Malware

ScreenConnect abused to deploy AsyncRAT in widespread campaign

Threat actors are abusing the ScreenConnect remote access tool to deploy AsyncRAT malware, Kaspersky reports. The activity is part of a large, multi-language campaign that distributes malicious installer archives hosted on spoofed websites, according to a recent report by The Hacker News.

These malicious installers are disguised as popular software such as OBS Studio and Bandicam, with over 90 domain names identified across 10 languages. The attack chain begins with a legitimate, signed Microsoft install.exe binary bundled with a rogue install.res.1033.dll library. This library is loaded via DLL side-loading, deploying the ScreenConnect service to await further instructions. Once active, ScreenConnect executes a PowerShell script that configures Microsoft Defender exclusions, disables User Account Control, and creates a VBScript file. This VBScript then generates several files in the public directory and triggers a hidden PowerShell script.

This script extracts the AsyncRAT module from a text file and runs it via process hollowing, then establishes a connection to a remote server, giving the operators covert control, data theft, and screen recording. Persistence is maintained through a scheduled task that runs every two minutes, so the chain restarts after a reboot. Threat actors use SEO techniques to push the fraudulent websites to the top of search engine results.
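Each stage of that chain leaves a distinct trace in process-creation telemetry that a defender can alert on. As an added example (not code from the Kaspersky or Hacker News report), the following Python matches one rule per stage against constructed process-creation records; the image names, paths, task name, and the exact cmdlets and registry values are assumptions, not indicators from the campaign.

```python
import re

# Constructed sample process-creation records (parent image, child command line)
# modelled on the chain described above; image names, paths, the task name and the
# exact cmdlets/registry values are assumptions, not indicators from the report.
SAMPLE_EVENTS = [
    {"pid": 101, "parent": "ScreenConnect.ClientService.exe",
     "cmd": 'powershell.exe -ep Bypass -c "Add-MpPreference -ExclusionPath C:\\Users\\Public"'},
    {"pid": 102, "parent": "powershell.exe",
     "cmd": "reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
            " /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"pid": 103, "parent": "wscript.exe",
     "cmd": "powershell.exe -WindowStyle Hidden -File C:\\Users\\Public\\update.ps1"},
    {"pid": 104, "parent": "powershell.exe",
     "cmd": 'schtasks /create /sc minute /mo 2 /tn Updater /tr "wscript.exe C:\\Users\\Public\\run.vbs" /f'},
    {"pid": 105, "parent": "explorer.exe",  # benign admin activity, must not fire
     "cmd": "powershell.exe -File C:\\Scripts\\backup.ps1"},
]

# One rule per stage of the chain, matched against the string "parent -> cmd".
RULES = [
    ("screenconnect_spawns_powershell", re.compile(r"^[^>]*screenconnect[^>]*->\s*powershell", re.I)),
    ("defender_exclusion", re.compile(r"(Add|Set)-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I)),
    ("uac_disabled", re.compile(r"EnableLUA.*?(/d\s+0\b|-Value\s+0\b)", re.I)),   # EnableLUA forced to 0
    ("hidden_powershell", re.compile(r"powershell(\.exe)?.*\s-w(indowstyle)?\s+hidden", re.I)),
    ("script_in_public_dir", re.compile(r"\\Users\\Public\\[^\s\"']+\.(ps1|vbs)\b", re.I)),
    ("high_frequency_task", re.compile(r"schtasks.*?/sc\s+minute\s+/mo\s+[1-5]\b", re.I)),  # every 1-5 min
]

def match_event(event):
    """Return the names of every rule that fires on one event."""
    haystack = f'{event["parent"]} -> {event["cmd"]}'
    return [name for name, rx in RULES if rx.search(haystack)]

def triage(events):
    """Map pid -> matched rule names for every event that fired at least one rule."""
    hits = {e["pid"]: match_event(e) for e in events}
    return {pid: names for pid, names in hits.items() if names}

def chain_score(events):
    """Count distinct chain stages seen across the batch. Each rule alone has benign
    uses; several stages on one host inside a short window is the real signal."""
    return len({name for e in events for name in match_event(e)})

if __name__ == "__main__":
    for pid, names in triage(SAMPLE_EVENTS).items():
        print(pid, names)
    print("stages observed:", chain_score(SAMPLE_EVENTS), "of", len(RULES))
```

Any one rule (a Defender exclusion, a hidden PowerShell window) fires on legitimate administration too, so alert on the number of distinct stages per host rather than on single matches.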

Source: The Hacker News
