Threat actors are abusing the ScreenConnect remote access tool to deploy AsyncRAT malware, according to Kaspersky. The activity is part of a large, multi-language campaign that distributes malicious installer archives hosted on spoofed websites, according to a recent report by The Hacker News.

The malicious installers are disguised as popular software such as OBS Studio and Bandicam, with over 90 domain names identified across 10 languages. The attack chain begins with a legitimate, signed Microsoft install.exe binary bundled with a rogue install.res.1033.dll library. The library is loaded via DLL side-loading and deploys the ScreenConnect service, which then awaits further instructions. Once active, ScreenConnect executes a PowerShell script that configures Microsoft Defender exclusions, disables User Account Control, and creates a VBScript file. The VBScript generates several files in the public directory and triggers a hidden PowerShell script.

That script extracts the AsyncRAT module from a text file using process hollowing and establishes a connection to a remote server, allowing covert control, data theft, and screen recording. Persistence is maintained through a scheduled task that runs every two minutes, ensuring the attack chain restarts after a reboot. Threat actors leverage SEO techniques to push the fraudulent websites to the top of search engine results.

Source: The Hacker News
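As an added example (not from Kaspersky's or The Hacker News' reporting), a small Python detector that scans constructed, simplified Windows telemetry for the chain stages described above (the install.exe/install.res.1033.dll side-load, the Defender exclusion, the UAC change, and the short-interval scheduled task) and alerts when several of them co-occur on one host. The event field names, paths and task name are assumptions about how a SIEM might normalise Sysmon, PowerShell script-block, registry and process-creation events.

```python
import re

# Constructed sample telemetry (not from the report): simplified Windows events as a
# SIEM might normalise them (Sysmon EID 7, PowerShell EID 4104, registry set, process
# create). Paths, task name and exclusion path are illustrative assumptions.
SAMPLE_EVENTS = [
    {"src": "sysmon_7", "image": r"C:\Users\Public\install.exe",
     "loaded": r"C:\Users\Public\install.res.1033.dll"},
    {"src": "ps_4104", "script": "Add-MpPreference -ExclusionPath 'C:\\Users\\Public'"},
    {"src": "reg_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "EnableLUA", "data": "0"},
    {"src": "proc_1", "cmdline": "schtasks /create /sc minute /mo 2 /tn Upd /tr wscript.exe"},
    {"src": "ps_4104", "script": "Get-Process | Where-Object CPU -gt 10"},  # benign noise
]

# Directories a standard user can write to; a signed binary loading its DLL from
# here is the side-loading pattern the report describes.
USER_WRITABLE = re.compile(r"\\(users\\public|appdata|temp)\\", re.I)

def side_loaded_dll(ev):
    """Stage 1: install.exe loading install.res.1033.dll from a user-writable path."""
    return (ev.get("src") == "sysmon_7"
            and ev.get("image", "").lower().endswith("\\install.exe")
            and ev.get("loaded", "").lower().endswith("\\install.res.1033.dll")
            and USER_WRITABLE.search(ev["loaded"]) is not None)

def defender_exclusion(ev):
    """Stage 2: PowerShell adding any Microsoft Defender exclusion."""
    return (ev.get("src") == "ps_4104"
            and re.search(r"Add-MpPreference\s+-Exclusion", ev.get("script", ""), re.I) is not None)

def uac_disabled(ev):
    """Stage 2: EnableLUA set to 0 under the system policy key (UAC off)."""
    return (ev.get("src") == "reg_set" and ev.get("key", "").lower().endswith(r"\policies\system")
            and ev.get("value", "").lower() == "enablelua" and ev.get("data") == "0")

def short_interval_task(ev):
    """Stage 3: schtasks /create repeating every five minutes or less."""
    m = re.search(r"schtasks\s+/create.*?/sc\s+minute\s+/mo\s+(\d+)", ev.get("cmdline", ""), re.I)
    return ev.get("src") == "proc_1" and m is not None and int(m.group(1)) <= 5

RULES = {"side_load": side_loaded_dll, "defender_exclusion": defender_exclusion,
         "uac_disable": uac_disabled, "short_task": short_interval_task}

def matched_stages(events):
    """Return the set of chain stages observed in the event stream."""
    return {name for ev in events for name, rule in RULES.items() if rule(ev)}

def should_alert(events, min_stages=2):
    """Alert only when two or more distinct stages co-occur, to cut single-rule noise."""
    return len(matched_stages(events)) >= min_stages

if __name__ == "__main__":
    print(sorted(matched_stages(SAMPLE_EVENTS)), should_alert(SAMPLE_EVENTS))
```

Each rule on its own fires on legitimate administration now and then; the co-occurrence threshold is what ties them to the chain.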