AsyncRAT Exploits ConnectWise ScreenConnect to Steal Credentials and Crypto
Briefly

"The attacker used ScreenConnect to gain remote access, then executed a layered VBScript and PowerShell loader that fetched and ran obfuscated components from external URLs," LevelBlue said in a report shared with The Hacker News. "These components included encoded .NET assemblies ultimately unpacking into AsyncRAT while maintaining persistence via a fake 'Skype Updater' scheduled task."
"The script, for its part, is designed to retrieve two external payloads ("logs.ldk" and "logs.ldr") from an attacker-controlled server by means of a PowerShell script. The first of the two files, "logs.ldk," is a DLL that's responsible for writing a secondary Visual Basic Script to disk, using it to establish persistence using a scheduled task by passing it off as "Skype Updater" to evade detection."
Attackers use ConnectWise ScreenConnect remote sessions to execute a layered VBScript and PowerShell loader that downloads obfuscated components from external servers. Phishing deliveries include trojanized ScreenConnect installers masquerading as financial or business documents, giving the operator hands-on-keyboard access. The PowerShell script retrieves two payloads, logs.ldk (a DLL) and logs.ldr, and loads logs.ldk as a .NET assembly. The DLL writes a secondary Visual Basic Script to disk and creates a scheduled task labeled 'Skype Updater' so the script runs again at each logon. The loaded assembly then processes logs.ldr to launch AsyncClient.exe, which unpacks and runs AsyncRAT to exfiltrate sensitive data from the compromised host.
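The chain above leaves two observable seams on the endpoint: a ScreenConnect client process spawning a script host, and a schtasks invocation registering a script-backed task under a product-sounding name. The following detector, an added example that is not from the LevelBlue report or The Hacker News article, replays constructed process-creation records (modelled loosely on Sysmon Event ID 1 fields; the ScreenConnect path, user name and file names are assumed, not taken from the report) and flags both behaviours.

```python
import re

# Constructed sample records (not real telemetry). Field names follow Sysmon Event ID 1;
# the ScreenConnect install path and the .vbs locations are illustrative assumptions.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.WindowsClient.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Invoice.vbs"'},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc <base64 omitted>"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Skype Updater" /tr "wscript.exe C:\Users\alice\AppData\Roaming\update.vbs" /sc onlogon'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE /n"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumes the task name and action are double-quoted on the schtasks command line.
TASK_RE = re.compile(r'/tn\s+"?([^"/]+?)"?\s+/tr\s+"?([^"]+)', re.IGNORECASE)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def is_remote_session_spawning_script_host(ev):
    # A remote-support client should hand work to the operator, not to wscript/powershell directly.
    return "screenconnect" in ev["ParentImage"].lower() and _basename(ev["Image"]) in SCRIPT_HOSTS


def is_script_backed_task_creation(ev):
    if _basename(ev["Image"]) != "schtasks.exe":
        return False
    match = TASK_RE.search(ev["CommandLine"])
    if not match:
        return False
    name, action = match.group(1).strip().lower(), match.group(2).lower()
    # Flag the task name reported in this campaign, or any task whose action is a .vbs
    # living in a user-writable directory (no legitimate updater installs itself there).
    return name == "skype updater" or (".vbs" in action and any(d in action for d in USER_WRITABLE))


def triage(events):
    """Return (index, label) pairs for every record that matches one of the two checks."""
    findings = []
    for idx, ev in enumerate(events):
        if is_remote_session_spawning_script_host(ev):
            findings.append((idx, "remote-session-spawned-script-host"))
        if is_script_backed_task_creation(ev):
            findings.append((idx, "script-backed-scheduled-task"))
    return findings
```

In production the same two checks map naturally onto a SIEM rule keyed on ParentImage/Image and on Windows Security event 4698 (task created), where the task XML exposes the action path without regex parsing.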
Read at The Hacker News