EXECUTIVE SUMMARY:
This report describes a malware campaign that leverages a memory-resident loader to deploy a remote access tool through deceptive distribution techniques. The attack begins with a fake software download page impersonating legitimate services, luring users into executing a malicious script under the guise of trusted content. This campaign demonstrates a growing trend in cyber threats where attackers blend social engineering with fileless malware techniques to evade detection. Instead of relying on traditional executable payloads, the attackers use scripting languages and in-memory execution to minimize their forensic footprint. The use of a legitimate remote monitoring and management (RMM) tool such as ScreenConnect further complicates detection, as it allows attackers to blend malicious activity with normal administrative operations. This approach enables persistent access, remote control, and potential lateral movement within compromised environments.
The infection chain begins with the delivery of a heavily obfuscated VBScript file that acts as the initial loader. Upon execution, the script launches a PowerShell command designed to retrieve and execute a secondary payload directly in memory, avoiding disk-based detection mechanisms. This second-stage payload is typically a .NET-based loader that decrypts and loads additional components dynamically. The malware employs several defense evasion techniques, including string obfuscation, encoded commands, and manipulation of process execution flows. A notable technique observed in this campaign is the use of COM-based UAC bypass methods, allowing the malware to escalate privileges without triggering user prompts. Additionally, the loader leverages Process Environment Block (PEB) spoofing to disguise its execution context and evade behavioral analysis tools. Once the environment is prepared, the malware deploys ScreenConnect, a legitimate remote access software, enabling attackers to establish persistent control over the infected system. By operating in memory and using trusted binaries, the campaign significantly reduces its detection surface while maintaining flexibility for further payload delivery or post-exploitation activities.
This campaign underscores the increasing sophistication of modern malware operations, where attackers prioritize stealth, persistence, and adaptability. By combining fileless execution techniques with the abuse of legitimate tools like ScreenConnect, threat actors can effectively bypass traditional security defenses and maintain long-term access to compromised systems. The reliance on in-memory loaders and scripting-based delivery mechanisms highlights the limitations of signature-based detection and emphasizes the need for behavior-based monitoring and advanced threat detection capabilities. Organizations must adopt a multi-layered security approach, including endpoint detection and response (EDR), strict application control policies, and user awareness training to mitigate such threats. Monitoring the use of administrative tools and unusual PowerShell activity is critical in identifying potential compromises early in the attack lifecycle. Furthermore, restricting the execution of unauthorized scripts and enforcing least privilege access can significantly reduce the risk of exploitation.
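As an added illustration of the behaviour-based monitoring recommended above (example code written for this summary, not from the cited reports), the following checks process-creation events for the two observable points in the described chain: a script host (wscript/cscript) launching PowerShell with an encoded or in-memory command line, and the ScreenConnect client running outside its normal install directory (MBC B0027). The event dictionaries, field names and paths are constructed samples in a Sysmon-like shape, not artefacts from the campaign.

```python
"""Detection checks for the VBScript -> PowerShell -> ScreenConnect chain."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Encoded command switches and common in-memory execution cradles.
SUSPICIOUS_PS = re.compile(
    r"-e(nc|ncodedcommand)?\s|downloadstring|\biex\b|invoke-expression|frombase64string",
    re.I,
)
# Where a legitimately installed ScreenConnect client normally lives (assumption).
SC_NORMAL_PATHS = (
    "c:\\program files (x86)\\screenconnect client",
    "c:\\program files\\screenconnect client",
)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the list of alert strings raised by one process-creation event."""
    alerts = []
    img, parent = basename(ev["image"]), basename(ev["parent_image"])
    if parent in SCRIPT_HOSTS and img in POWERSHELL and SUSPICIOUS_PS.search(ev["cmdline"]):
        alerts.append("script host spawned encoded/in-memory PowerShell")
    if img.startswith("screenconnect") and not ev["image"].lower().startswith(SC_NORMAL_PATHS):
        alerts.append("ScreenConnect client outside standard install path")
    return alerts


def scan(events):
    """Run check_event over a batch; returns (event index, alert) pairs."""
    return [(i, a) for i, ev in enumerate(events) for a in check_event(ev)]


# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc AAAAAAAA"},  # placeholder blob
    {"image": r"C:\Users\user\AppData\Local\Temp\ScreenConnect.ClientService.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "ScreenConnect.ClientService.exe"},
    {"image": r"C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.ClientService.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": "ScreenConnect.ClientService.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe Get-ChildItem"},
]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {alert}")
```

The third and fourth samples are benign controls: a client under the standard install path and an interactive PowerShell launched from Explorer produce no alert.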
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
| --- | --- | --- | --- |
| Initial Access | T1189 | Drive-by Compromise | — |
| Execution | T1204.002 | User Execution | Malicious File |
| Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1547 | Boot or Logon Autostart Execution | — |
| Privilege Escalation | T1548.002 | Abuse Elevation Control Mechanism | Bypass User Account Control |
| Defense Evasion | T1027 | Obfuscated Files and Information | — |
| Defense Evasion | T1055 | Process Injection | — |
| Defense Evasion | T1036 | Masquerading | — |
| Defense Evasion | T1622 | Debugger Evasion | — |
| Credential Access | T1555 | Credentials from Password Stores | — |
| Discovery | T1082 | System Information Discovery | — |
| Discovery | T1016 | System Network Configuration Discovery | — |
| Lateral Movement | T1021 | Remote Services | — |
| Command and Control | T1219 | Remote Access Software | — |
| Command and Control | T1071 | Application Layer Protocol | — |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
| --- | --- | --- |
| Execution | E1204 | User Execution |
| Defense Evasion | B0027 | Alternative Installation Location |
| Defense Evasion | E1027 | Obfuscated Files or Information |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/fake-adobe-reader-download-delivers-screenconnect/
https://www.zscaler.com/blogs/security-research/memory-loader-drops-screenconnect