Threat Advisory

Massive Campaign Using ScreenConnect To Deploy AsyncRAT

Threat: Malware Campaign
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY

Threat actors are conducting a massive global campaign by abusing legitimate remote management software to distribute the AsyncRAT remote access Trojan. By targeting users searching for popular utilities like screen recorders and network tools, the attackers cast a wide net across multiple sectors and regions, including English, Russian, and Chinese-speaking demographics. The primary objective involves establishing persistent remote access to compromised systems, enabling data theft and lateral movement within corporate networks. This operation highlights a shift toward abusing trusted tools rather than creating custom exploits.

The attack begins when users download malicious software archives from spoofed websites that appear prominently in search results. These archives use a legitimate signed installer alongside a malicious library to deploy a hidden ScreenConnect remote access service through DLL sideloading. Once installed, the service executes scripts that disable security controls and drop the AsyncRAT payload via process hollowing. The malware then establishes persistence by creating a scheduled task that runs every few minutes, ensuring the attacker retains continuous control over the infected endpoint.

This campaign poses a significant risk because it bypasses traditional security checks by using signed binaries and trusted remote administration tools, making detection extremely difficult. Organizations should prioritize restricting the use of remote management software and monitoring for suspicious script activity initiated by these applications. Defenses must include robust application control policies to prevent DLL sideloading and regular backups to mitigate data loss. User education regarding software sourcing remains critical, as search engine poisoning effectively bypasses technical filters by targeting human behavior.
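Added example, not part of the advisory or the referenced report: a small Python detection sketch, run over constructed sample telemetry, for two observable steps of the chain described above, a script interpreter spawned by the ScreenConnect client (T1059.001/.005) and a scheduled task that repeats every few minutes (T1053.005). The event field names, the "screenconnect" parent-process match and the 15-minute threshold are assumptions.

```python
import re

# Script hosts the advisory's PowerShell / Visual Basic stages would run under.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
# Assumption: the sideloaded remote access service runs under a ScreenConnect-named binary.
RMM_PARENT = re.compile(r"screenconnect", re.IGNORECASE)
# "Runs every few minutes" per the advisory; tune for your own estate.
MAX_SUSPICIOUS_MINUTES = 15


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_create(ev):
    """Flag a script host whose parent process is a ScreenConnect binary."""
    if basename(ev["image"]) in SCRIPT_HOSTS and RMM_PARENT.search(ev["parent"]):
        return f"T1059: {basename(ev['image'])} spawned by {basename(ev['parent'])}"
    return None


def check_task_create(ev):
    """Flag a scheduled task whose repetition interval (ISO 8601, e.g. PT3M) is only minutes."""
    m = re.fullmatch(r"PT(\d+)M", ev.get("interval", ""))
    if m and int(m.group(1)) <= MAX_SUSPICIOUS_MINUTES:
        return f"T1053.005: task {ev['task']} repeats every {m.group(1)} min"
    return None


def scan(events):
    """Run both checks over a list of simplified Sysmon-like event dicts."""
    findings = []
    for ev in events:
        hit = None
        if ev["type"] == "process_create":
            hit = check_process_create(ev)
        elif ev["type"] == "task_create":
            hit = check_task_create(ev)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry (simplified fields); the paths and task names are not real IoCs.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "parent": r"C:\Program Files (x86)\ScreenConnect Client (x)\ScreenConnect.ClientService.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "task_create", "task": r"\Microsoft\Windows\Updater", "interval": "PT3M"},
    {"type": "task_create", "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "interval": "P1W"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The benign explorer.exe-spawned PowerShell and the weekly defrag task are deliberately included so the checks can be seen to pass over ordinary activity.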

THREAT PROFILE:

Tactic                Technique ID   Technique                           Sub-technique
Resource Development  T1583.001      Acquire Infrastructure              Domains
Execution             T1059.001      Command and Scripting Interpreter   PowerShell
Execution             T1059.005      Command and Scripting Interpreter   Visual Basic
Persistence           T1543.003      Create or Modify System Process     Windows Service
Persistence           T1053.005      Scheduled Task/Job                  Scheduled Task
Privilege Escalation  T1055.012      Process Injection                   Process Hollowing
Defense Evasion       T1562.001      Impair Defenses                     Disable or Modify Tools
Defense Evasion       T1112          Modify Registry
Defense Evasion       T1027.005      Obfuscated Files or Information     Indicator Removal from Tools
Command and Control   T1071.001      Application Layer Protocol          Web Protocols

REFERENCES:

The reports contain further technical details:
https://securelist.com/tr/the-soc-files-screenconnect-campaign-with-asyncrat/120472/
