EXECUTIVE SUMMARY
Threat actors are conducting a massive global campaign by abusing legitimate remote management software to distribute the AsyncRAT remote access Trojan. By targeting users searching for popular utilities like screen recorders and network tools, the attackers cast a wide net across multiple sectors and regions, including English, Russian, and Chinese-speaking demographics. The primary objective involves establishing persistent remote access to compromised systems, enabling data theft and lateral movement within corporate networks. This operation highlights a shift toward abusing trusted tools rather than creating custom exploits.
The attack begins when users download malicious software archives from spoofed websites that appear prominently in search results. These archives use a legitimate signed installer alongside a malicious library to deploy a hidden ScreenConnect remote access service through DLL sideloading. Once installed, the service executes scripts that disable security controls and drop the AsyncRAT payload via process hollowing. The malware then establishes persistence by creating a scheduled task that runs every few minutes, ensuring the attacker retains continuous control over the infected endpoint.
This campaign poses a significant risk because it bypasses traditional security checks by using signed binaries and trusted remote administration tools, making detection extremely difficult. Organizations should prioritize restricting the use of remote management software and monitoring for suspicious script activity initiated by these applications. Defenses must include robust application control policies to prevent DLL sideloading and regular backups to mitigate data loss. User education regarding software sourcing remains critical, as search engine poisoning effectively bypasses technical filters by targeting human behavior.
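As an added example that is not part of this report, the following Python triage runs over constructed Sysmon-style process-creation events and flags the two behaviours described above: script hosts launched by the ScreenConnect client service, and schtasks creating a task that repeats every few minutes. The ScreenConnect binary names and the sample events are assumptions made for the example.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files (x86)\ScreenConnect Client (x)\ScreenConnect.ClientService.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -ep bypass -File C:\Users\Public\setup.ps1"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /sc minute /mo 3 /tn Updater /tr C:\Users\Public\svc.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /sc daily /st 09:00 /tn Backup /tr C:\backup.exe"},
]

# Assumed client-side binary names of the remote administration tool named in the report.
REMOTE_ADMIN_PARENTS = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
MAX_MINUTES = 10  # a task repeating at least this often is "every few minutes"

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def script_from_remote_tool(ev):
    """Script interpreter spawned directly by the remote admin tool's process."""
    return basename(ev["ParentImage"]) in REMOTE_ADMIN_PARENTS and basename(ev["Image"]) in SCRIPT_HOSTS

def short_interval_task(ev):
    """schtasks /create with a minute-based schedule and a small modifier."""
    if basename(ev["Image"]) != "schtasks.exe":
        return False
    cl = ev["CommandLine"].lower()
    m = re.search(r"/sc\s+minute(?:.*?/mo\s+(\d+))?", cl)
    if not m or "/create" not in cl:
        return False
    # Assumption: schtasks defaults the modifier to 1 when /mo is omitted.
    return int(m.group(1) or 1) <= MAX_MINUTES

def triage(events):
    """Return (rule_name, command_line) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        if script_from_remote_tool(ev):
            hits.append(("script_host_spawned_by_remote_admin_tool", ev["CommandLine"]))
        if short_interval_task(ev):
            hits.append(("short_interval_scheduled_task", ev["CommandLine"]))
    return hits
```

Both rules key on parent/child relationships and command-line options that are present in standard process-creation telemetry, so they do not depend on the signed installer or the sideloaded DLL being recognised as malicious.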
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Resource Development | T1583.001 | Acquire Infrastructure | Domains |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Persistence | T1543.003 | Create or Modify System Process | Windows Service |
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Privilege Escalation | T1055.012 | Process Injection | Process Hollowing |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Defense Evasion | T1112 | Modify Registry | – |
| Defense Evasion | T1027.005 | Obfuscated Files or Information | Indicator Removal from Tools |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
REFERENCES:
The reports contain further technical details:
https://securelist.com/tr/the-soc-files-screenconnect-campaign-with-asyncrat/120472/