Site used to deliver ScreenConnect | Image: Kaspersky Labs
At a Glance
- Malware Family: AsyncRAT
- Threat Actor: Unknown cybercriminals
- Target or Victims: Individual consumers and corporate networks
- Delivery Vector: SEO poisoning and fake freeware portals
- Key Capabilities: Remote access, process hollowing, and credential theft
- Source: Kaspersky Labs
TL;DR
Cybercriminals launched a massive ScreenConnect AsyncRAT campaign. The attackers hide remote administration tools inside fake software installers. As a result, they gain unauthorized access to both personal and corporate devices to steal sensitive data.
Delivery
Attackers rely on search engine optimization to distribute their malware. First, they register typosquatted domains that look exactly like official product pages. Users search for popular utilities like OBS Studio, DNS Jumper, DS4Windows, or Bandicam. Consequently, the fake websites appear at the top of search results.
When victims click the download link, they receive a malicious ZIP archive. The Kaspersky Managed Detection and Response team found over 90 domain names localized across 10 languages. This wide localization shows the global scale of the threat. The archive contains a legitimate, Microsoft-signed executable file. However, it also includes a rogue dynamic link library file. This setup tricks users into believing they downloaded safe software. The ZIP file even includes a copy of the real application to maintain the illusion.
Infection Chain
The infection begins when the user runs the downloaded executable. The program loads the malicious library via a technique called DLL sideloading. This action silently installs the ScreenConnect service in the background. Meanwhile, the requested software installs normally to avoid suspicion. “To access compromised systems, threat actors frequently abuse legitimate remote monitoring tools,” the report states.
Once active, the ScreenConnect service spawns a PowerShell script. This script configures Microsoft Defender exclusions for all system drives. It also disables User Account Control prompts. Next, a VBScript file creates multiple hidden files in the public user directory. These files include a secondary PowerShell script and encrypted text files. The script terminates all active PowerShell processes to cover its tracks. Then, it reads the encrypted text file and extracts hexadecimal sequences. The script uses an XOR key to decrypt the payload byte by byte.
The final step involves a technique known as process hollowing. The script spawns a suspended system process and injects the AsyncRAT payload into its memory. Therefore, the malware runs silently without raising any alarms.
Command-and-Control and Data-Exfiltration Behaviour
The malware establishes persistence by creating a scheduled task on the infected machine. This task triggers every two minutes. It ensures the loader chain survives system reboots. Following successful execution, the injected process connects to the attackers’ command-and-control server.
The threat actors mapped their network across three main IP addresses. They use these servers to send further instructions to the infected machines. “This allowed the attackers to maintain control over compromised endpoints, with victims ranging from individual users to organizations,” Kaspersky noted. Attackers use this remote access to steal credentials en masse. They likely sell this stolen data on dark web marketplaces.
Security researchers found dozens of different archives distributed across this network. The attackers skipped game-themed lures recently to focus entirely on freeware sites.
Defense or Detection Guidance
Organizations must enforce strict software installation controls immediately. IT departments should implement application allowlisting to block unauthorized programs. Security teams must block MSI package execution from untrusted sources. Additionally, administrators need to continuously monitor the creation of new remote administration services.
Security personnel should watch for unexpected scheduled tasks on employee machines. Companies must filter all outbound network traffic to unknown domains and IP addresses. Finally, companies must regularly train users on safe downloading practices. Employees should always verify the authenticity of all software sources before installation. Credential monitoring provides a critical layer of defense against these specific threats.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.