
AsyncRAT Takes Advantage of ConnectWise ScreenConnect to Capture Credentials and Cryptocurrency

Cybersecurity researchers have revealed a new campaign that exploits ConnectWise ScreenConnect, a legitimate Remote Monitoring and Management (RMM) software, to deploy a fileless loader that delivers a Remote Access Trojan (RAT) known as AsyncRAT. According to a report from LevelBlue shared with The Hacker News, attackers utilise ScreenConnect to gain remote access and execute a layered Visual Basic Script and PowerShell loader that retrieves obfuscated components from external URLs. These components include encoded .NET assemblies that ultimately unpack into AsyncRAT, maintaining persistence through a deceptive scheduled task labelled as ‘Skype Updater’. The infection chain involves threat actors leveraging a ScreenConnect deployment to initiate a remote session and launch a Visual Basic Script payload, often disguised as financial or business documents sent via phishing emails.

The malicious script is designed to fetch two external payloads, “logs.ldk” and “logs.ldr,” from an attacker-controlled server using PowerShell. The “logs.ldk” file, a DLL, writes a secondary Visual Basic Script to disk and establishes persistence through a scheduled task that masquerades as ‘Skype Updater’ to avoid detection. This Visual Basic Script replicates the initial PowerShell logic, ensuring automatic execution after each login. The PowerShell script loads “logs.ldk” as a .NET assembly and passes “logs.ldr” as input, leading to the execution of AsyncRAT, which can log keystrokes, steal browser credentials, and scan for cryptocurrency wallet applications. All collected data is exfiltrated to a command-and-control server. Because the malware is fileless, operating in memory rather than writing its payloads to disk, detection and eradication are more difficult.
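The persistence step above (a scheduled task named ‘Skype Updater’ that launches a Visual Basic Script, which in turn runs a hidden PowerShell loader) leaves a recognisable trace in task-creation logs. The script below is an added defender-side example written for this article; it is not code from LevelBlue or The Hacker News. It assumes a simplified, constructed record format (`TaskName=…; Command=…; Arguments=…`) standing in for a scheduled-task creation event, and the file paths and task names in the sample records are constructed, not observed indicators. It flags tasks that reuse the reported lure name, tasks named like a vendor updater that launch a script host rather than a vendor binary, and script-host arguments that look like the loader described in the report.

```python
"""Flag scheduled tasks resembling the 'Skype Updater' persistence described above.

The record format and sample events below are constructed for this example; map the
three fields onto whatever your task-creation telemetry (e.g. Security event 4698)
actually provides before using the rules.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Interpreters that a legitimate product updater normally does not run through.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}

# Task name reported for this campaign; extend with names seen in your own environment.
KNOWN_LURE_NAMES = {"skype updater"}

# Argument patterns typical of the VBS -> PowerShell -> in-memory .NET loader chain.
SUSPICIOUS_ARGS = [
    re.compile(r"\.vbs\b", re.I),                          # script file handed to wscript/cscript
    re.compile(r"-(?:w|windowstyle)\s+hidden", re.I),       # hidden PowerShell window
    re.compile(r"-(?:e|enc|encodedcommand)\b", re.I),       # encoded PowerShell command
    re.compile(r"\[System\.Reflection\.Assembly\]::Load", re.I),  # assembly loaded from memory
    re.compile(r"\.ld[kr]\b", re.I),                        # payload names used by this campaign
]


@dataclass
class TaskEvent:
    task_name: str
    command: str
    arguments: str


def parse_event(line: str) -> TaskEvent:
    """Parse one constructed 'TaskName=...; Command=...; Arguments=...' record.

    Fields are split on ';', so this toy format cannot carry a literal ';' inside
    an argument string; real telemetry should be parsed with its own parser.
    """
    fields: dict[str, str] = {}
    for part in line.split(";"):
        key, _, value = part.strip().partition("=")
        fields[key.strip().lower()] = value.strip()
    return TaskEvent(fields.get("taskname", ""), fields.get("command", ""), fields.get("arguments", ""))


def assess(ev: TaskEvent) -> list[str]:
    """Return the list of reasons a task looks suspicious (empty list means benign)."""
    reasons: list[str] = []
    exe = ev.command.replace("\\", "/").rsplit("/", 1)[-1].lower()
    name = ev.task_name.strip("\\").lower()

    if name in KNOWN_LURE_NAMES:
        reasons.append("task name matches reported lure")

    if exe in SCRIPT_HOSTS:
        reasons.append(f"task runs script host {exe}")
        for pat in SUSPICIOUS_ARGS:
            if pat.search(ev.arguments):
                reasons.append(f"argument matches {pat.pattern}")
        # A task posing as a product updater should launch that product's own binary.
        if "updat" in name:
            reasons.append("'updater'-style task launches a script host instead of a vendor binary")
    return reasons


def scan(lines: list[str]) -> dict[str, list[str]]:
    """Map each flagged task name to its reasons; benign tasks are omitted."""
    flagged: dict[str, list[str]] = {}
    for line in lines:
        ev = parse_event(line)
        reasons = assess(ev)
        if reasons:
            flagged[ev.task_name] = reasons
    return flagged


# Constructed sample records (paths and names are illustrative, not real indicators).
SAMPLE_EVENTS = [
    r"TaskName=\Skype Updater; Command=C:\Windows\System32\wscript.exe; Arguments=C:\Users\Public\update.vbs",
    r"TaskName=\Microsoft\Windows\WindowsUpdate\Scheduled Start; Command=C:\Windows\System32\sc.exe; Arguments=start wuauserv",
    r"TaskName=\ExampleVendor Update Task; Command=C:\Program Files\ExampleVendor\Updater.exe; Arguments=/silent",
    r"TaskName=\OneDrive Standalone Update Task; Command=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; "
    r"Arguments=-w hidden -nop -c [System.Reflection.Assembly]::Load($bytes)",
]

if __name__ == "__main__":
    for task, reasons in scan(SAMPLE_EVENTS).items():
        print(task)
        for r in reasons:
            print("   -", r)
```

Only the two script-host tasks are reported; the genuine Windows Update task and the vendor updater launching its own executable pass untouched. The name check is deliberately the weakest rule: a renamed task slips past it, whereas the script-host and argument rules still fire, so they carry most of the detection value.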
