LevelBlue researchers warn about a campaign exploiting ConnectWise ScreenConnect to deploy AsyncRAT using in-memory fileless techniques. The attack involves a fake Skype updater, malicious payloads, and persistence mechanisms, posing significant detection challenges. #AsyncRAT #ConnectWiseScreenConnect
Key points
- Attackers use compromised ScreenConnect clients to initiate malicious sessions.
- The malware uses VBScript and PowerShell loaders to execute payloads in memory, leaving no traces on disk.
- In-memory payloads include obfuscator.dll and AsyncClient.exe to establish persistence and C2 communication.
- The malware achieves stealth by disabling defenses such as AMSI and ETW and by disguising itself as a Skype updater.
- Fileless techniques make detection, analysis, and removal significantly more difficult for defenders.
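The behaviours listed above (ScreenConnect client spawning a script host, hidden or encoded PowerShell, AMSI/ETW tampering strings, and a Skype-updater lookalike running from a user-writable directory) are each observable in process-creation and script-block telemetry. The detector below is an added example written for this summary; it is not LevelBlue's code and not derived from the campaign's samples. The `ProcessEvent` field layout, the ScreenConnect image names, and the sample events are constructed assumptions for illustration.

```python
"""Heuristic detection for a ScreenConnect -> script host -> in-memory PowerShell chain.

Added example (not LevelBlue's code). Event layout mirrors Sysmon Event ID 1 fields
plus an optional correlated PowerShell 4104 script-block text; all names and
sample events are constructed assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed ScreenConnect client image names; adjust to match your deployment.
SCREENCONNECT_IMAGES = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}
LEGACY_SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Switches typical of PowerShell used as a fileless loader (longest alternatives first).
LOADER_FLAGS = re.compile(
    r"(?i)(?:^|\s)-(?:encodedcommand|windowstyle\s+hidden|noprofile|enc|nop|ec|e|w\s+hidden)\b"
)
# Strings that commonly appear when a script patches or bypasses AMSI / ETW.
DEFENSE_TAMPER = re.compile(r"(?i)AmsiScanBuffer|amsiInitFailed|AmsiUtils|EtwEventWrite|Set-MpPreference\s+-Disable")
# Directories a real vendor updater would not normally run from.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


@dataclass
class ProcessEvent:
    pid: int
    image: str
    parent_image: str
    command_line: str
    script_block: str = ""  # correlated PowerShell script-block text, if available


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def classify(ev: ProcessEvent) -> list[str]:
    """Return the list of heuristic reasons an event looks like this loader chain."""
    reasons: list[str] = []
    image = _basename(ev.image)
    parent = _basename(ev.parent_image)

    if parent in SCREENCONNECT_IMAGES and image in SCRIPT_HOSTS:
        reasons.append("script host spawned by ScreenConnect client")
    if parent in LEGACY_SCRIPT_HOSTS and image in POWERSHELL:
        reasons.append("PowerShell launched from a script host")
    if image in POWERSHELL and LOADER_FLAGS.search(ev.command_line):
        reasons.append("hidden/encoded PowerShell invocation")
    if DEFENSE_TAMPER.search(ev.script_block) or DEFENSE_TAMPER.search(ev.command_line):
        reasons.append("AMSI/ETW tampering indicator")
    if "skype" in image and "update" in image and any(d in ev.image.lower() for d in USER_WRITABLE):
        reasons.append("Skype-updater lookalike in user-writable path")
    return reasons


def detect(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map each flagged PID to its reasons; events with no reasons are omitted."""
    return {ev.pid: reasons for ev in events if (reasons := classify(ev))}


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    ProcessEvent(1001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe", "powershell.exe -Command Get-Date"),
    ProcessEvent(1002, r"C:\Windows\System32\wscript.exe",
                 r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
                 r'wscript.exe "C:\Users\alice\AppData\Local\Temp\SkypeUpdate.vbs"'),
    ProcessEvent(1003, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\wscript.exe",
                 "powershell.exe -nop -w hidden -enc <base64-blob>",
                 script_block="# constructed: script references AmsiScanBuffer and EtwEventWrite"),
    ProcessEvent(1004, r"C:\Users\alice\AppData\Roaming\Skype\SkypeUpdater.exe",
                 r"C:\Windows\explorer.exe", "SkypeUpdater.exe /silent"),
]

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Each heuristic on its own produces some noise (administrators do run hidden PowerShell), so in practice these reasons are best combined per process tree rather than alerted on individually; the ScreenConnect-parent and tampering-string rules are the ones with the lowest benign rate.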