eSentire’s Threat Response Unit (TRU) details incidents from June 2024 where users were steered to download the ScreenConnect remote access client, enabling AsyncRAT infection. The piece outlines the infection chain, including NSIS-based packaging, AutoIt components, RC4 decryption, and defense-evasion techniques to persist remote access while evading security tools. Hashtags: #AsyncRAT #ScreenConnect #Kaseya #more_eggs #eSentire
Keypoints
- June 2024 TRU observations show users downloading ScreenConnect from deceptive sites, leading to remote access and AsyncRAT deployment.
- The infection begins with a drive-by download redirected from a compromised site (aviranpreschool[.]com) to ScreenConnect.
- ScreenConnect establishes a session with the attacker’s instance (fa-histsedueg.screenconnect[.]com) and drops an NSIS-based payload.
- The NSIS installer contains an embedded AutoIt component and a batch script (Industries.cmd) that rebuilds and executes the AsyncRAT payload (B and Lay.pif).
- Industries.cmd assembles a malicious binary and a renamed AutoIt executable, then runs the AutoIt script to decrypt AsyncRAT via RC4 and inject into RegAsm.exe or AppLaunch.exe.
- Defense evasion includes delaying actions and checking for security software (wrsa.exe, opssvc.exe, Avast, AVG, Norton, Sophos) to avoid detection.
- TRU Positive conclusions highlight the risk of software downloads from unverified sources and the value of monitoring remote-access tools for unauthorized use.
MITRE Techniques
- [T1189] Drive-by Compromise – The infection vector used a deceptive site that redirected users to download the ScreenConnect application automatically. (‘deceptive site that redirected them to download the ScreenConnect application automatically.’)
- [T1021] Remote Services – The attacker leveraged ScreenConnect to establish remote access and drop the AsyncRAT payload. (‘With the established session via ScreenConnect, the threat actor dropped an executable file that eventually led to the infection of AsyncRAT’)
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The NSIS installer runs a batch file (Industries.cmd) to orchestrate actions. (‘The NSI script is responsible for executing the batch file named “Industries.cmd”…’)
- [T1140] Deobfuscate/Decode Files or Information – The AsyncRAT payload is decrypted via RC4 by the malicious AutoIt script. (‘decrypting the embedded AsyncRAT payload via RC4’)
- [T1055] Process Injection – The AsyncRAT payload is injected into RegAsm.exe or AppLaunch.exe when certain conditions are met. (‘injecting it into either RegAsm.exe or AppLaunch.exe’)
- [T1562.001] Impair Defenses – The AutoIt script checks for security software and delays execution to evade detection. (‘If any of these processes are found, it executes a malicious AutoIt script…’)
Indicators of Compromise
- [Domain] aviranpreschool[.]com – redirected from lomklauekabjikaiwoge[.]com to deliver ScreenConnect
- [Domain] lomklauekabjikaiwoge[.]com – redirect domain leading to ScreenConnect download
- [Domain] fa-histsedueg.screenconnect[.]com – threat actor’s ScreenConnect session host
- [File name] uy5a7ykit5s7xs7isi9i.exe – NSIS payload containing AsyncRAT
- [File name] Industries.cmd – batch script that orchestrates payload deployment
- [File name] B – rebuilt binary containing the embedded AutoIt script (MD5: 4f3bb0cdfff1c15b75041d07c1b7aac9)
- [File name] Lay.pif – concatenated AutoIt executable (MD5: b06e67f9767e5023892d9698703ad098)
- [File name] 95885Lay.pif – renamed AutoIt executable used to execute the script (MD5: 4f3bb0cdfff1c15b75041d07c1b7aac9)
- [URL] https://github.com/esThreatIntelligence/iocs/blob/main/ScreenConnect/ScreenConnect_AsyncRAT_6-24-2024.txt – GitHub IOC reference
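The indicators above and the chain in the keypoints (ScreenConnect session dropping the NSIS installer, Industries.cmd rebuilding the renamed AutoIt interpreter, injection into RegAsm.exe or AppLaunch.exe) can be turned into a small sweep over proxy and process-creation logs. The following is an added example, not code from eSentire or the TRU write-up: the domains, file names and MD5s are copied from the page as published, while the log format, the sample log lines, the process paths, and the two behavioural rules (ScreenConnect client launching a binary from a user-writable path; a .pif parent of an injection target) are constructed assumptions for illustration.

```python
import re
from typing import Dict, List

# --- Indicators copied from the page, kept defanged exactly as published ----
DEFANGED_DOMAINS = [
    "aviranpreschool[.]com",
    "lomklauekabjikaiwoge[.]com",
    "fa-histsedueg.screenconnect[.]com",
]
# The single-letter file "B" from the page is left out: it is too short to match safely.
IOC_FILE_NAMES = {"uy5a7ykit5s7xs7isi9i.exe", "industries.cmd", "lay.pif", "95885lay.pif"}
IOC_MD5 = {"4f3bb0cdfff1c15b75041d07c1b7aac9", "b06e67f9767e5023892d9698703ad098"}
INJECTION_TARGETS = {"regasm.exe", "applaunch.exe"}  # named on the page as injection targets


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com') back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'key=value key="quoted value"' line (a constructed log format) into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_proxy(ev: Dict[str, str]) -> List[str]:
    """Exact-hostname match against the page's domain indicators."""
    host = ev.get("host", "").lower()
    return [f"ioc-domain:{host}"] if host in IOC_DOMAINS else []


def check_process(ev: Dict[str, str]) -> List[str]:
    """Atomic IoC hits plus two behavioural rules derived from the chain on the page."""
    findings: List[str] = []
    image = basename(ev.get("image", ""))
    parent = basename(ev.get("parent", ""))
    cmdline = ev.get("cmdline", "").lower()
    tokens = set(re.findall(r"[\w.]+", cmdline))
    for name in IOC_FILE_NAMES:  # match on the image name or any command-line token
        if name == image or name in tokens:
            findings.append(f"ioc-file:{name}")
    if ev.get("md5", "").lower() in IOC_MD5:
        findings.append(f"ioc-md5:{ev['md5'].lower()}")
    # Rule 1 (assumed heuristic): the ScreenConnect client starting a binary from a
    # user-writable path, as when the remote session dropped and ran the NSIS installer.
    if "screenconnect" in parent and "\\users\\" in ev.get("image", "").lower():
        findings.append("screenconnect-launched-user-path-binary")
    # Rule 2 (assumed heuristic): a renamed AutoIt interpreter (.pif) parenting one of
    # the processes the page names as injection targets.
    if parent.endswith(".pif") and image in INJECTION_TARGETS:
        findings.append(f"pif-parent-of-{image}")
    return findings


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map 0-based line index -> findings, for the lines that produced at least one."""
    results: Dict[int, List[str]] = {}
    for i, line in enumerate(lines):
        ev = parse_event(line)
        hits = check_proxy(ev) if ev.get("type") == "proxy" else check_process(ev)
        if hits:
            results[i] = hits
    return results


# Constructed sample log: paths and timestamps are made up; names and hashes are the page's.
SAMPLE_LOG = [
    r'ts=2024-06-05T10:01:02Z type=proxy user=jdoe host=lomklauekabjikaiwoge.com path=/',
    r'ts=2024-06-05T10:01:03Z type=proxy user=jdoe host=www.example.org path=/index.html',
    r'ts=2024-06-05T10:04:10Z type=process parent="C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe" image="C:\Users\jdoe\AppData\Local\Temp\uy5a7ykit5s7xs7isi9i.exe" cmdline="uy5a7ykit5s7xs7isi9i.exe"',
    r'ts=2024-06-05T10:04:11Z type=process parent="C:\Users\jdoe\AppData\Local\Temp\uy5a7ykit5s7xs7isi9i.exe" image="C:\Windows\System32\cmd.exe" cmdline="cmd /c Industries.cmd"',
    r'ts=2024-06-05T10:04:15Z type=process parent="C:\Windows\System32\cmd.exe" image="C:\Users\jdoe\AppData\Local\Temp\95885Lay.pif" cmdline="95885Lay.pif B" md5=4f3bb0cdfff1c15b75041d07c1b7aac9',
    r'ts=2024-06-05T10:04:20Z type=process parent="C:\Users\jdoe\AppData\Local\Temp\95885Lay.pif" image="C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" cmdline="RegAsm.exe"',
    r'ts=2024-06-05T10:05:00Z type=process parent="C:\Windows\explorer.exe" image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe"',
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(idx, hits)
```

The atomic matches (domain, file name, MD5) expire as soon as the actor rotates infrastructure or rebuilds the payload; the two behavioural rules are the part worth keeping, because they key on the relationships the page describes (remote-access client running a dropped binary, a renamed interpreter parenting RegAsm.exe or AppLaunch.exe) rather than on specific names. Expect the ScreenConnect rule to need an allow-list for legitimately managed hosts where the client is used to run installers.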