Kaspersky MDR uncovered a large campaign where ScreenConnect was abused to deliver AsyncRAT through spoofed freeware websites, DLL sideloading, and multi-stage scripts. The infrastructure spanned more than 90 localized domains and multiple C2 servers, with victims lured by fake installers for OBS Studio, DS4Windows, DNS Jumper, Bandicam, and Process Hacker. #ScreenConnect #AsyncRAT #OBSStudio #DS4Windows #DNSJumper #Bandicam #ProcessHacker
Keypoints
- Kaspersky MDR found ScreenConnect being used to deploy and execute an AsyncRAT payload.
- The infection chain began with spoofed software sites hosting malicious installer archives that mimicked popular freeware.
- The archives used DLL sideloading with a legitimate signed install.exe and a rogue install.res.1033.dll to install ScreenConnect.
- PowerShell, VBS, and scheduled tasks were used to disable defenses, decrypt payloads, and maintain persistence.
- The campaign used more than 90 domains localized in multiple languages, showing a broad global distribution effort.
- Attackers leveraged SEO so fraudulent download pages appeared high in search results for targeted software.
- The likely goal was credential theft and unauthorized access for later resale or follow-on attacks.
MITRE Techniques
- [T1055.012] Process Hollowing – The payload spawns RegAsm.exe suspended and replaces its original code with the injected .NET module, allowing AsyncRAT to run inside a trusted process. [“spawn a new RegAsm.exe process with the CREATE_SUSPENDED flag… the RegAsm.exe process no longer executes its original code”]
- [T1218.009] Signed Binary Proxy Execution: Regsvcs/Regasm – The malware abuses RegAsm.exe as the host process for malicious execution and code injection. [“RegAsm.exe process… serving as a container for the injected .NET module”]
- [T1027] Obfuscated Files or Information – The loader decrypts payload bytes using XOR, bit inversion, and reflective loading before execution. [“uses a 0xA7 XOR key to decrypt each byte and inverts the bit order”]
- [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell scripts are created and executed to configure exclusions and launch later stages. [“created and executed a PowerShell script”]
- [T1059.005] Command and Scripting Interpreter: Visual Basic – VBScript is used to create files and trigger the next script in the chain. [“The installer_method3_stream.vbs script creates five files… and immediately triggers their execution”]
- [T1112] Modify Registry – The script disables UAC prompts by changing a registry value. [“disables User Account Control (UAC) prompts by setting the ConsentPromptBehaviorAdmin registry parameter to 0”]
- [T1562.001] Impair Defenses: Disable or Modify Tools – Microsoft Defender exclusions are added to weaken host protection. [“configures Microsoft Defender exclusions”]
- [T1053.005] Scheduled Task/Job: Scheduled Task – Persistence is achieved by creating a task that runs every two minutes. [“"schtasks" /Create /TN "MasterPackager.Updater"… /SC MINUTE /MO 2 /F”]
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – The article describes persistence through a task that survives reboot and keeps the loader chain running. [“ensuring that script.vbs – and consequently the entire loader chain – executes even after a system reboot”]
- [T1105] Ingress Tool Transfer – Malicious archives and payload components are downloaded from spoofed websites to the victim device. [“Clicking the download button… triggers a request… from which the archive is fetched”]
- [T1195.002] Compromise Software Supply Chain: Compromise Software Dependency and Development Tools – Legitimate software installers are packaged with malicious components to deliver ScreenConnect. [“bundle a legitimate, signed Microsoft install.exe binary alongside a rogue install.res.1033.dll library”]
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – The legitimate installer loads the malicious DLL to execute the attacker's code. [“When OBS-Studio-Installer.exe is executed, it loads install.res.1033.dll via DLL sideloading”]
- [T1218.011] System Binary Proxy Execution: Rundll32 – The detection logic notes rundll32.exe as a suspicious child process from ScreenConnect, indicating abuse of trusted binaries. [“Anomalous child processes being spawned by the ScreenConnect service”]
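The behaviours mapped above (anomalous children of the ScreenConnect service, the two-minute scheduled task, the UAC registry change and the Defender exclusions) translate directly into host-telemetry rules. The following is an added example, not code from Kaspersky or the report, that runs such rules over constructed process-creation events; the event field names and the sample command lines are assumptions modelled on the techniques described, not captured from the campaign.

```python
import re

# Constructed sample process-creation events (not from the report); field names
# mirror typical EDR/Sysmon telemetry: parent image, image, command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\stage.dll,Run"},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /Create /TN "MasterPackager.Updater" /TR "wscript script.vbs" /SC MINUTE /MO 2 /F'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ep bypass Add-MpPreference -ExclusionPath C:\Users\Public"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]
# Interpreters and proxy binaries a remote-support service has no reason to launch.
SUSPICIOUS_CHILDREN = {"rundll32.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "cmd.exe", "mshta.exe", "regasm.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return a list of (technique, reason) hits for one process-creation event."""
    hits = []
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    # Anomalous child of the ScreenConnect service (the report's detection hint)
    if parent == "screenconnect.clientservice.exe" and image in SUSPICIOUS_CHILDREN:
        hits.append(("T1218.011" if image == "rundll32.exe" else "T1059",
                     f"ScreenConnect service spawned {image}"))
    # Scheduled task repeating every few minutes (the report: /SC MINUTE /MO 2)
    m = re.search(r"/SC\s+MINUTE\s+/MO\s+(\d+)", cmd, re.I)
    if image == "schtasks.exe" and "/create" in cmd.lower() and m and int(m.group(1)) <= 5:
        hits.append(("T1053.005", f"task repeating every {m.group(1)} min"))
    # UAC admin consent prompt disabled through the registry
    if re.search(r"ConsentPromptBehaviorAdmin.*(?:/d\s+|-Value\s+)0\b", cmd, re.I):
        hits.append(("T1112", "ConsentPromptBehaviorAdmin set to 0"))
    # Microsoft Defender exclusion added from a command line
    if re.search(r"Add-MpPreference\s+-Exclusion", cmd, re.I):
        hits.append(("T1562.001", "Defender exclusion added"))
    return hits

def scan(events):
    # Map event index -> hits for every event that triggers at least one rule
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}
```

Any single hit is worth triage on its own; several of them on one host within minutes match the loader chain the report describes.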
Indicators of Compromise
- [File hash] Malicious loader and related sample hashes – listed in the Securelist report linked below
- [File name] Suspicious installer and loader filenames – install.res.1033.dll, Fj5NmEsp9EuKrun.ps1, installer_method3_stream.vbs, script.vbs, cap.ps1
- [Domain] Payload delivery, C2, and fake software sites – mora1987[.]work[.]gd, servermanagemen[.]xyz, studioobs[.]com, direct-download.giize[.]com, fileget.loseyourip[.]com
- [IP address] Hosting infrastructure for campaign domains – 162.216.241[.]242, 198.23.185[.]81, 2.59.134[.]97, 185.254.97[.]249, 45.145.41[.]205
- [URL path] Malicious download endpoints used to fetch archives – hxxps://www.studioobs[.]com/, hxxps://fileget.loseyourip[.]com/obs-studio-windows-full/gVOMs5VZ9BtlcaM, hxxps://direct-download.giize[.]com/dns-jumper/iopbsr4hymbo7nfa1q7j
- [Service name] Persistence and remote access service identifiers – Microsoft Update Service, MasterPackager.Updater, ScreenConnect ClientService.exe
- [Executable] Living-off-the-land and malicious execution binaries – install.exe, msiexec.exe, RegAsm.exe, powershell.exe, wscript.exe, schtasks.exe
Read more: https://securelist.com/tr/the-soc-files-screenconnect-campaign-with-asyncrat/120472/