The SOC Files: ScreenConnect masked as freeware. An inside look at a large-scale campaign

Kaspersky MDR uncovered a large campaign where ScreenConnect was abused to deliver AsyncRAT through spoofed freeware websites, DLL sideloading, and multi-stage scripts. The infrastructure spanned more than 90 localized domains and multiple C2 servers, with victims lured by fake installers for OBS Studio, DS4Windows, DNS Jumper, Bandicam, and Process Hacker. #ScreenConnect #AsyncRAT #OBSStudio #DS4Windows #DNSJumper #Bandicam #ProcessHacker

Key points

  • Kaspersky MDR found ScreenConnect being used to deploy and execute an AsyncRAT payload.
  • The infection chain began with spoofed software sites hosting malicious installer archives that mimicked popular freeware.
  • The archives used DLL sideloading with a legitimate signed install.exe and a rogue install.res.1033.dll to install ScreenConnect.
  • PowerShell, VBS, and scheduled tasks were used to disable defenses, decrypt payloads, and maintain persistence.
  • The campaign used more than 90 domains localized in multiple languages, showing a broad global distribution effort.
  • Attackers leveraged SEO so fraudulent download pages appeared high in search results for targeted software.
  • The likely goal was credential theft and unauthorized access for later resale or follow-on attacks.

MITRE Techniques

  • [T1055.012] Process Hollowing – The payload spawns RegAsm.exe suspended and replaces its original code with the injected .NET module, allowing AsyncRAT to run inside a trusted process. [‘spawn a new RegAsm.exe process with the CREATE_SUSPENDED flag… the RegAsm.exe process no longer executes its original code’]
  • [T1218.009] Signed Binary Proxy Execution: Regsvcs/Regasm – The malware abuses RegAsm.exe as the host process for malicious execution and code injection. [‘RegAsm.exe process… serving as a container for the injected .NET module’]
  • [T1027] Obfuscated Files or Information – The loader decrypts payload bytes using XOR, bit inversion, and reflective loading before execution. [‘uses a 0xA7 XOR key to decrypt each byte and inverts the bit order’]
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell scripts are created and executed to configure exclusions and launch later stages. [‘created and executed a PowerShell script’]
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – VBScript is used to create files and trigger the next script in the chain. [‘The installer_method3_stream.vbs script creates five files… and immediately triggers their execution’]
  • [T1112] Modify Registry – The script disables UAC prompts by changing a registry value. [‘disables User Account Control (UAC) prompts by setting the ConsentPromptBehaviorAdmin registry parameter to 0’]
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Microsoft Defender exclusions are added to weaken host protection. [‘configures Microsoft Defender exclusions’]
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Persistence is achieved by creating a task that runs every two minutes. [‘“schtasks” /Create /TN “MasterPackager.Updater”… /SC MINUTE /MO 2 /F’]
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – The article describes persistence through a task that survives reboot and keeps the loader chain running. [‘ensuring that script.vbs — and consequently the entire loader chain — executes even after a system reboot’]
  • [T1105] Ingress Tool Transfer – Malicious archives and payload components are downloaded from spoofed websites to the victim device. [‘Clicking the download button… triggers a request… from which the archive is fetched’]
  • [T1195.002] Compromise Software Supply Chain: Compromise Software Dependency and Development Tools – Legitimate software installers are packaged with malicious components to deliver ScreenConnect. [‘bundle a legitimate, signed Microsoft install.exe binary alongside a rogue install.res.1033.dll library’]
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – The legitimate installer loads the malicious DLL to execute the attacker’s code. [‘When OBS-Studio-Installer.exe is executed, it loads install.res.1033.dll via DLL sideloading’]
  • [T1218.011] System Binary Proxy Execution: Rundll32 – The detection logic notes rundll32.exe as a suspicious child process of ScreenConnect, indicating abuse of trusted binaries. [‘Anomalous child processes being spawned by the ScreenConnect service’]
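The byte decoding described under T1027 (a 0xA7 XOR key plus per-byte bit-order inversion) is the kind of step an analyst reproduces to unpack a sample for static inspection. The helper below is an added example, not code from the Securelist article or from the malware itself; it assumes a single-byte key and an independent per-byte bit reversal, and the PE stub it decodes is constructed for the test, not a real binary. The summary does not say whether XOR or the reversal comes first, and the helper shows why that does not matter: bit reversal permutes bit positions, so it distributes over XOR, and "reverse then XOR with reverse(key)" yields exactly the same bytes as "XOR with key then reverse". The `recover_key` function generalises the page's fixed key by brute-forcing all 256 single-byte keys against a PE-header sanity check.

```python
from typing import Optional

# Added analyst-side helper for the T1027 decoding step; not the article's code.
# Assumption: one single-byte XOR key (0xA7 per the summary) and a reversal of
# bit order applied to each byte independently.


def reverse_bits(b: int) -> int:
    """Reverse the bit order of one byte (0b10100000 -> 0b00000101)."""
    return int(f"{b:08b}"[::-1], 2)


def decode(blob: bytes, key: int = 0xA7) -> bytes:
    """XOR each byte with key, then reverse its bit order.

    Because reverse_bits is a permutation of bit positions it distributes
    over XOR: reverse(b ^ k) == reverse(b) ^ reverse(k). Doing the reversal
    first and XORing with reverse_bits(k) afterwards gives identical output,
    so the order the summary leaves open does not change the result.
    """
    return bytes(reverse_bits(b ^ key) for b in blob)


def encode(data: bytes, key: int = 0xA7) -> bytes:
    """Exact inverse of decode(); only used here to build the constructed sample."""
    return bytes(reverse_bits(b) ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: 'MZ' at offset 0 and 'PE\\0\\0' at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key(blob: bytes) -> Optional[int]:
    """Brute-force the 256 single-byte keys; return the first that yields a PE header.

    The first decoded byte pins the key uniquely for a given plaintext byte,
    so at most one key can produce 'MZ' for this scheme.
    """
    for key in range(256):
        if looks_like_pe(decode(blob, key)):
            return key
    return None


# Constructed stand-in for an encrypted PE: a DOS header whose e_lfanew is 0x40,
# followed by the PE signature and filler text. Not a real binary.
FAKE_PE = (b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
           + b"PE\x00\x00" + b"constructed filler, not real code")
SAMPLE_BLOB = encode(FAKE_PE, 0xA7)


if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB)
    print(f"recovered key: {key:#04x}" if key is not None else "no key found")
    print("decoded header:", decode(SAMPLE_BLOB, key)[:2] if key is not None else b"")
```

Running the block recovers 0xA7 from the constructed blob and prints the decoded `MZ` header; on a real sample the same check separates the correct key from the other 255 in a single pass, and the equivalence noted in `decode` means an analyst never has to guess which of the two operations the loader applies first.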

Indicators of Compromise

  • [File hash] Malicious loader and related sample hashes – B32810973132D11AFD61CCEE222BBB79, 5B7E1FE55BD7B5EA54BD4ED1677E5A26, 9A9CCD8B0E5D05F4EE77667B024844DB, 0EEE9BAD07E22415439E854657FA1366, 8F4E8B680D3E8D3F5AC39BD72882F713, 5F96C04E3AFAE97017B201BE112284D2, 73BEAD922109A61E5F9F85771A7812C5, EDFF4F58722C93D7C09ED71899416396, 83601C3D4ED28E8D2BE1B99BEB8EC18C, 695E794631EF130583368770E7B81E98, 1E6A5C7B620D487D0CFC6874C3B77C90, 54025CE2A9405039899FE99A1D77E0BB, BD05FCF80E493CF9AA71EC510319469D, 999A63730C9634481D1D76955A2E76A8, 479BD3BB617B39CD4A46D0768A2592D4, 776DFD3DF9C04BB9FCDD6C1880C3761A, 8E4C57358A66EB14D31ABB614DDC68DE, A40D3AEB0DAE5B00BDB3A517F3135BBB, A85A5BFDCB7C65AB93043B8CF9E20065, 01325880EFFFEC546F59490089A3B415
  • [File name] Suspicious installer and loader filenames – install.res.1033.dll, Fj5NmEsp9EuKrun.ps1, installer_method3_stream.vbs, script.vbs, cap.ps1
  • [Domain] Payload delivery, C2, and fake software sites – mora1987[.]work[.]gd, servermanagemen[.]xyz, studioobs[.]com, direct-download.giize[.]com, fileget.loseyourip[.]com
  • [IP address] Hosting infrastructure for campaign domains – 162.216.241[.]242, 198.23.185[.]81, 2.59.134[.]97, 185.254.97[.]249, 45.145.41[.]205
  • [URL path] Malicious download endpoints used to fetch archives – hxxps://www.studioobs[.]com/, hxxps://fileget.loseyourip[.]com/obs-studio-windows-full/gVOMs5VZ9BtlcaM, hxxps://direct-download.giize[.]com/dns-jumper/iopbsr4hymbo7nfa1q7j
  • [Service name] Persistence and remote access service identifiers – Microsoft Update Service, MasterPackager.Updater, ScreenConnect ClientService.exe
  • [Executable] Living-off-the-land and malicious execution binaries – install.exe, msiexec.exe, RegAsm.exe, powershell.exe, wscript.exe, schtasks.exe
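The techniques and indicators above translate into a handful of host-telemetry rules: anomalous children of the ScreenConnect service (T1218.011), a short-interval scheduled task (T1053.005), Defender exclusions being added (T1562.001), ConsentPromptBehaviorAdmin being zeroed (T1112), and RegAsm.exe launched by a script host (T1218.009). The following is an added example of that detection logic run over constructed process-creation events; it is not detection content from Kaspersky MDR or the Securelist article. The event shape (parent image, child image, command line) is a simplified stand-in for what an EDR or Sysmon event 1 carries, the five-minute threshold for "short interval" is an assumption, the registry path for ConsentPromptBehaviorAdmin is the standard UAC policy key, and `example.dll` is a placeholder path. The service binary is listed above as "ScreenConnect ClientService.exe", so the matcher accepts that spelling with either a space or a dot.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str   # parent image name (basename)
    image: str    # child image name (basename)
    cmdline: str  # full command line of the child


# Names taken from the technique and IoC lists above.
SC_SERVICE_RE = re.compile(r"^screenconnect[. ]clientservice\.exe$")
LOLBIN_CHILDREN = {"rundll32.exe", "powershell.exe", "wscript.exe",
                   "msiexec.exe", "schtasks.exe", "regasm.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
KNOWN_TASK_NAMES = {"masterpackager.updater"}
MAX_BENIGN_MINUTES = 5  # assumption: repeating tasks under 5 minutes are rare outside tooling


def rule_screenconnect_child(ev: ProcEvent) -> bool:
    """T1218.011: the ScreenConnect service spawning a living-off-the-land binary."""
    return bool(SC_SERVICE_RE.match(ev.parent.lower())) and ev.image.lower() in LOLBIN_CHILDREN


def rule_short_interval_task(ev: ProcEvent) -> bool:
    """T1053.005: schtasks /Create with a known task name or a minute-level repeat."""
    if ev.image.lower() != "schtasks.exe":
        return False
    cl = ev.cmdline.lower()
    if "/create" not in cl:
        return False
    if any(name in cl for name in KNOWN_TASK_NAMES):
        return True
    m = re.search(r"/sc\s+minute\s+/mo\s+(\d+)", cl)
    return bool(m) and int(m.group(1)) <= MAX_BENIGN_MINUTES


def rule_defender_exclusion(ev: ProcEvent) -> bool:
    """T1562.001: Add-MpPreference used to add a Defender exclusion."""
    cl = ev.cmdline.lower()
    return "add-mppreference" in cl and "exclusion" in cl


def rule_uac_prompt_disabled(ev: ProcEvent) -> bool:
    """T1112: ConsentPromptBehaviorAdmin written as 0 via reg.exe or PowerShell."""
    return bool(re.search(r"consentpromptbehavioradmin.*(?:/d|-value)\s+0\b", ev.cmdline.lower()))


def rule_regasm_from_script_host(ev: ProcEvent) -> bool:
    """T1218.009: RegAsm.exe started by a script host rather than a build tool."""
    return ev.image.lower() == "regasm.exe" and ev.parent.lower() in SCRIPT_HOSTS


RULES = {
    "screenconnect_spawns_lolbin": rule_screenconnect_child,
    "short_interval_scheduled_task": rule_short_interval_task,
    "defender_exclusion_added": rule_defender_exclusion,
    "uac_prompt_disabled": rule_uac_prompt_disabled,
    "regasm_from_script_host": rule_regasm_from_script_host,
}


def evaluate(ev: ProcEvent) -> list:
    """Return the names of every rule the event matches."""
    return [name for name, fn in RULES.items() if fn(ev)]


def scan(events) -> dict:
    """Map event index -> matched rule names, for flagged events only."""
    return {i: hits for i, ev in enumerate(events) if (hits := evaluate(ev))}


# Constructed events modelled on the chain summarised above; not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent("ScreenConnect.ClientService.exe", "rundll32.exe",
              r"rundll32.exe C:\ProgramData\example.dll,Start"),  # placeholder DLL path
    ProcEvent("ScreenConnect.ClientService.exe", "wscript.exe",
              r"wscript.exe C:\ProgramData\installer_method3_stream.vbs"),
    ProcEvent("wscript.exe", "schtasks.exe",
              r'schtasks /Create /TN "MasterPackager.Updater" /TR "wscript.exe C:\ProgramData\script.vbs" /SC MINUTE /MO 2 /F'),
    ProcEvent("wscript.exe", "powershell.exe",
              r'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\ProgramData"'),
    ProcEvent("cmd.exe", "reg.exe",
              r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"),
    ProcEvent("powershell.exe", "RegAsm.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
    # Benign controls: none of these should fire.
    ProcEvent("explorer.exe", "notepad.exe", "notepad.exe"),
    ProcEvent("services.exe", "ScreenConnect.ClientService.exe", "ScreenConnect.ClientService.exe"),
    ProcEvent("svchost.exe", "schtasks.exe", r'schtasks /Create /TN "Backup" /TR "backup.exe" /SC DAILY /ST 02:00'),
    ProcEvent("ScreenConnect.ClientService.exe", "ScreenConnect.WindowsClient.exe", "ScreenConnect.WindowsClient.exe"),
]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"event {idx}: {ev.parent} -> {ev.image}: {', '.join(hits)}")
```

The benign controls matter as much as the hits: a legitimate ScreenConnect install spawning its own client, or a daily backup task, must stay silent, otherwise the ScreenConnect-child rule becomes unusable in any estate where the tool is sanctioned. In production the parent match should also be backed by the signer and path of the ScreenConnect service binary, since the article's point is that the remote-access tool itself is legitimate and only its use is anomalous.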


Read more: https://securelist.com/tr/the-soc-files-screenconnect-campaign-with-asyncrat/120472/