- Phishing emails are spreading a trojanized version of ScreenConnect, tricking victims into installing remote access malware
- Once installed, attackers deploy AsyncRAT, a fileless trojan that logs keystrokes, steals credentials, and more
- AsyncRAT’s stealth and open-source nature make it a favorite among diverse threat actors
Criminals are using a trojanized version of a popular, legitimate remote access tool, to drop remote access trojans (RAT) on target devices, researchers are warning.
Earlier this week, security researchers from LevelBlue said they saw phishing emails in which a tainted variant of ConnectWise ScreenConnect was being shared, masquerading as financial and other business documents.
ConnectWise ScreenConnect is a remote access and remote support software, letting IT teams, help desks, and managed service providers (MSPs) do things like remote support, remote meetings, or unattended access.
Fileless malware
It also operates cross-platform, supporting desktop, mobile, and browser-based connections. However, it is one of the more abused programs, often seen in impersonation and identity theft attacks.
Victims who fall for the phishing email and install ScreenConnect end up granting criminals unabated access to their devices, which they later use to stealthily deploy fileless malware called AsyncRAT.
This remote access trojan, besides the obvious, also allows threat actors to log keystrokes, steal browser credentials, fingerprint the system, and look for cryptocurrency wallets and other wallet data – especially browser extensions.
“Fileless malware continues to pose a significant challenge to modern cybersecurity defenses due to its stealthy nature and reliance on legitimate system tools for execution,” LevelBlue said. “Unlike traditional malware that writes payloads to disk, fileless threats operate in memory, making them harder to detect, analyze, and eradicate.”
AsyncRAT is an open-source trojan first released in January 2019. Its accessibility has made it popular among a wide range of threat actors, from novice cybercriminals to more organized groups.
It is usually distributed through phishing emails or malicious attachments and has appeared in multi-stage infection chains, including campaigns targeting healthcare organizations.
While the malware itself is not tied to a specific group, various cybercriminals and emerging threat actors have widely adopted it for remote exploitation.
Via The Hacker News