Threat actors exploit ScreenConnect for AsyncRAT deployment

Cybercriminals exploit ScreenConnect remote access tools to gain unauthorised entry to users’ systems. They achieve this by deceiving users into downloading ScreenConnect from fraudulent websites. As a result, the attackers can deploy the malicious AsyncRAT trojan, leading to significant risks for the compromised systems.

This technique is a drive-by attack and often involves SEO poisoning, malvertising, and the injection of malicious code into compromised websites. Links to these malicious websites are then spread across various forums, channels, and groups on social media to lure unsuspecting users into downloading harmful software.

The campaign began when users visited deceptive websites, which automatically redirected them to download the ScreenConnect application. Once ScreenConnect was installed, the threat actors established remote sessions on the victims’ systems. This remote access facilitated the deployment of a malicious executable file, leading to infection with AsyncRAT.

Upon investigation, researchers found one notable case involving a user downloading ScreenConnect from a compromised WordPress site, aviranpreschool[.]com, redirected from lomklauekabjikaiwoge[.]com.

When launched, ScreenConnect connected to the threat actor’s instance at fa-histsedueg.screenconnect[.]com.

Using ScreenConnect, the threat actor deployed the executable file uy5a7ykit5s7xs7isi9i.exe (MD5: 6bdba391a77bb67cb5aaae203d061ea8). This file is an NSIS installer containing an NSI script, AutoIt components, and batch scripts. The NSI script executed a batch file named ‘Industries.cmd’, which performed several actions to piece together and execute the malicious payload.

The attack chain explained. | Source: Esentire

Here are some actions performed by the ‘Industries.cmd’ file:

  • Combine ‘Password’, ‘Ranging’ and ‘Real’ files into a single file named B.
  • Execute the malicious AutoIt script.
  • Introduce a five-second delay to allow all previous commands to execute.
  • Evade detection by security software, especially WebRoot Endpoint Protection service and Quick Heal AntiVirus.
  • Check for other antivirus processes such as avastui.exe (Avast), avgui.exe (AVG Antivirus), nswscsvc.exe (Norton Security) and sophoshealth.exe (Sophos endpoint).

As we can see, the threat actors incorporated sophisticated techniques to check for security solutions and avoid being detected. For instance, the script introduced delays if security software processes were running.

After checking for antiviruses, ‘Industries.cmd’ then executes Lay.pif to run the malicious AutoIt script. This script will decrypt and inject the AsyncRAT payload into legitimate processes like RegAsm.exe or AppLaunch.exe if bdagent.exe (Bitdefender Agent) is found to be running.
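The chain described above (an executable launched from the ScreenConnect session, a batch file run from a temp directory, antivirus process discovery, and a .pif launcher starting RegAsm.exe or AppLaunch.exe) can be expressed as a few process-creation rules. The following is an added example, not code from eSentire or this article; the Sysmon-style field names, the ScreenConnect client binary name, the use of tasklist for the AV check, and all paths in the sample events are assumptions or constructed values.

```python
import re

# Process names taken from the article; everything else below is constructed.
AV_PROCESSES = ("avastui.exe", "avgui.exe", "nswscsvc.exe", "sophoshealth.exe", "bdagent.exe")
INJECTION_TARGETS = ("regasm.exe", "applaunch.exe")
SCREENCONNECT = re.compile(r"screenconnect", re.IGNORECASE)  # assumed client binary naming

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the list of rule names that one process-creation event trips."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "").lower()
    hits = []
    # 1. Anything the ScreenConnect client launches that is not ScreenConnect itself.
    if SCREENCONNECT.search(parent) and not SCREENCONNECT.search(image):
        hits.append("child_of_screenconnect")
    # 2. A batch file executed from a temp directory (NSIS unpacks to %TEMP%; assumed path).
    if image == "cmd.exe" and ".cmd" in cmdline and "\\temp\\" in cmdline:
        hits.append("batch_from_temp")
    # 3. A command line naming one of the AV processes the script looks for.
    if any(av in cmdline for av in AV_PROCESSES):
        hits.append("av_process_discovery")
    # 4. A .pif launcher starting one of the injection targets named in the article.
    if parent.endswith(".pif") and image in INJECTION_TARGETS:
        hits.append("pif_spawns_injection_target")
    return hits

def detect(events):
    """Return {event index: rule hits} for every event that trips at least one rule."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}

# Constructed sample events using Sysmon Event ID 1 field names (assumed layout).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files (x86)\ScreenConnect Client (f1e2)\ScreenConnect.WindowsClient.exe",
     "Image": r"C:\Users\alice\Downloads\uy5a7ykit5s7xs7isi9i.exe", "CommandLine": "uy5a7ykit5s7xs7isi9i.exe"},
    {"ParentImage": r"C:\Users\alice\Downloads\uy5a7ykit5s7xs7isi9i.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\nsa1B2.tmp\Industries.cmd"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\tasklist.exe",
     "CommandLine": r'tasklist /fi "imagename eq avastui.exe"'},
    {"ParentImage": r"C:\Users\alice\AppData\Local\Temp\nsa1B2.tmp\Lay.pif",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "CommandLine": "RegAsm.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},  # benign control event, should trip nothing
]
```

Run `detect(SAMPLE_EVENTS)` to see that the four attack-chain events each trip one rule while the explorer.exe/notepad.exe event trips none; in practice each rule alone is noisy, and it is the co-occurrence on one host within a short window that is worth alerting on.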

These incidents highlight the ongoing and adaptive nature of threats from malicious actors who misuse remote access software, including tools similar to ScreenConnect. These attackers often employ deceptive tactics, tricking users into installing seemingly legitimate programs from hijacked websites. This approach allows cybercriminals to gain illicit entry to systems and introduce malicious software, such as variants of AsyncRAT.

“The incidents underline the importance of caution when downloading software, especially from unverified or suspicious sources, to prevent malware infections,” concluded researchers.

Recently, three drive-by download campaigns were found to be distributing FakeBat malware.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me