Kaspersky experts have uncovered a malicious network infrastructure for delivering AsyncRAT. The Trojan is dropped via compromised ScreenConnect software. In this post, we break down the infection chain and analyze the C2 infrastructure.
Analysis Summary
# Tool/Technique: AsyncRAT via ScreenConnect
## Overview
This campaign distributes the **AsyncRAT** Trojan through an infection chain built on compromised or attacker-controlled instances of **ScreenConnect** (ConnectWise Control) remote desktop software. The threat actors disguise the ScreenConnect client installers as legitimate freeware or business utilities to gain initial access to corporate networks, then use the resulting remote session to deploy AsyncRAT for persistence, surveillance, and data exfiltration.
## Technical Details
- **Type:** Malware family (RAT) delivered through abuse of a legitimate Remote Monitoring and Management (RMM) tool; no software vulnerability is required, the RMM client itself is the delivery vehicle.
- **Platform:** Windows
- **Capabilities:** Remote access, keylogging, screen capture, file management, and additional payload delivery.
- **First Seen:** Campaign activity identified in late 2023/early 2024 (AsyncRAT itself dates back to 2019).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1566 - Phishing] (Luring users to download "freeware")
- [T1133 - External Remote Services] (Use of ScreenConnect)
- **[TA0002 - Execution]**
- [T1204.002 - User Execution: Malicious File]
- [T1059.005 - Command and Scripting Interpreter: Visual Basic]
- **[TA0003 - Persistence]**
- [T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder]
- **[TA0005 - Defense Evasion]**
- [T1218.010 - System Binary Proxy Execution: Regsvr32]
- [T1562.001 - Impair Defenses: Disable or Modify Tools]
- **[TA0011 - Command and Control]**
- [T1071.001 - Application Layer Protocol: Web Protocols]
- [T1573.002 - Encrypted Channel: Asymmetric Cryptography]
## Functionality
### Core Capabilities
- **Remote Administration:** Full control over the infected system's GUI and file system.
- **Data Exfiltration:** Ability to upload files from the victim's machine to the C2.
- **Persistence:** Establishes itself via Scheduled Tasks or Registry Run keys to survive reboots.
- **Surveillance:** Keylogging and periodic desktop screenshots.
### Advanced Features
- **Anti-Analysis:** Checks for the presence of virtual machines, debuggers, and specific antivirus processes before full execution.
- **Plugin System:** Modular architecture allowing the attacker to load additional .NET DLLs into memory to expand functionality without writing new files to disk.
- **RMM Abuse:** Because the ScreenConnect client is legitimate, signed software, it passes perimeter and endpoint controls that trust signed RMM binaries, and the attacker's remote session blends in with ordinary administrative activity.
## Indicators of Compromise
- **File Hashes (SHA256):**
- `7d9f7832822a12443491fba36976694680879684347710c66657999806f0e4b2` (AsyncRAT Loader)
- `38ba66289b7083072fec01a87e596706e2553b655519ec3081e7d23d83968361` (Malicious ScreenConnect Installer)
- **File Names:**
- `ScreenConnect.Client.exe`
- `Update.vbs`
- `Client.exe`
- **Network Indicators:**
- `185[.]244[.]213[.]114`
- `dns[.]mshome[.]net` (caveat: `mshome.net` is also the default DNS suffix used by Windows Internet Connection Sharing and the Hyper-V Default Switch, so this name is low-fidelity on its own and should be correlated with the other indicators)
- `async[.]files-storage[.]com`
- **Behavioral Indicators:**
- Unusual outbound traffic on ports `6606`, `7707`, or `8808` (the default listener ports in AsyncRAT's configuration).
- ScreenConnect sessions originating from unknown or unauthorized external IP addresses.
- Unexpected execution of `csc.exe` (the .NET C# compiler) outside of development or build tooling, used by AsyncRAT-style loaders to compile payload source on the victim host at runtime.
## Associated Threat Actors
- While AsyncRAT is a commodity tool used by many groups, recent campaigns utilizing ScreenConnect lures have been linked to various **Initial Access Brokers (IABs)** and cybercriminal groups focusing on ransomware delivery.
## Detection Methods
- **Signature-based:** Deploying YARA rules targeting the AsyncRAT configuration block in memory.
- **Behavioral:** Monitoring for `regsvr32.exe`, `powershell.exe`, or `wscript.exe` spawning as children of ScreenConnect client processes.
- **Process Monitoring:** Detecting injection of code into legitimate .NET host processes such as `aspnet_compiler.exe`.
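The behavioral indicators and detection methods above translate directly into hunting logic. The following is an added example written for this summary, not code from the Kaspersky report: it runs three checks over constructed Sysmon-style events (parent/child process pairs under the ScreenConnect client, outbound connections to AsyncRAT's default ports or the report's C2 address, and ScreenConnect sessions from outside an administrative allowlist). The event field names, the ScreenConnect process image names, the "known-good compiler parent" list and the `10.20.0.0/16` / `203.0.113.0/24` admin ranges are assumptions for the example and should be adapted to your telemetry schema and environment.

```python
"""Hunting helpers for the AsyncRAT-via-ScreenConnect behaviours described on this page.
Added example, not code from the Kaspersky report. Sample events are constructed
in a Sysmon-like shape; field names are assumptions, adapt them to your SIEM schema."""
import ipaddress
from typing import Iterable

# AsyncRAT default listener ports named in the behavioural indicators above.
ASYNCRAT_DEFAULT_PORTS = {6606, 7707, 8808}
# C2 address listed in the page's network indicators (refanged for matching).
KNOWN_C2_IPS = {"185.244.213.114"}

# Process images the ScreenConnect client runs under (assumption: standard
# ConnectWise Control client binary names on Windows).
SCREENCONNECT_IMAGES = {
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
    "screenconnect.client.exe",
}
# Interpreters and LOLBins that should not normally be children of an RMM client.
SUSPICIOUS_CHILDREN = {"regsvr32.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "cmd.exe", "csc.exe", "mshta.exe", "rundll32.exe"}
# Parents for which csc.exe is expected (assumption: developer/build tooling).
COMPILER_PARENTS_OK = {"msbuild.exe", "devenv.exe", "vbcscompiler.exe"}

# Source ranges permitted to open ScreenConnect sessions (constructed allowlist).
AUTHORIZED_ADMIN_RANGES = [ipaddress.ip_network("10.20.0.0/16"),
                           ipaddress.ip_network("203.0.113.0/24")]


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_process_create(ev: dict) -> list[str]:
    """Flag interpreters spawned by the RMM client and csc.exe outside build tooling."""
    hits = []
    parent, child = image_name(ev["parent_image"]), image_name(ev["image"])
    if parent in SCREENCONNECT_IMAGES and child in SUSPICIOUS_CHILDREN:
        hits.append(f"rmm_child_interpreter: {parent} -> {child}")
    if child == "csc.exe" and parent not in COMPILER_PARENTS_OK:
        hits.append(f"unexpected_csc: spawned by {parent}")
    return hits


def check_network_connect(ev: dict) -> list[str]:
    """Flag known C2 addresses and AsyncRAT default ports to non-internal hosts."""
    hits = []
    dst = ipaddress.ip_address(ev["dst_ip"])
    port = int(ev["dst_port"])
    if ev["dst_ip"] in KNOWN_C2_IPS:
        hits.append(f"known_c2_ip: {ev['dst_ip']}:{port}")
    # Internal-to-internal traffic on these ports is common enough to skip here.
    if port in ASYNCRAT_DEFAULT_PORTS and dst.is_global:
        hits.append(f"asyncrat_default_port: {image_name(ev['image'])} -> {dst}:{port}")
    return hits


def check_rmm_session(ev: dict) -> list[str]:
    """Flag ScreenConnect sessions whose source is outside the admin allowlist."""
    src = ipaddress.ip_address(ev["source_ip"])
    if not any(src in net for net in AUTHORIZED_ADMIN_RANGES):
        return [f"unauthorized_rmm_source: session from {src} to {ev['host']}"]
    return []


CHECKS = {
    "process_create": check_process_create,
    "network_connect": check_network_connect,
    "rmm_session": check_rmm_session,
}


def hunt(events: Iterable[dict]) -> list[str]:
    """Run every applicable check over an event stream and return the findings."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("type"))
        if check:
            findings.extend(check(ev))
    return findings


# Constructed sample telemetry modelled on the behaviours described on this page.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "parent_image": r"C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.ClientService.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Public\Update.vbs"},
    {"type": "process_create",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": "csc.exe /noconfig /fullpaths ..."},
    {"type": "process_create",  # benign control event
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "network_connect", "image": r"C:\Users\Public\Client.exe",
     "dst_ip": "185.244.213.114", "dst_port": 6606},
    {"type": "network_connect", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "10.20.5.7", "dst_port": 8808},  # internal destination, not flagged
    {"type": "rmm_session", "host": "WS-FIN-042", "source_ip": "198.51.100.23"},
    {"type": "rmm_session", "host": "WS-FIN-042", "source_ip": "10.20.3.9"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Against the constructed events the script yields five findings: the `wscript.exe` child of the ScreenConnect service, the `csc.exe` compile launched from that script, two hits on the `Client.exe` connection (known C2 address and default AsyncRAT port), and the session from `198.51.100.23`. The benign process, the internal connection on port 8808 and the session from the admin range produce nothing, which is the point of the allowlist and `is_global` checks: the raw indicators are noisy, the correlated ones are not.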
## Mitigation Strategies
- **Software Restriction:** Implement application allowlisting so that only the organization's managed RMM deployment can run, and unmanaged ScreenConnect client instances are blocked.
- **Network Segmentation:** Restrict RMM tool communication to known, authorized administrative IP ranges.
- **User Education:** Train staff to identify social engineering tactics involving "free utility" downloads.
- **Hardening:** Disable or restrict Windows Script Host (`wscript.exe` / `cscript.exe`) if not required for business operations.
## Related Tools/Techniques
- **AnyDesk/TeamViewer abuse:** The same pattern of repurposing legitimate remote-access tools for initial access and hands-on-keyboard control.
- **QuasarRAT / NjRAT:** Similar commodity .NET-based remote access Trojans.
- **Living-off-the-Land (LotL):** Using signed binaries to carry out malicious activities.