AsyncRAT Campaigns Uncovered: How Attackers Abuse ScreenConnect and Open Directories

Pulse ID: 68d2269364d1c2bbb062139d
Pulse Link: https://otx.alienvault.com/pulse/68d2269364d1c2bbb062139d
Pulse Author: Tr1sa111
Created: 2025-09-23 04:48:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AsyncRAT #CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #ScreenConnect #bot #Tr1sa111

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

🦠 Malware Analysis
===================

🎯 Threat Intelligence

Executive summary: Recent investigations reveal a repeatable campaign where attackers abuse ConnectWise ScreenConnect installers hosted in open directories to distribute AsyncRAT and a custom PowerShell RAT. The campaign combines trusted RMM footprints, ClickOnce pivots and payload containers that evade signature-based detection.

Technical details:
• Observed payloads include AsyncRAT and a bespoke PowerShell RAT delivered alongside trojanized ScreenConnect installers.
• Infrastructure enumeration identified multiple hosts (examples: 176.65.139.119, 45.74.16.71, 164.68.120.30) and repeated file names such as logs.ldk, logs.idk, logs.idr ranging from ~60 KB to 3 MB.
• Execution techniques show two distinct code paths: in-memory .NET Assembly.Load for AV-guarded environments and native injection via libPK.dll::Execute otherwise.
• Persistence mechanisms include scheduled tasks named SystemInstallTask and 3losh with aggressive intervals (every 2–10 minutes).
• Network/C2 tradecraft spans common ports (21/80/111/443) and high ephemeral ranges (30,000–60,000), often wrapped in TLS.

🔹 Attack Chain Analysis
• Initial Access / Phishing: ClickOnce pivots (e.g., police.html → galusa.ac.mz → dual.saltuta.com) delivering a launcher from /Bin/ paths.
• Download: Trojanized ScreenConnect installer retrieved from open directory hosting.
• Execution: Dual paths — Assembly.Load into memory or libPK.dll native injection.
• Persistence: Creation of scheduled tasks with short recurrence.
• C2 / Telemetry: AsyncRAT beaconing over standard and ephemeral ports with TLS.

Impact & analysis: Abusing legitimate RMM installers introduces supply-chain-like risk; trusted installer footprints lower detection fidelity and enable long dwell times. Fresh or repackaged containers missing from VirusTotal indicate active re-use and rapid churn.

Detection guidance:
• Monitor for creation of scheduled tasks named SystemInstallTask/3losh and unusual recurrence intervals.
• Alert on processes performing .NET Assembly.Load from nonstandard locations and on native DLLs named libPK.dll performing injection-like behaviors.
• Hunt for open directory listings exposing logs.ldk|logs.idk|logs.idr and ClickOnce /Bin/ URL patterns.
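
The hunt logic below is an added example and is not code from the OTX pulse or the hunt.io report. It turns the three detection bullets above into checks a practitioner can run over telemetry: scheduled-task creations (assumed to arrive as Windows Security event 4698 records carrying the task's XML definition) are matched against the reported task names SystemInstallTask/3losh and the 2-10 minute recurrence, and requested URLs are matched against the logs.ldk|logs.idk|logs.idr file names and the ClickOnce /Bin/ path pattern. The task XML, the launcher file name and the benign URLs are constructed for the demo; the IP and domain come from the pulse.

```python
"""Added example (not from the OTX pulse or hunt.io report): hunt checks for the
scheduled-task and URL indicators listed in the Detection guidance.

Assumptions: scheduled-task creations are available as Windows Security event
4698 records (task name plus the task's XML definition), and web/proxy telemetry
is available as requested URLs. All sample records below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Task names reported in the campaign; matched case-insensitively.
SUSPICIOUS_TASK_NAMES = {"systeminstalltask", "3losh"}
# The report cites recurrence every 2-10 minutes; flag anything at or under 10 min.
MAX_BENIGN_INTERVAL_SECONDS = 10 * 60

# Payload container names and ClickOnce path pattern from the hunting guidance.
PAYLOAD_NAME_RE = re.compile(r"^logs\.(ldk|idk|idr)$", re.IGNORECASE)
CLICKONCE_BIN_RE = re.compile(r"/Bin/", re.IGNORECASE)

# Task Scheduler XML namespace and the ISO-8601 duration form it uses (e.g. PT5M).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
ISO_DURATION_RE = re.compile(
    r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)


def iso_duration_seconds(text):
    """Convert a Task Scheduler duration such as PT5M or P1DT2H to seconds."""
    m = ISO_DURATION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def shortest_repetition(task_xml):
    """Return the shortest <Repetition><Interval> across all triggers, or None."""
    root = ET.fromstring(task_xml)
    intervals = [
        iso_duration_seconds(e.text)
        for e in root.iterfind(".//t:Repetition/t:Interval", TASK_NS)
        if e.text
    ]
    return min(intervals) if intervals else None


def evaluate_task(task_name, task_xml):
    """Return the reasons a task creation is suspicious (empty list = clean)."""
    reasons = []
    base = task_name.rsplit("\\", 1)[-1].lower()  # drop the task folder prefix
    if base in SUSPICIOUS_TASK_NAMES:
        reasons.append(f"task name matches reported indicator: {base}")
    interval = shortest_repetition(task_xml)
    if interval is not None and interval <= MAX_BENIGN_INTERVAL_SECONDS:
        reasons.append(f"aggressive repetition interval: every {interval // 60} min")
    return reasons


def evaluate_url(url):
    """Return the reasons a requested URL matches the open-directory/ClickOnce hunt."""
    reasons = []
    path = urlparse(url).path
    filename = path.rsplit("/", 1)[-1]
    if PAYLOAD_NAME_RE.match(filename):
        reasons.append(f"payload container name: {filename}")
    if CLICKONCE_BIN_RE.search(path):
        reasons.append("ClickOnce-style /Bin/ path")
    return reasons


def task_xml(interval=None):
    """Constructed event-4698 task definition; interval=None means no repetition."""
    repetition = f"<Repetition><Interval>{interval}</Interval></Repetition>" if interval else ""
    return (
        '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<Triggers><TimeTrigger>{repetition}"
        "<StartBoundary>2025-09-19T14:00:00</StartBoundary></TimeTrigger></Triggers>"
        "<Actions><Exec><Command>powershell.exe</Command></Exec></Actions></Task>"
    )


# Constructed sample telemetry: two task creations mirroring the report, one benign.
SAMPLE_TASKS = [
    ("\\SystemInstallTask", task_xml("PT5M")),
    ("\\3losh", task_xml("PT2M")),
    ("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", task_xml()),
]
# Constructed sample URLs: host/domain from the pulse, file name "launcher.exe" assumed.
SAMPLE_URLS = [
    "http://176.65.139.119/logs.ldk",
    "https://dual.saltuta.com/Bin/launcher.exe",
    "https://update.example.com/releases/notes.txt",
]


def hunt(tasks=SAMPLE_TASKS, urls=SAMPLE_URLS):
    """Run both checks and return {indicator: reasons} for everything that fired."""
    hits = {}
    for name, xml in tasks:
        if reasons := evaluate_task(name, xml):
            hits[name] = reasons
    for url in urls:
        if reasons := evaluate_url(url):
            hits[url] = reasons
    return hits


if __name__ == "__main__":
    for indicator, reasons in hunt().items():
        print(indicator, "->", "; ".join(reasons))
```

The interval check is kept separate from the name check on purpose: renamed tasks with the same 2-10 minute cadence still fire on recurrence alone, and the recurrence threshold is the only value to tune for environments that legitimately run short-interval tasks.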

Mitigations:
• Harden RMM deployment processes, restrict installer hosting and validate installer hashes.
• Block or monitor suspicious open directory access and implement strict egress controls for ephemeral port ranges.
• Enforce application allowlisting and endpoint behavioral detections for in-memory assembly loads and DLL injection.

🔹 AsyncRAT #ScreenConnect #ClickOnce #RMM #C2

🔗 Source: https://hunt.io/blog/asyncrat-screenconnect-open-directory-campaigns

AsyncRAT Campaigns Uncovered: How Attackers Abuse ScreenConnect and Open Directories

This intelligence report details a sophisticated attack campaign leveraging trojanized ConnectWise ScreenConnect installers to deliver AsyncRAT payloads. Attackers use open directories as staging points, blending legitimate remote management software abuse with custom loaders and scripts. The campaign employs modular payload staging, native injection techniques, and extensive port/TLS manipulation to maintain resilient command and control infrastructure. Multiple hosts were identified serving similar malware packages, with evidence of payload repackaging and infrastructure rotation to evade detection. The attackers utilize dual execution pathways, aggressive persistence mechanisms, and multi-stage redirect chains to ensure successful compromise across diverse environments.

Pulse ID: 68cd7f421874e12c34532ccf
Pulse Link: https://otx.alienvault.com/pulse/68cd7f421874e12c34532ccf
Pulse Author: AlienVault
Created: 2025-09-19 16:05:22

#AsyncRAT #ConnectWise #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #RAT #SMS #ScreenConnect #TLS #Trojan #bot #AlienVault

AsyncRAT Campaigns Uncovered: How Attackers Abuse ScreenConnect and Open Directories

Pulse ID: 68cd62c43c6f18d2c3eea344
Pulse Link: https://otx.alienvault.com/pulse/68cd62c43c6f18d2c3eea344
Pulse Author: CyberHunter_NL
Created: 2025-09-19 14:03:48

#AsyncRAT #CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #ScreenConnect #bot #CyberHunter_NL

Attackers abuse ConnectWise ScreenConnect to drop AsyncRAT

Hackers exploit ConnectWise ScreenConnect to drop AsyncRAT via scripted loaders, stealing data and persisting with a fake Skype updater.

Security Affairs

New investigation reveals attackers used a fileless malware chain via a compromised #ScreenConnect client to deploy AsyncRAT, enabling credential theft, keylogging, and wallet scans.

Read: https://hackread.com/fileless-malware-attack-asyncrat-credential-theft/

#CyberSecurity #AsyncRAT #Malware #CyberAttack #InfoSec

New Fileless Malware Attack Uses AsyncRAT for Credential Theft

Hackread - Latest Cybersecurity, Hacking News, Tech, AI & Crypto

Threat Actors Use Malicious ScreenConnect Installers for Initial Access

Pulse ID: 68be034c84e27cf8ae61797f
Pulse Link: https://otx.alienvault.com/pulse/68be034c84e27cf8ae61797f
Pulse Author: cryptocti
Created: 2025-09-07 22:12:28

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #ScreenConnect #bot #cryptocti

🚨 New Threat: AI-Crafted Phishing + ScreenConnect

Threat actors are leveraging compromised email accounts & AI-written lures to deploy ScreenConnect for remote access. More than 900 enterprises have been hit already.
This blends CaaS toolkits, AI social engineering, and trusted platforms like Zoom/Teams into near-undetectable phishing.

👉 Security pros: what’s the best defense here? AI-assisted detection? Supply chain-focused Zero Trust? Or advanced email anomaly monitoring?
Follow Technadu for continuous research-backed threat analysis.

#AIPhishing #ScreenConnect #CyberAttack #ThreatActors

ScreenConnect admins targeted by spear-phishing attacks

A phishing campaign is currently under way that harvests ScreenConnect credentials. The attackers intend to deploy ransomware.

heise online