This widely used Remote Monitoring tool is being used to deploy AsyncRAT to steal passwords

News
By published

A trojanized version of ScreenConnect is being shared via phishing

Trojan
(Image credit: wk1003mike / Shutterstock)
  • Phishing emails are spreading a trojanized version of ScreenConnect, tricking victims into installing remote access malware
  • Once installed, attackers deploy AsyncRAT, a fileless trojan that logs keystrokes, steals credentials, and more
  • AsyncRAT’s stealth and open-source nature make it a favorite among diverse threat actors

Criminals are using a trojanized version of a popular, legitimate remote access tool, to drop remote access trojans (RAT) on target devices, researchers are warning.

Earlier this week, security researchers from LevelBlue said they saw phishing emails in which a tainted variant of ConnectWise ScreenConnect was being shared, masquerading as financial and other business documents.

ConnectWise ScreenConnect is a remote access and remote support software, letting IT teams, help desks, and managed service providers (MSPs) do things like remote support, remote meetings, or unattended access.

Fileless malware

It also operates cross-platform, supporting desktop, mobile, and browser-based connections. However, it is one of the more abused programs, often seen in impersonation and identity theft attacks.

Victims who fall for the phishing email and install ScreenConnect end up granting criminals unabated access to their devices, which they later use to stealthily deploy fileless malware called AsyncRAT.

This remote access trojan, besides the obvious, also allows threat actors to log keystrokes, steal browser credentials, fingerprint the system, and look for cryptocurrency wallets and other wallet data - especially browser extensions.

"Fileless malware continues to pose a significant challenge to modern cybersecurity defenses due to its stealthy nature and reliance on legitimate system tools for execution," LevelBlue said. "Unlike traditional malware that writes payloads to disk, fileless threats operate in memory, making them harder to detect, analyze, and eradicate."

AsyncRAT is an open-source trojan first released in January 2019. Its accessibility has made it popular among a wide range of threat actors, from novice cybercriminals to more organized groups.

It is usually distributed through phishing emails or malicious attachments and has appeared in multi-stage infection chains, including campaigns targeting healthcare organizations.

While the malware itself is not tied to a specific group, various cybercriminals and emerging threat actors have widely adopted it for remote exploitation.

Via The Hacker News

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.