Particle.news

LevelBlue Publishes IOCs on Fileless AsyncRAT Attack Exploiting ScreenConnect

The technical breakdown equips defenders to detect an in-memory, multi-stage chain that persists via a fake Skype Updater task.

Overview

  • Investigators traced initial access to a compromised ScreenConnect client routed through relay.shipperzone.online, where a VBScript named Update.vbs invoked PowerShell to stage the attack.
  • Two payloads, logs.ldk and logs.ldr, were fetched to C:\Users\Public; their contents were then loaded and executed in memory rather than run as on-disk executables, limiting what file-based detection could see.
  • Stage one used a .NET launcher dubbed Obfuscator.dll that patched AMSI and ETW, resolved APIs dynamically, and created a scheduled task masquerading as Skype Updater for persistence.
  • Stage two, AsyncClient.exe, decrypted its configuration with AES-256 and connected over TCP to 3osch20.duckdns.org using a custom protocol for command-and-control.
  • LevelBlue released indicators of compromise and behavioral details to support hunting and response, with SentinelOne noted as having observed process execution tied to the chain.
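The bullets above give a defender two kinds of handle on this chain: atomic IOCs (the relay and C2 domains, the Update.vbs and logs.ldk/logs.ldr file names, the "Skype Updater" task name) and behaviours (a ScreenConnect client spawning a script host, wscript.exe spawning PowerShell, payloads dropped under C:\Users\Public). The script below is an added example, not code from LevelBlue or from the report, that runs both kinds of check over a handful of constructed Sysmon-style events; the event field names, the rule names, and the ScreenConnect client path and PowerShell command line in the sample are assumptions for illustration, while the domains, file names and task name come from the summary.

```python
"""Hunt endpoint telemetry for the ScreenConnect -> Update.vbs -> PowerShell -> AsyncRAT chain.

Added example. SAMPLE_EVENTS are constructed, Sysmon-like records; only the domains,
file names and the scheduled-task name are taken from the LevelBlue summary.
"""
from collections import defaultdict

# Atomic indicators reported in the write-up.
IOC_DOMAINS = {"relay.shipperzone.online", "3osch20.duckdns.org"}
IOC_FILENAMES = {"update.vbs", "logs.ldk", "logs.ldr"}
IOC_TASK_NAME = "skype updater"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the rule names this single event trips (empty list when benign)."""
    hits = []
    if ev["type"] == "ProcessCreate":
        parent, image = _basename(ev["parent"]), _basename(ev["image"])
        cmd = ev["cmdline"].lower()
        # Lineage: remote-support client launching a script host, then VBScript launching PowerShell.
        if "screenconnect" in parent and image in SCRIPT_HOSTS:
            hits.append("screenconnect_spawns_script_host")
        if parent in {"wscript.exe", "cscript.exe"} and image in {"powershell.exe", "pwsh.exe"}:
            hits.append("vbscript_spawns_powershell")
        if any(name in cmd for name in IOC_FILENAMES):
            hits.append("ioc_filename_in_cmdline")
        # Persistence registered via schtasks.exe under the fake Skype Updater name.
        if image == "schtasks.exe" and IOC_TASK_NAME in cmd:
            hits.append("fake_skype_updater_task")
    elif ev["type"] == "FileCreate":
        path = ev["path"].lower()
        if path.startswith("c:\\users\\public\\") and _basename(path) in IOC_FILENAMES:
            hits.append("payload_written_to_public")
    elif ev["type"] == "DnsQuery":
        if ev["query"].lower().rstrip(".") in IOC_DOMAINS:
            hits.append("ioc_domain_lookup")
    elif ev["type"] == "TaskCreate":  # e.g. Security event 4698, task registered via API
        if ev["task_name"].lower().strip("\\") == IOC_TASK_NAME:
            hits.append("fake_skype_updater_task")
    return hits


def hunt(events):
    """Group rule hits per host; hosts with no hits are omitted."""
    findings = defaultdict(set)
    for ev in events:
        for rule in check_event(ev):
            findings[ev["host"]].add(rule)
    return {host: sorted(rules) for host, rules in findings.items()}


# Constructed sample: WS01 shows the full chain, WS02 is benign noise.
SC_CLIENT = "C:\\Program Files (x86)\\ScreenConnect Client (abcd1234)\\ScreenConnect.ClientService.exe"  # assumed path
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "ProcessCreate", "parent": SC_CLIENT,
     "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\Public\\Update.vbs"'},
    {"host": "WS01", "type": "ProcessCreate", "parent": "C:\\Windows\\System32\\wscript.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "<downloader elided>"'},  # assumed flags
    {"host": "WS01", "type": "DnsQuery", "query": "relay.shipperzone.online"},
    {"host": "WS01", "type": "FileCreate", "path": "C:\\Users\\Public\\logs.ldk"},
    {"host": "WS01", "type": "FileCreate", "path": "C:\\Users\\Public\\logs.ldr"},
    {"host": "WS01", "type": "TaskCreate", "task_name": "\\Skype Updater"},
    {"host": "WS01", "type": "DnsQuery", "query": "3osch20.duckdns.org"},
    {"host": "WS02", "type": "ProcessCreate", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe"},
    {"host": "WS02", "type": "TaskCreate",
     "task_name": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan"},
    {"host": "WS02", "type": "DnsQuery", "query": "update.microsoft.com"},
]

if __name__ == "__main__":
    for host, rules in hunt(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(rules))
```

The lineage rules are the durable part: the domains and file names will change with the next campaign, but a ScreenConnect client spawning wscript.exe, or wscript.exe spawning a hidden PowerShell, is rarely legitimate and survives a rename of the dropper. Persistence is checked two ways because the task may be registered through the Task Scheduler API (surfacing as a 4698-style event) rather than through schtasks.exe.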