AsyncRAT Campaigns Uncovered: How Attackers Abuse ScreenConnect and Open Directories

This intelligence report details an attack campaign that delivers AsyncRAT through trojanized ConnectWise ScreenConnect installers. The attackers stage their packages on open directories, combining abuse of legitimate remote management software with custom loaders and scripts. The campaign relies on modular payload staging, native code injection, and extensive manipulation of C2 ports and TLS configuration to keep its command-and-control infrastructure resilient. Multiple hosts were observed serving similar malware packages, with evidence of payload repackaging and infrastructure rotation to evade detection. The attackers use two parallel execution pathways, aggressive persistence mechanisms, and multi-stage redirect chains to achieve compromise across diverse environments.

Author: AlienVault

Related Tags:
payload staging, PowerShell RAT, c2 infrastructure, open directories

ATT&CK techniques:
T1059.005 (Command and Scripting Interpreter: Visual Basic)
T1059.007 (Command and Scripting Interpreter: JavaScript)
T1573.001 (Encrypted Channel: Symmetric Cryptography)
T1573.002 (Encrypted Channel: Asymmetric Cryptography)
T1053.005 (Scheduled Task/Job: Scheduled Task)

Associated Indicators (SHA-256 file hashes):
EC7514D1BE0BA0B2A9059759D2885F81F1E887E1559A1630F6C380E11F7BF7D3
E4AFC06B31849F0A9C463E2599906A93914727A1F5B08D0EBFE1990965EBC41F
FF529B5E54B079FF9A449E933B6042C2403F15D0DE9EE9DBFB0C51E56BF13FAD
54B762E05AF1A1138786A78E9936D63F4E419BBEB0D116C2CEE7376566420382
B97D0A646C8AECE8F5C4CEDB26DA808EC5104038C7871AD0481F75DF7A75C59D
521769C955761F7FC625EAE2006F4DABCF36CE3169309E0AD111E7B7B29748AF
9CD11A25896A9E7A54AEAF0CC249A8EBCAADA74168D2BDD2D51D8313A7293DCE
C7936CC04631BC9D4ED7A9BE3A5638193FAC57CB3CCFA7CE037AA2B0FE24CAD7
701E702F91942ACEF4D6AFDDA2ABF70ED8618CDE2F2EF3B174B092373C63C033
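A practical way to put the indicators above to work is to hash every file under a download, staging or ScreenConnect install directory and compare the digests against the list. The script below is an added example written for this page, not part of the AlienVault pulse; it assumes the nine 64-hex-character indicators are SHA-256 file hashes (the pulse does not label them), validates them before use, and streams files in chunks so large installers are not read into memory in one go. Paths and the `scan_tree` / `normalize_indicators` / `sha256_of_file` names are this example's own.

```python
"""Hunt a directory tree for files whose SHA-256 matches the pulse indicators."""
import hashlib
import os
import sys
from typing import Dict, Iterable, Set

# Indicators copied from the pulse above. Treating them as SHA-256 file hashes
# is an assumption of this example; the pulse lists them without a type label.
PULSE_INDICATORS = {
    "EC7514D1BE0BA0B2A9059759D2885F81F1E887E1559A1630F6C380E11F7BF7D3",
    "E4AFC06B31849F0A9C463E2599906A93914727A1F5B08D0EBFE1990965EBC41F",
    "FF529B5E54B079FF9A449E933B6042C2403F15D0DE9EE9DBFB0C51E56BF13FAD",
    "54B762E05AF1A1138786A78E9936D63F4E419BBEB0D116C2CEE7376566420382",
    "B97D0A646C8AECE8F5C4CEDB26DA808EC5104038C7871AD0481F75DF7A75C59D",
    "521769C955761F7FC625EAE2006F4DABCF36CE3169309E0AD111E7B7B29748AF",
    "9CD11A25896A9E7A54AEAF0CC249A8EBCAADA74168D2BDD2D51D8313A7293DCE",
    "C7936CC04631BC9D4ED7A9BE3A5638193FAC57CB3CCFA7CE037AA2B0FE24CAD7",
    "701E702F91942ACEF4D6AFDDA2ABF70ED8618CDE2F2EF3B174B092373C63C033",
}

HEX_DIGITS = set("0123456789abcdef")


def normalize_indicators(raw: Iterable[str]) -> Set[str]:
    """Lower-case the hashes and reject anything that is not a 64-hex-char digest.

    Feeds frequently mix in MD5/SHA-1 values or stray whitespace; failing loudly
    here is better than silently never matching.
    """
    out: Set[str] = set()
    for item in raw:
        h = item.strip().lower()
        if len(h) != 64 or not set(h) <= HEX_DIGITS:
            raise ValueError(f"not a SHA-256 hex digest: {item!r}")
        out.add(h)
    return out


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Return the hex SHA-256 of a file, streaming it in 1 MiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: str, indicators: Set[str]) -> Dict[str, str]:
    """Walk `root` and return {path: hash} for each file whose hash is an indicator."""
    hits: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                h = sha256_of_file(path)
            except OSError:
                # Unreadable or vanished file (locked installer, race with cleanup):
                # skip it rather than abort the whole hunt.
                continue
            if h in indicators:
                hits[path] = h
    return hits


if __name__ == "__main__":
    # Usage: python hunt.py <directory>   (defaults to the current directory)
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit_path, hit_hash in scan_tree(scan_root, normalize_indicators(PULSE_INDICATORS)).items():
        print(f"MATCH {hit_hash} {hit_path}")
```

Run it against user download folders, web-server document roots and the ScreenConnect installation directory on suspect hosts; a hit is worth triaging, but the absence of a hit proves little, since the pulse itself notes the payloads are repackaged and the infrastructure rotated.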