A fileless campaign has been observed delivering AsyncRAT, a widely abused open-source Remote Access Trojan, through a multi-stage in-memory loader built to slip past security controls that only inspect what is written to disk.
LevelBlue researchers have documented the attack chain, showing how the operators abuse legitimate remote-access and scripting tools to gain a foothold and persist while the RAT itself runs only in memory.
The chain begins with an unauthorized ScreenConnect client, a legitimate remote-support tool repurposed as the initial access vector.
The attackers establish an interactive session through the relay domain relay.shipperzone[.]online, which has been linked to unauthorized ScreenConnect deployments.
From that session, a VBScript file named Update.vbs is run via WScript; it launches PowerShell commands that fetch two payloads from a remote server.
Multi-Stage Fileless Execution
The downloaded payloads, logs.ldk and logs.ldr, are staged in C:\Users\Public\ and then loaded into memory through .NET reflection rather than executed as files.
The first payload is read into a byte array and loaded as a .NET assembly; the second is passed as the argument to that assembly's Main() method. The two blobs do touch disk, but only as opaque files with non-executable extensions: no PE is dropped or launched from disk, and the malicious code exists as executable code only inside the PowerShell process's memory, which is what defeats file-scanning defenses.
Analysis of the .NET assembly reveals a sophisticated two-stage architecture. The first component, Obfuscator.dll, functions as a payload launcher containing three core classes that handle runtime initialization, persistence establishment, and anti-analysis techniques.
The malware persists through a scheduled task named “Skype Updater” and blinds defenders with two routines, PatchAMSI() and PatchETW(): the first patches the Antimalware Scan Interface in-process so scripts and reflectively loaded assemblies are no longer scanned, and the second patches Event Tracing for Windows so the process stops emitting the telemetry that logging and EDR sensors depend on.
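The loader behaviour and the persistence mechanism described above leave traces in ordinary Windows telemetry: PowerShell ScriptBlock logging (Event ID 4104) records the reflective load, and the scheduled task has a name, an action executable and arguments. The following Python is an added hunting example, not code from the LevelBlue report; it runs a few rules over constructed sample records. The ScriptBlock line mirrors the pattern described (bytes read from C:\Users\Public, loaded via reflection, second blob handed to the entry point) but is not the command line the campaign actually used, and the "Skype Updater" action (re-launching the VBScript) is an assumption, since the report names the task but not what it runs.

```python
import re
from typing import List, Tuple

# Constructed sample telemetry (not from the report). Entry 0 mirrors the loader
# behaviour described in the article; entries 1 and 2 are benign admin activity.
SCRIPT_BLOCKS = [
    r'[Reflection.Assembly]::Load([IO.File]::ReadAllBytes("C:\Users\Public\logs.ldk"))'
    r'.EntryPoint.Invoke($null, @(,[IO.File]::ReadAllBytes("C:\Users\Public\logs.ldr")))',
    r'Get-ChildItem C:\Users\Public\Documents | Where-Object Length -gt 1MB',
    r'Add-Type -Path "C:\Program Files\Vendor\Helper.dll"; [Helper.Api]::Run()',
]

# Scheduled tasks as (name, action executable, arguments). The "Skype Updater"
# action is an assumption; the report does not state what the task executes.
TASKS = [
    ("Skype Updater", r"C:\Windows\System32\wscript.exe", r"C:\Users\Public\Update.vbs"),
    ("GoogleUpdateTaskMachineUA",
     r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe", "/ua /installsource scheduler"),
]

USER_WRITABLE = re.compile(r"(?i)\\(users\\public|programdata|temp|appdata)\\")
REFLECTIVE_LOAD = re.compile(r"(?i)(\[(System\.)?Reflection\.Assembly\]::Load\b|Assembly\.Load\()")
BYTES_FROM_FILE = re.compile(r"(?i)ReadAllBytes\(")
LOADED_PATHS = re.compile(r"""(?i)ReadAllBytes\(\s*["']([^"']+)["']\s*\)""")
ENTRYPOINT_CALL = re.compile(r"""(?i)(\.EntryPoint\.Invoke|GetMethod\(\s*["']Main["'])""")
PE_EXT = re.compile(r"(?i)\.(exe|dll)\b")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}


def scan_script_block(text: str) -> List[str]:
    """Rules for one PowerShell ScriptBlock log entry; returns the rule names that fired."""
    hits = []
    if REFLECTIVE_LOAD.search(text) and BYTES_FROM_FILE.search(text):
        hits.append("reflective_assembly_load_from_bytes")
        if USER_WRITABLE.search(text):
            hits.append("payload_in_user_writable_dir")
        paths = LOADED_PATHS.findall(text)
        # .ldk/.ldr style: a blob that is not named like a PE is being treated as one
        if paths and not any(PE_EXT.search(p) for p in paths):
            hits.append("non_pe_extension_loaded_as_assembly")
    if ENTRYPOINT_CALL.search(text):
        hits.append("manual_entrypoint_invoke")
    return hits


def scan_task(name: str, exe: str, args: str) -> List[str]:
    """Rules for one scheduled-task definition."""
    hits = []
    host = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if host in SCRIPT_HOSTS and USER_WRITABLE.search(args):
        hits.append("script_host_runs_user_writable_payload")
    if "updat" in name.lower() and host in SCRIPT_HOSTS:
        hits.append("updater_name_but_script_host_action")
    return hits


def run_hunt() -> List[Tuple[str, str, List[str]]]:
    """Apply both rule sets to the sample records and return only the records that fired."""
    findings = []
    for block in SCRIPT_BLOCKS:
        hits = scan_script_block(block)
        if hits:
            findings.append(("scriptblock", block[:60], hits))
    for name, exe, args in TASKS:
        hits = scan_task(name, exe, args)
        if hits:
            findings.append(("task", name, hits))
    return findings


if __name__ == "__main__":
    for kind, ident, hits in run_hunt():
        print(f"{kind:<12} {ident!r}: {', '.join(hits)}")
```

The two benign records fall through every rule, which is the point of requiring the reflective load and the byte-array read to co-occur: Assembly.Load on its own is common in administrative scripts, while Assembly.Load of bytes read from a user-writable directory under a non-PE extension is rarely legitimate. In production the same rules would read 4104 events and the output of Get-ScheduledTask instead of the inline lists.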
The second stage, AsyncClient.exe, serves as the operational backbone implementing full command-and-control functionality.
This component uses AES-256 to decrypt its embedded, Base64-encoded configuration, which carries the C2 domains (such as 3osch20[.]duckdns[.]org), infection flags, and target directories.
The RAT then connects to its command servers over TCP using AsyncRAT's custom framing: every packet is a 4-byte length prefix followed by a MessagePack-serialized body, which the receiver parses once the full length has arrived.
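Knowing the framing is what lets an analyst carve individual messages out of a captured TCP stream. The following Python is an added example, not code from the report or from AsyncRAT itself: it builds and parses packets with a 4-byte length prefix and a MessagePack body, including the case where one packet is split across two TCP reads. Two assumptions are labelled in the code: the length prefix is taken to be little-endian (the byte order BitConverter produces on Windows), and the MessagePack support is a small hand-written subset so the example runs without the third-party msgpack package. The message field names are illustrative and not the campaign's real schema.

```python
import struct

# Minimal MessagePack subset (nil, bool, small ints, str, bin, fixmap). Written here
# only so the example runs offline; real traffic may use other type codes, and the
# decoder raises on anything it does not understand rather than guessing.
def mp_encode(obj) -> bytes:
    if obj is None:
        return b"\xc0"
    if obj is True:
        return b"\xc3"
    if obj is False:
        return b"\xc2"
    if isinstance(obj, int):
        if 0 <= obj < 0x80:
            return bytes([obj])                                   # positive fixint
        return b"\xd3" + struct.pack(">q", obj)                   # int64
    if isinstance(obj, str):
        raw = obj.encode("utf-8")
        if len(raw) < 32:
            return bytes([0xA0 | len(raw)]) + raw                 # fixstr
        return b"\xda" + struct.pack(">H", len(raw)) + raw        # str16
    if isinstance(obj, (bytes, bytearray)):
        return b"\xc5" + struct.pack(">H", len(obj)) + bytes(obj)  # bin16
    if isinstance(obj, dict) and len(obj) < 16:
        out = bytes([0x80 | len(obj)])                            # fixmap
        for k, v in obj.items():
            out += mp_encode(k) + mp_encode(v)
        return out
    raise TypeError(f"unsupported value: {obj!r}")


def mp_decode(buf: bytes, pos: int = 0):
    """Decode one MessagePack value at buf[pos]; returns (value, next_pos)."""
    b = buf[pos]
    pos += 1
    if b == 0xC0:
        return None, pos
    if b == 0xC2:
        return False, pos
    if b == 0xC3:
        return True, pos
    if b < 0x80:
        return b, pos
    if b == 0xD3:
        return struct.unpack_from(">q", buf, pos)[0], pos + 8
    if 0xA0 <= b <= 0xBF:
        n = b & 0x1F
        return buf[pos:pos + n].decode("utf-8"), pos + n
    if b == 0xDA:
        n = struct.unpack_from(">H", buf, pos)[0]
        pos += 2
        return buf[pos:pos + n].decode("utf-8"), pos + n
    if b == 0xC5:
        n = struct.unpack_from(">H", buf, pos)[0]
        pos += 2
        return bytes(buf[pos:pos + n]), pos + n
    if 0x80 <= b <= 0x8F:
        out = {}
        for _ in range(b & 0x0F):
            k, pos = mp_decode(buf, pos)
            v, pos = mp_decode(buf, pos)
            out[k] = v
        return out, pos
    raise ValueError(f"unsupported MessagePack type byte 0x{b:02x}")


MAX_FRAME = 8 * 1024 * 1024  # sanity cap: a corrupt or foreign prefix must not stall the parser


def frame(msg: dict) -> bytes:
    """One packet: 4-byte length prefix (assumed little-endian) + MessagePack body."""
    body = mp_encode(msg)
    return struct.pack("<I", len(body)) + body


def unframe(stream: bytes):
    """Carve complete packets out of a byte stream; returns (messages, leftover_bytes).
    An incomplete trailing packet is returned as leftover to be prepended to the next read."""
    msgs, pos = [], 0
    while len(stream) - pos >= 4:
        n = struct.unpack_from("<I", stream, pos)[0]
        if n > MAX_FRAME:
            raise ValueError(f"implausible frame length {n}: corrupt data or not this protocol")
        if len(stream) - pos - 4 < n:
            break                                                 # wait for more data
        msg, end = mp_decode(stream[pos + 4:pos + 4 + n])
        if end != n:
            raise ValueError("trailing bytes inside frame")
        msgs.append(msg)
        pos += 4 + n
    return msgs, stream[pos:]


# Constructed check-in message; field names are illustrative, not the real schema.
CLIENT_INFO = {"Packet": "ClientInfo", "HWID": "9F3A-CONSTRUCTED",
               "User": "corp\\alice", "Admin": False, "AV": "Defender"}


def demo():
    """Two packets on the wire, delivered across two reads split mid-packet."""
    wire = frame(CLIENT_INFO) + frame({"Packet": "Ping"})
    first_read, second_read = wire[:10], wire[10:]
    got, rest = unframe(first_read)            # nothing complete yet
    got2, rest2 = unframe(rest + second_read)  # both packets recovered
    return got, got2, rest2
```

Pointing unframe() at the reassembled TCP payload from a capture yields the message objects directly; the length cap and the trailing-bytes check are there so that a mis-identified stream fails loudly instead of producing plausible-looking garbage.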
AsyncClient.exe performs broad reconnaissance: operating system details, privilege level, antivirus status, active window titles, and installed browser extensions, including cryptocurrency wallet extensions such as MetaMask and Phantom.
Keylogging is implemented through hook callbacks; captured keystrokes are written to temporary files together with contextual data, giving the operator a record of user activity rather than a bare keystroke stream.
The campaign illustrates how current RAT deployments combine abuse of legitimate remote-access tooling, memory-only execution of the payload, and in-process AMSI and ETW tampering to keep persistent access while staying below the threshold of file-based detection.