{"id":4815,"date":"2025-09-12T11:33:50","date_gmt":"2025-09-12T11:33:50","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4815"},"modified":"2025-09-12T11:33:50","modified_gmt":"2025-09-12T11:33:50","slug":"stealthy-asyncrat-flees-the-disk-for-a-fileless-infection","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4815","title":{"rendered":"Stealthy AsyncRAT flees the disk for a fileless infection"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Security researchers have discovered an open-source remote access trojan, AsyncRAT, being delivered through a multi-stage, in-memory loader as adversaries move to fileless techniques.<\/p>\n<p>According to LevelBlue Labs\u2019 findings, attackers gained an initial foothold through a compromised ScreenConnect client and ran PowerShell scripts to fetch two staged payloads.<\/p>\n<p>\u201cThis technique exemplifies <a href=\"https:\/\/www.csoonline.com\/article\/562983\/what-is-a-fileless-attack-how-hackers-invade-systems-without-installing-software.html\" target=\"_blank\" rel=\"noopener\">fileless malware<\/a>: no executable is written to disk, and all malicious logic is executed in-memory,\u201d Sean Shirley, a network security engineer at LevelBlue, explained in a blog post. 
\u201cThe approach bypasses traditional disk-based detection by operating in memory, making these threats harder to detect, analyze, and eradicate.\u201d<\/p>\n<p>The analysis revealed a minimalist fileless attack, using trusted admin tooling, tiny bootstrap scripts, and .NET loaders, designed to evade <a href=\"https:\/\/www.csoonline.com\/article\/560639\/is-signature-and-rule-based-intrusion-detection-sufficient.html\">signature-based detection<\/a> while delivering full remote control capability.<\/p>\n<h2 class=\"wp-block-heading\">Legitimate tools abused for fileless staging<\/h2>\n<p>LevelBlue\u2019s timeline ties the initial compromise to a ConnectWise ScreenConnect deployment used as a relay\/C2 endpoint.<\/p>\n<p>\u201cThe threat actor initiated an interactive session through relay.shipperzone[.]online, a known malicious domain linked to unauthorized ScreenConnect deployments,\u201d Shirley <a href=\"https:\/\/levelblue.com\/blogs\/security-essentials\/asyncrat-in-action-fileless-malware-techniques-and-analysis-of-a-remote-access-trojan\" target=\"_blank\" rel=\"noopener\">noted<\/a>. \u201cFrom this session, a VBScript (Update.vbs) was executed using WScript, triggering a PowerShell command designed to fetch two external payloads.\u201d<\/p>\n<p>Rather than dropping heavy binaries, the operators used small, seemingly harmless code (a VBScript that launches a PowerShell command) to fetch and assemble two staged .NET payloads in memory. The first-stage assembly acts as an obfuscator\/loader, converting the downloaded content into byte arrays and using reflection to invoke the secondary assembly\u2019s Main() directly.<\/p>\n<p>This keeps the filesystem clean and leaves antivirus scanners looking for the wrong signals.<\/p>\n<h2 class=\"wp-block-heading\">RAT with evasion and persistence<\/h2>\n<p>Once AsyncRAT was loaded, the attackers took steps to disrupt Windows defenses. 
The report notes techniques such as disabling the Anti-malware Scan Interface (AMSI) and tampering with Event Tracing for Windows (ETW), both critical features for runtime detection. To maintain persistence, they created a scheduled task disguised as \u201cSkype Update,\u201d ensuring the RAT would restart after reboots.<\/p>\n<p>LevelBlue\u2019s analysis also uncovered AsyncRAT\u2019s encrypted configuration file, secured with AES-256, which contained instructions to connect back to a DuckDNS-based command and control (C2) server. The C2 communication used custom packet formats over TCP, a method typically chosen for flexibility and evasion.<\/p>\n<p>AsyncRAT grants operators access to powerful features: keystroke logging, browser credential theft, clipboard monitoring, and system surveillance. LevelBlue published a list of indicators of compromise (IoCs) for defenders to add to their scanners. Additional general best practices include blocking the malicious domains, hunting for PowerShell one-liners and in-memory .NET reflective loads, and monitoring for AMSI\/ETW tampering and suspicious scheduled task creation.<\/p>\n<p>Threat actors are increasingly <a href=\"https:\/\/www.csoonline.com\/article\/643356\/fileless-attacks-surge-as-cybercriminals-evade-cloud-security-defenses.html\">leaning toward fileless intrusions<\/a>, drawn by their quiet execution and reliable results. Earlier this year, attackers were caught using a similar technique, sending a malicious VBScript by phishing that ultimately delivered the popular Remcos RAT in memory on victim machines.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Security researchers have discovered an open-source remote access trojan, AsyncRAT, being delivered through a multi-stage, in-memory loader as adversaries move to fileless techniques. 
According to LevelBlue Labs\u2019 findings, attackers gained an initial foothold through a compromised ScreenConnect client and ran PowerShell scripts to fetch two staged payloads. \u201cThis technique exemplifies fileless malware: no executable is written to [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4816,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4815","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4815"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4815"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4815\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4816"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4815"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4815"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4815"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}