Stealthy AsyncRAT flees the disk for a fileless infection

Published 2025-09-12 at https://newestek.com/?p=14782

Security researchers have discovered an open-source remote access trojan, AsyncRAT, being delivered through a multi-stage, in-memory loader as adversaries move to fileless techniques.

According to LevelBlue Labs' findings, attackers gained an initial foothold through a compromised ScreenConnect client and ran PowerShell scripts to fetch two staged payloads.

"This technique exemplifies fileless malware (https://www.csoonline.com/article/562983/what-is-a-fileless-attack-how-hackers-invade-systems-without-installing-software.html): no executable is written to disk, and all malicious logic is executed in-memory," Sean Shirley, a network security engineer at LevelBlue, explained in a blog post. "The approach bypasses traditional disk-based detection by operating in memory, making these threats harder to detect, analyze, and eradicate."

The analysis revealed a minimalist fileless attack that relies on trusted admin tooling, tiny bootstrap scripts, and .NET loaders, designed to evade signature-based detection (https://www.csoonline.com/article/560639/is-signature-and-rule-based-intrusion-detection-sufficient.html) while delivering full remote control capability.

Legitimate tools abused for fileless staging

LevelBlue's timeline ties the initial compromise to a ConnectWise ScreenConnect deployment used as a relay/C2 endpoint.

"The threat actor initiated an interactive session through relay.shipperzone[.]online, a known malicious domain linked to unauthorized ScreenConnect deployments," Shirley noted (https://levelblue.com/blogs/security-essentials/asyncrat-in-action-fileless-malware-techniques-and-analysis-of-a-remote-access-trojan). "From this session, a VBScript (Update.vbs) was executed using WScript, triggering a PowerShell command designed to fetch two external payloads."

Rather than dropping heavy binaries, the operators used small, seemingly harmless code, a VBScript that launches PowerShell commands, to fetch and assemble two staged .NET payloads in memory. The first-stage assembly acts as an obfuscator/loader: it converts the downloaded content into byte arrays and uses reflection to invoke the secondary assembly's Main() directly.

This keeps the filesystem clean and leaves antivirus scanners looking for the wrong signals.

RAT with evasion and persistence

Once AsyncRAT was loaded, the attackers took steps to disrupt Windows defenses. The report notes techniques such as disabling the Antimalware Scan Interface (AMSI) and tampering with Event Tracing for Windows (ETW), both critical features for runtime detection. To maintain persistence, they created a scheduled task disguised as "Skype Update," ensuring the RAT would restart after reboots.

LevelBlue's analysis also uncovered AsyncRAT's encrypted configuration file, secured with AES-256, which contained instructions to connect back to a DuckDNS-based command and control (C2) server. The C2 communication used custom packet formats over TCP, a method typically chosen for flexibility and evasion.

AsyncRAT grants operators access to powerful features: keystroke logging, browser credential theft, clipboard monitoring, and system surveillance. LevelBlue published a list of indicators of compromise (IoCs) for defenders to add to their scanners. Additional general best practices include blocking the malicious domains, hunting for PowerShell one-liners and in-memory .NET reflective loads, monitoring for AMSI/ETW tampering, and alerting on suspicious scheduled task creation.

Threat actors are increasingly leaning toward fileless intrusions (https://www.csoonline.com/article/643356/fileless-attacks-surge-as-cybercriminals-evade-cloud-security-defenses.html), drawn by their quiet execution and reliable results. Earlier this year, attackers were caught using a similar technique: a phishing campaign delivered a malicious VBScript that ultimately loaded the popular Remcos RAT in memory on victim machines.