Cybercriminals Exploit ScreenConnect to Deploy AsyncRAT and PowerShell RAT

In recent developments, security researchers have identified a campaign in which attackers weaponize legitimate remote monitoring and management (RMM) software to gain a foothold on victim systems. Specifically, trojanized installers for ConnectWise ScreenConnect (the product marketed for several years as ConnectWise Control) deliver two payloads: the widely documented AsyncRAT and a custom PowerShell-based remote access trojan (RAT). The campaign relies on the trojanized installer rather than on a flaw in ScreenConnect itself; the legitimate product's name is the lure.

Emergence of the Threat

The initial signs of this activity surfaced in May 2025, when analysts detected anomalous ScreenConnect installers hosted on exposed file servers. Rather than embedding the malicious components, these installers used ClickOnce loaders that fetched them at runtime. The file a user downloads therefore contains little for signature-based scanners to match; the malicious logic only arrives after execution, which makes detection at download time considerably harder.

Detailed Infection Mechanism

The attack begins when a user downloads and executes a trojanized ScreenConnect client installer. On execution, the installer carries out the following steps:

1. Drops a VBS Loader: A Visual Basic Script (VBS) file named Ab.vbs is written to a publicly accessible folder, a location any local user can write to and that rarely attracts scrutiny.

2. Registers a Windows Shortcut: A shortcut file (Microsoft.lnk) is created that launches PowerShell with `-ExecutionPolicy Bypass -WindowStyle Hidden`. `Bypass` sidesteps the script execution policy (a guardrail against accidental execution, not a security boundary), and `Hidden` suppresses the console window so the user sees nothing of what follows.

3. Executes the PowerShell Script: The shortcut runs a script named Skype.ps1. The script carries base64-encoded payload segments and decodes them into either a .NET assembly or native shellcode, choosing the branch according to which security products it finds on the host.

4. Payload Deployment: If antivirus software such as TotalAV or Avast is detected, the script loads the decoded assembly directly in memory via `System.Reflection.Assembly.Load`, so no payload file touches disk. Otherwise it uses `Add-Type`, which compiles a C# P/Invoke declaration on the fly, to import the native injector DLL (libPK.dll) and calls the DLL's exported `Execute` function, which injects the payload into legitimate host processes.

5. Establishing Persistence: To retain access, the loader registers scheduled tasks named SystemInstallTask that run every 2 to 10 minutes. If the malicious process is terminated, the task re-launches the chain within minutes, so killing the process without removing the task does not clear the infection.

Infrastructure and Evasion Techniques

Further analysis revealed a consistent infrastructure pattern employed by the attackers:

– Use of Open Directories: The trojanized installers pull .zip archives from open directories under names such as logs.ldk, logs.idk and logs.idr, whose extensions do not reveal that they are ZIP archives. These archives unpack into the components of the kit: the dropper script (Ab.vbs or Ab.js), the PowerShell loader (Skype.ps1), the native injector DLL (libPK.dll) and the shortcut file (Microsoft.lnk).

– Dynamic File Rotation: Staging through open directories lets the attackers swap files and domains frequently, so hash- and domain-based indicators of compromise go stale quickly and blocklists lag behind. Detections keyed on behaviour (the PowerShell switches, the task name and cadence, in-memory loading) age better than those keyed on hashes.

– Modular Attack Framework: Modular scripts, scheduled tasks and two execution paths selected by the security product present on the host make up a multi-stage delivery framework. It blends abuse of legitimate RMM software with custom RAT payloads, giving the attackers durable access to compromised networks.
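Because the staging archives carry extensions such as .ldk and .idk rather than .zip, a useful triage step for captured downloads is to identify the file type from its leading bytes instead of its name, and then check whether the member list matches the kit enumerated above. The inspector below is an added example for this page, not tooling from the report; the archive it inspects is constructed inside the block with inert placeholder contents, and the member names it looks for are the ones listed above. It runs offline on bytes from any source (proxy capture, sandbox download, file server listing).

```python
"""Triage a captured staging file by content rather than name.

Constructed example: the sample archive is built here with placeholder data.
"""
import io
import zipfile

# Leading bytes of a ZIP container: first local file header, or the
# end-of-central-directory record of an empty archive.
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")
# Extensions under which a ZIP is expected; any other name is a mismatch worth a look.
EXPECTED_ZIP_EXTS = {"zip"}
# Base names of the dropper kit described above, compared case-insensitively.
KIT_MEMBERS = {"ab.vbs", "ab.js", "skype.ps1", "libpk.dll", "microsoft.lnk"}


def is_zip(data: bytes) -> bool:
    return data[:4] in ZIP_MAGICS


def extension(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def inspect_staging_file(name: str, data: bytes) -> dict:
    """Classify the file by magic bytes, note a name/type mismatch, fingerprint members."""
    result = {"name": name, "is_zip": is_zip(data), "disguised": False,
              "members": [], "kit_members": [], "verdict": "not_a_zip"}
    if not result["is_zip"]:
        return result
    result["disguised"] = extension(name) not in EXPECTED_ZIP_EXTS
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            result["members"] = [i.filename for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        # Starts like a ZIP but has no valid central directory: truncated or deliberately broken.
        result["verdict"] = "corrupt_zip"
        return result
    result["kit_members"] = sorted(
        m for m in result["members"] if m.rsplit("/", 1)[-1].lower() in KIT_MEMBERS
    )
    if len(result["kit_members"]) >= 2:       # assumption: two kit names together is enough to flag
        result["verdict"] = "staged_dropper_kit"
    elif result["disguised"]:
        result["verdict"] = "disguised_zip"
    else:
        result["verdict"] = "zip"
    return result


def build_sample_kit() -> bytes:
    """Constructed stand-in for a logs.ldk download; every member is an inert placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Ab.vbs", "' placeholder, not the real dropper\r\n")
        zf.writestr("Skype.ps1", "# placeholder, not the real loader\r\n")
        zf.writestr("libPK.dll", b"MZ" + b"\x00" * 62)   # DOS header stub only
        zf.writestr("Microsoft.lnk", b"L\x00\x00\x00")   # shell link header size field only
    return buf.getvalue()


if __name__ == "__main__":
    for fname, blob in (("logs.ldk", build_sample_kit()), ("logs.txt", b"plain text, not an archive")):
        print(inspect_staging_file(fname, blob))
```

The name/type mismatch alone is only a hint (plenty of legitimate formats are ZIP containers under other extensions), so the verdict is driven by the member fingerprint and the mismatch is reported alongside it for the analyst.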

Implications and Recommendations

The abuse of trusted software like ScreenConnect underscores how attackers adapt: a trojanized installer carrying the name of a legitimate product inherits the user's trust, and because the malicious components are fetched only at runtime, signature-based controls have little to match at the point of download.

To mitigate such threats, organizations are advised to:

– Verify Software Integrity: Download software only from the vendor's official channels. Before installing, check the installer's digital signature (it must be valid and issued to the vendor, not merely present) and compare the file hash with the one the vendor publishes.

– Implement Behavioral Analysis Tools: Prefer security tooling that flags behaviour, such as PowerShell started with `-ExecutionPolicy Bypass -WindowStyle Hidden` from a shortcut, in-memory assembly loading, or a scheduled task that repeats every few minutes, over tooling that relies on signatures alone. These behaviours persist across the file and domain rotation described above.

– Regularly Update and Patch Systems: Keep all software, RMM tools included, on current versions. Note that this campaign relies on a trojanized installer rather than on a ScreenConnect vulnerability, so patching alone does not stop it; it does close the other routes attackers use to reach the same hosts.

– Educate Employees: Run regular training on the risks of downloading and installing software, with emphasis on verifying the source and recognising phishing lures that point to installers hosted outside the vendor's own distribution channels.

– Monitor Network Traffic: Watch for unusual outbound connections, in particular endpoints retrieving archives from open directories, which may indicate payload staging or communication with command-and-control servers.

By adopting a proactive and layered security approach, organizations can better defend against sophisticated attacks that exploit legitimate software for malicious purposes.