Hackers Use ScreenConnect to Deploy AsyncRAT via Fake Software Sites
Unknown threat actors are leveraging the ScreenConnect remote access tool to deploy and execute AsyncRAT. Kaspersky reported that this activity is part of a "massive, multi-domain, multi-language" campaign that distributes malicious installer archives hosted on spoofed websites. These installers are designed to mimic popular software such as OBS Studio, DNS Jumper, DS4Windows, and Bandicam, among others, to trick users into downloading and executing the malware.
The campaign targets users seeking legitimate software by creating fake websites that appear authentic. When a user downloads and runs an installer from one of these spoofed sites, it not only installs the intended software but also executes the AsyncRAT payload. ScreenConnect, a legitimate remote access tool, is abused by these actors to gain initial access and maintain persistence on compromised systems. It gives them a remote control channel to the infected machine, which they can use to steal data or deploy further malicious payloads.
Kaspersky's analysis indicates a broad scope for this campaign, affecting multiple domains and languages, suggesting a widespread and coordinated effort. The use of ScreenConnect in this manner highlights a growing trend of attackers repurposing legitimate tools for malicious purposes, making detection more challenging. The attackers are effectively poisoning search engine results for popular software, directing unsuspecting users to their malicious infrastructure. The ultimate goal appears to be the widespread compromise of user systems for various nefarious activities, including data theft and espionage.
Original source: read the full reporting at the publisher, The Hacker News.