- Phishing emails distribute a trojanized version of ScreenConnect, tricking victims into installing it and handing attackers remote access
- Once installed, the attackers deploy AsyncRAT, a remote access Trojan that logs keystrokes, steals credentials, and more
- AsyncRAT's stealthy nature and open-source availability make it a favorite among a wide range of threat actors
Criminals are using a trojanized version of a popular, legitimate remote access tool to deploy remote access Trojans (RATs) on target devices, researchers warn.
Earlier this week, security researchers from LevelBlue said they observed phishing emails distributing a trojanized variant of ConnectWise ScreenConnect, disguised as financial and other documents.
ConnectWise ScreenConnect is remote access and remote support software that lets IT teams, help desks and managed service providers (MSPs) perform remote management, hold remote meetings, or connect to unattended machines.
Fileless malware
It is also cross-platform, supporting desktop, mobile and browser-based connections. However, it is one of the most frequently abused legitimate programs, often observed in phishing campaigns and other attacks.
Victims who fall for the phishing emails and install ScreenConnect end up granting the criminals unrestricted access to their devices, which the attackers later use to stealthily deploy fileless malware called AsyncRAT.
In addition, this remote access Trojan lets threat actors log keystrokes, steal browser credentials, fingerprint the system, and hunt for cryptocurrency wallets and other wallet data, in particular in browser extensions.
“Fileless malware continues to pose a significant challenge to modern cybersecurity defenses because of its stealthy nature and its reliance on legitimate system tools for execution,” said LevelBlue. “Unlike traditional malware that writes payloads to disk, fileless threats operate in memory, which makes them harder to detect, analyze and eradicate.”
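The two observations above, a remote access client installed by a phished user and fileless payloads run through legitimate system tools, are both visible in ordinary process-creation telemetry. The following is an added example of a small hunting routine for that pattern; it is not code from the article or from LevelBlue. The telemetry records are constructed, and the trusted install prefixes, the "screenconnect" image-name token and the list of script hosts are assumptions chosen for illustration, not details from the report.

```python
"""Added example (not from the article or LevelBlue): flag remote-access
client activity consistent with the phishing pattern described above,
using constructed process-creation events."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str
    user: str


# Assumption: a client deployed by IT lives under Program Files. One that runs
# from a user-writable folder is consistent with a user having opened a
# "document" attached to a phishing email.
TRUSTED_INSTALL_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Assumption: the remote-access client's image name contains this token.
REMOTE_ACCESS_TOKEN = "screenconnect"

# Assumption: interpreters and loaders commonly used to execute a payload
# without writing it to disk (the "legitimate system tools" in the quote).
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "rundll32.exe", "regsvr32.exe",
}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_remote_access_client(ev: ProcessEvent) -> bool:
    return REMOTE_ACCESS_TOKEN in _basename(ev.image)


def find_suspicious(events: Iterable[ProcessEvent]) -> list[tuple[int, str]]:
    """Return (pid, reason) pairs for events matching either check:
    1. a remote-access client image running outside a trusted install path;
    2. a script host whose parent is a remote-access client process."""
    events = list(events)
    by_pid = {ev.pid: ev for ev in events}
    findings: list[tuple[int, str]] = []
    for ev in events:
        if is_remote_access_client(ev) and not ev.image.lower().startswith(TRUSTED_INSTALL_PREFIXES):
            findings.append((ev.pid, f"remote-access client running from untrusted path {ev.image}"))
        parent = by_pid.get(ev.ppid)
        if parent is not None and is_remote_access_client(parent) and _basename(ev.image) in SCRIPT_HOSTS:
            findings.append((ev.pid, f"{_basename(ev.image)} spawned by remote-access client pid {parent.pid}"))
    return findings


# Constructed sample telemetry (not real events). Paths and names are made up.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, "C:\\Windows\\explorer.exe", "explorer.exe", "corp\\alice"),
    # A user ran an installer dropped in Downloads: check 1 fires.
    ProcessEvent(200, 100, "C:\\Users\\alice\\Downloads\\ScreenConnect.ClientSetup.exe",
                 "ScreenConnect.ClientSetup.exe", "corp\\alice"),
    # That client then launched a script host: check 2 fires.
    ProcessEvent(300, 200, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe -nop -w hidden", "corp\\alice"),
    # An IT-deployed client under Program Files: not flagged by check 1.
    ProcessEvent(400, 1, "C:\\Program Files (x86)\\ScreenConnect Client (example)\\ScreenConnect.WindowsClient.exe",
                 "ScreenConnect.WindowsClient.exe", "nt authority\\system"),
    # A non-script child of the trusted client: not flagged.
    ProcessEvent(500, 400, "C:\\Windows\\System32\\notepad.exe", "notepad.exe", "corp\\bob"),
]


if __name__ == "__main__":
    for pid, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

Check 2 deliberately fires even for a client installed in a trusted location: a remote session launching PowerShell is worth a look regardless of how the client got there, and the trusted-path allowance only suppresses the installation-location finding.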
AsyncRAT is an open-source Trojan first observed in January 2019.
It is typically distributed through phishing emails or malicious attachments and has appeared in multi-stage infection chains, including campaigns targeting healthcare organizations.
Although the malware itself is not tied to a specific group, a wide range of cybercriminals and emerging threat actors have adopted it for remote exploitation.
Via The Hacker News