DEV Community

Mark0

The SOC Files: ScreenConnect masked as freeware. An inside look at a large-scale campaign

This technical investigation explores a large-scale campaign in which threat actors use the legitimate ScreenConnect remote management tool to deploy the AsyncRAT trojan. The attack begins with SEO poisoning: victims searching for popular freeware such as OBS Studio or DNS Jumper are directed to spoofed websites hosting malicious ZIP archives. These archives use DLL sideloading through a signed Microsoft binary to silently install ScreenConnect, which then acts as a foothold for the later infection stages.

Technically, the infection chain involves multiple layers of obfuscated PowerShell and VBScripts that disable Microsoft Defender and User Account Control before reflectively loading the final AsyncRAT payload into the address space of a hollowed RegAsm.exe process. The research identifies an extensive infrastructure involving over 90 localized domains across 10 languages and multiple IP clusters, indicating a globally distributed operation designed for persistent unauthorized access and potential credential theft.
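The chain summarised above gives a defender several correlation points. As an added example (not code from the article or its author), the Python below runs three simple rules over constructed Sysmon-style process-creation records: a script host spawned by the ScreenConnect client, Defender or UAC tampering in a command line, and RegAsm.exe started by a script host with no assembly to register (a process-hollowing candidate). The field names, sample events and rule names are assumptions.

```python
import re

# Assumed process names / command-line patterns for the stages the summary describes.
SCREENCONNECT = re.compile(r"screenconnect\.(clientservice|windowsclient)\.exe$", re.I)
SCRIPT_HOSTS = re.compile(r"\\(powershell|pwsh|wscript|cscript|cmd|mshta)\.exe$", re.I)
DEFENDER_TAMPER = re.compile(r"(Set|Add)-MpPreference\s+-(Disable\w+|Exclusion\w+)", re.I)
UAC_TAMPER = re.compile(r"(EnableLUA|ConsentPromptBehaviorAdmin)\b.*/d\s+0\b", re.I)
REGASM = re.compile(r"\\regasm\.exe$", re.I)
ASSEMBLY_ARG = re.compile(r"\.(dll|exe)\b", re.I)

# Constructed Sysmon-like process-creation events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    {"pid": 1, "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": ""},
    {"pid": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "cmdline": "powershell -ep bypass -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"pid": 3, "image": r"C:\Windows\System32\reg.exe", "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"pid": 4, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "RegAsm.exe"},
    {"pid": 5, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]


def analyze(events):
    """Return (pid, rule) pairs for events that match a stage of the described chain."""
    hits = []
    for ev in events:
        image, parent, cmd = ev["image"], ev["parent_image"], ev["cmdline"]
        # Stage 1: a script host started by the ScreenConnect client (operator pushing scripts).
        if SCREENCONNECT.search(parent) and SCRIPT_HOSTS.search(image):
            hits.append((ev["pid"], "screenconnect_spawns_script"))
        # Stage 2: Defender or UAC tampering in the command line, regardless of parent.
        if DEFENDER_TAMPER.search(cmd):
            hits.append((ev["pid"], "defender_tamper"))
        if UAC_TAMPER.search(cmd):
            hits.append((ev["pid"], "uac_tamper"))
        # Stage 3: RegAsm.exe launched by a script host with no assembly argument -> hollowing candidate.
        if REGASM.search(image) and SCRIPT_HOSTS.search(parent):
            parts = cmd.split(None, 1)
            args = parts[1] if len(parts) > 1 else ""
            if not ASSEMBLY_ARG.search(args):
                hits.append((ev["pid"], "regasm_hollowing_candidate"))
    return hits


if __name__ == "__main__":
    for pid, rule in analyze(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

A legitimate `RegAsm.exe some.dll /codebase` invocation carries an assembly path and is not flagged by the third rule, which is what keeps it from firing on ordinary .NET installs.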
