AsyncRAT Campaign Exploits DLL Sideloading and ScreenConnect

A sophisticated AsyncRAT malware campaign is leveraging DLL sideloading techniques alongside legitimate ScreenConnect remote access software to establish persistent, stealthy access to compromised systems. Attackers are exploiting trusted application processes to load malicious DLLs, evading traditional security controls while using ScreenConnect as both an initial access vector and a legitimate-looking persistence mechanism. Organizations should immediately audit ScreenConnect deployments, monitor for unsigned DLL loads, and implement application whitelisting to defend against this evolving threat.

Introduction

Security researchers have identified an advanced AsyncRAT distribution campaign that combines multiple sophisticated techniques to achieve covert system compromise. The campaign leverages DLL sideloading—a technique that exploits the Windows DLL search order to load malicious code through legitimate signed executables—in tandem with ScreenConnect, a popular remote desktop support tool.

This multi-stage attack chain demonstrates the continued evolution of commodity remote access trojans into enterprise-grade threats. By piggybacking on trusted processes and leveraging legitimate remote management tools, attackers can bypass endpoint detection systems, blend into normal network traffic, and maintain long-term access to compromised environments. The campaign represents a significant threat to organizations across all sectors, particularly those already using ScreenConnect for legitimate IT support functions.

Background & Context

AsyncRAT is an open-source remote access trojan first released in 2019 that has since become a favorite among cybercriminals due to its extensive capabilities and active development community. The malware provides attackers with comprehensive control over infected systems, including keylogging, credential theft, screen capture, file manipulation, and the ability to deploy additional payloads.

DLL sideloading has emerged as a preferred technique for sophisticated threat actors because it allows malicious code to execute within the context of legitimate, often signed applications. When Windows applications load, they search for required DLLs in a specific order. Attackers exploit this by placing malicious DLLs in locations that are checked before legitimate system directories, causing trusted executables to inadvertently load hostile code.

ScreenConnect, now branded as ConnectWise ScreenConnect, is a widely deployed remote support solution used by IT departments and managed service providers worldwide. Its legitimate presence in enterprise environments makes it an ideal tool for attackers seeking to hide in plain sight. Previous campaigns have exploited both vulnerabilities in ScreenConnect itself and the abuse of legitimate installations for post-compromise activity.

Technical Breakdown

The attack chain begins with initial compromise through various vectors, including phishing emails with malicious attachments, drive-by downloads, or exploitation of exposed ScreenConnect instances. In some observed cases, attackers gained access through compromised ScreenConnect installations that lacked proper authentication or were running outdated versions with known vulnerabilities.

Once initial access is established, the attackers deploy a carefully crafted DLL sideloading package consisting of three components:

  • A legitimate signed executable – Often a renamed version of legitimate software from trusted vendors
  • A malicious DLL – Crafted to match the name of a library the legitimate executable expects to load
  • An encrypted payload – The actual AsyncRAT binary, stored separately to avoid detection

The legitimate executable is launched, either through scheduled tasks, registry run keys, or startup folders. Due to the DLL search order, the application loads the malicious DLL from the same directory before checking system paths. This malicious DLL acts as a loader, decrypting and injecting the AsyncRAT payload into memory, often using process hollowing or similar techniques to avoid writing the final payload to disk.

Attack Flow:
  • Legitimate.exe (signed) launches
  • Loads malicious.dll from current directory
  • malicious.dll decrypts embedded payload
  • AsyncRAT injected into legitimate process memory
  • C2 communications established through ScreenConnect tunnel

The AsyncRAT payload establishes command and control communications, often proxying traffic through the legitimate ScreenConnect connection to mask malicious network activity. This creates a scenario where all external communications appear to be legitimate remote support traffic, making network-based detection extremely challenging.

The malware configures multiple persistence mechanisms, including:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
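
The persistence locations listed above are the natural starting point for a host triage: each Run-key value and scheduled task names a launcher, and the sideloading pattern described earlier puts the hostile DLL in that launcher's own directory. The following PowerShell is an added example, not code from the original article or from any vendor; it assumes it is run with administrative rights on the Windows host being examined, and the property names and thresholds are its own choices.

```powershell
# Added example, not code from the original article: walk the persistence locations
# named above (Run keys and scheduled tasks), resolve each launched executable, and
# flag DLLs sitting beside a *signed* launcher that are unsigned or carry a different
# publisher than the launcher itself.

function Get-PersistenceCommands {
    # Registry Run keys listed in the article
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    $metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $entry = Get-ItemProperty -Path $key
        foreach ($prop in $entry.PSObject.Properties) {
            if ($prop.Name -in $metaProps) { continue }   # provider metadata, not Run values
            [pscustomobject]@{ Source = "$key\$($prop.Name)"; Command = [string]$prop.Value }
        }
    }
    # Scheduled task actions (the third launch point named in the article)
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if ($action.Execute) {
                [pscustomobject]@{ Source = "Task:$($task.TaskPath)$($task.TaskName)"; Command = $action.Execute }
            }
        }
    }
}

function Resolve-LaunchedExe {
    param([string]$Command)
    if (-not $Command) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"([^"]+)"') { $path = $Matches[1] }            # "C:\Program Files\x\y.exe" args
    elseif ($cmd -match '^(\S+?\.exe)\b') { $path = $Matches[1] }   # C:\path\y.exe args
    else { return $null }
    if (Test-Path -LiteralPath $path -PathType Leaf) { return (Get-Item -LiteralPath $path).FullName }
    return $null
}

function Get-SideloadCandidates {
    foreach ($item in Get-PersistenceCommands) {
        $exe = Resolve-LaunchedExe -Command $item.Command
        if (-not $exe) { continue }
        $exeSig = Get-AuthenticodeSignature -FilePath $exe
        if ($exeSig.Status -ne 'Valid') { continue }   # only the signed-launcher pattern is of interest here
        $exeSigner = $exeSig.SignerCertificate.Subject
        $dir = Split-Path -Path $exe -Parent
        foreach ($dll in Get-ChildItem -LiteralPath $dir -Filter '*.dll' -File -ErrorAction SilentlyContinue) {
            $dllSig = Get-AuthenticodeSignature -FilePath $dll.FullName
            $dllSigner = if ($dllSig.SignerCertificate) { $dllSig.SignerCertificate.Subject } else { '<unsigned>' }
            if ($dllSig.Status -eq 'Valid' -and $dllSigner -eq $exeSigner) { continue }   # same publisher: skip
            [pscustomobject]@{
                Source     = $item.Source
                Executable = $exe
                ExeSigner  = $exeSigner
                Dll        = $dll.FullName
                DllStatus  = $dllSig.Status
                DllSigner  = $dllSigner
                Modified   = $dll.LastWriteTime
            }
        }
    }
}

Get-SideloadCandidates | Sort-Object Executable, Dll | Format-Table -AutoSize
```

The output is a triage list, not a verdict: many legitimate applications ship third-party libraries signed by a different publisher, or unsigned ones. Prioritise DLLs whose Modified time is recent, that sit in user-writable directories, or whose name matches a Windows system library (as in the sideloading pattern above).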

AsyncRAT’s modular architecture allows operators to deploy additional capabilities post-compromise, including cryptocurrency miners, information stealers, and ransomware payloads.

Impact & Risk Assessment

The impact of this campaign extends beyond typical malware infections due to the combination of persistence, stealth, and comprehensive system access provided by AsyncRAT. Organizations face multiple severe risks:

Data Exfiltration Risk: CRITICAL – AsyncRAT’s keylogging and screen capture capabilities enable theft of credentials, intellectual property, financial data, and sensitive communications. The malware can operate silently for extended periods, continuously harvesting information.

Lateral Movement Risk: HIGH – Compromised credentials and network visibility enable attackers to pivot to additional systems, potentially escalating to domain administrator access and widespread network compromise.

Ransomware Deployment Risk: HIGH – AsyncRAT serves as an ideal initial access mechanism for ransomware operators, providing the foothold needed to deploy file-encrypting payloads across entire networks.

Regulatory and Compliance Risk: HIGH – Unauthorized access to systems containing regulated data (PII, PHI, financial records) triggers breach notification requirements and potential penalties under GDPR, HIPAA, PCI-DSS, and other frameworks.

The use of legitimate tools like ScreenConnect significantly extends dwell time, with some incidents showing attackers maintaining access for months before detection. Financial services, healthcare, manufacturing, and managed service providers face particularly elevated risk given their high-value data and frequent use of remote access tools.

Vendor Response

ConnectWise has issued security advisories acknowledging the abuse of ScreenConnect in various attack campaigns. The vendor has released patches addressing recent authentication bypass and path traversal vulnerabilities (CVE-2024-1709, CVE-2024-1708) that may facilitate unauthorized access.

ConnectWise recommends that all users:

  • Update to the latest ScreenConnect version immediately
  • Implement strong authentication and multi-factor authentication
  • Restrict network access to ScreenConnect instances using IP whitelisting
  • Monitor access logs for suspicious activity
  • Review and remove unauthorized extensions or plugins

The vendor has also enhanced logging capabilities in recent releases to improve detection of abuse. However, ConnectWise emphasizes that legitimate installations being used by attackers post-compromise is outside the scope of product vulnerabilities, placing the detection burden on security teams.

Microsoft has updated Windows Defender signatures to detect known AsyncRAT variants, though the modular and frequently updated nature of the malware enables operators to quickly bypass signature-based detection.

Mitigations & Workarounds

Organizations should implement multiple layers of defense to protect against this campaign:

Immediate Actions:

  • Audit ScreenConnect deployments – Identify all instances, verify they are updated, and confirm all sessions are authorized
  • Enable application whitelisting – Use Windows Defender Application Control or AppLocker to restrict DLL loading to trusted locations
  • Disable ScreenConnect if unused – Remove or disable installations that are not actively required

Configuration Hardening:

Enable DLL Safe Search Mode so that the current working directory is searched after the system directories rather than before them:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"SafeDllSearchMode"=dword:00000001

Block DLL loads from an untrusted current working directory (value 2 refuses loads when the current directory is a WebDAV share):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"CWDIllegalInDllSearch"=dword:00000002

Both settings govern only the current working directory; the directory the executable was launched from is always searched first, so a DLL planted beside a signed launcher (the pattern described above) must be addressed with application control and the monitoring described below.

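A quick way to verify the two settings above on a host, as an added example that is not part of the original article: the function reads both values from the Session Manager key and reports whether each is in its hardened state, treating an absent SafeDllSearchMode as the Windows default (enabled) and an absent CWDIllegalInDllSearch as not enforced. The output field names and the suggested Fix commands are this example's own.

```powershell
# Added example, not code from the original article: report whether the two
# DLL search-path registry settings are in place on this host.

function Test-DllSearchHardening {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $props = Get-ItemProperty -Path $key
    $safe  = $props.SafeDllSearchMode        # $null when the value does not exist
    $cwd   = $props.CWDIllegalInDllSearch    # $null when the value does not exist

    # SafeDllSearchMode: absent means the default, which is enabled
    $safeCurrent = if ($null -eq $safe) { '<absent: default, enabled>' } else { "$safe" }
    [pscustomobject]@{
        Setting  = 'SafeDllSearchMode'
        Current  = $safeCurrent
        Hardened = ($null -eq $safe) -or ($safe -eq 1)
        Fix      = "Set-ItemProperty -Path '$key' -Name SafeDllSearchMode -Value 1 -Type DWord"
    }

    # CWDIllegalInDllSearch: absent or 0 means no current-directory restriction;
    # 2 blocks WebDAV current directories, 0xFFFFFFFF blocks the current directory entirely
    $cwdCurrent = if ($null -eq $cwd) { '<absent: not enforced>' } else { '0x{0:X8}' -f $cwd }
    [pscustomobject]@{
        Setting  = 'CWDIllegalInDllSearch'
        Current  = $cwdCurrent
        Hardened = ($null -ne $cwd) -and ($cwd -ne 0)
        Fix      = "Set-ItemProperty -Path '$key' -Name CWDIllegalInDllSearch -Value 2 -Type DWord"
    }
}

Test-DllSearchHardening | Format-List
```

Run it before and after pushing the registry change through Group Policy or a configuration management tool; the Fix column is intentionally emitted as text rather than executed, so the report can be reviewed first.
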
ScreenConnect Specific:

  • Enable IP restrictions to limit access to known trusted sources
  • Implement certificate pinning for ScreenConnect connections
  • Disable relay connections if direct connections are possible
  • Configure session recording for audit purposes
  • Require approval for all file transfers

Detection & Monitoring

Effective detection requires both host and network-based monitoring focused on the specific techniques used in this campaign.

Endpoint Detection Strategies:

Monitor for unsigned or suspicious DLLs loaded by signed executables using Sysmon Event ID 7 (Image Loaded). A minimal Sysmon configuration that records every unsigned image load (set schemaversion to match the installed Sysmon build):

<Sysmon schemaversion="4.82">
  <EventFiltering>
    <ImageLoad onmatch="include">
      <Signed condition="is">false</Signed>
    </ImageLoad>
  </EventFiltering>
</Sysmon>

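Collecting the events is half the job; the other half is picking out the loads that match the campaign's pattern, an unsigned DLL loaded from the same directory as the process image. The PowerShell below is an added example, not code from the original article or from Sysmon's authors. The three events are constructed sample data written in the Sysmon event XML shape (field names UtcTime, Image, ImageLoaded and Signed are real Sysmon Event ID 7 fields; the paths are invented), and the final function reads live events from the Sysmon operational log instead.

```powershell
# Added example, not code from the original article: parse Sysmon Event ID 7 records and
# flag an unsigned DLL loaded from the same directory as the process that loaded it.

# Constructed sample events (not real telemetry): a signed system load, a sideload
# candidate in a user-writable directory, and an unsigned plug-in in a subdirectory.
$SampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>7</EventID></System>
  <EventData>
    <Data Name="UtcTime">2024-06-01 09:14:02.115</Data>
    <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
    <Data Name="ImageLoaded">C:\Windows\System32\version.dll</Data>
    <Data Name="Signed">true</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>7</EventID></System>
  <EventData>
    <Data Name="UtcTime">2024-06-01 09:15:40.902</Data>
    <Data Name="Image">C:\Users\Public\Libraries\updater.exe</Data>
    <Data Name="ImageLoaded">C:\Users\Public\Libraries\version.dll</Data>
    <Data Name="Signed">false</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>7</EventID></System>
  <EventData>
    <Data Name="UtcTime">2024-06-01 09:16:03.010</Data>
    <Data Name="Image">C:\Program Files\Vendor\app.exe</Data>
    <Data Name="ImageLoaded">C:\Program Files\Vendor\plugins\helper.dll</Data>
    <Data Name="Signed">false</Data>
  </EventData>
</Event>
'@
)

function ConvertFrom-SysmonImageLoad {
    # Turn one event's XML into an object with a property per <Data Name="..."> field
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $doc = [xml]$EventXml
        $fields = @{}
        foreach ($d in $doc.Event.EventData.Data) { $fields[$d.GetAttribute('Name')] = $d.'#text' }
        [pscustomobject]$fields
    }
}

function Get-ParentDirectory([string]$Path) {
    # Regex rather than Split-Path so the comparison behaves the same on any PowerShell host
    if ($Path -match '^(.*)\\[^\\]+$') { return $Matches[1].ToLowerInvariant() }
    return ''
}

function Find-SideloadPattern {
    param([Parameter(Mandatory, ValueFromPipeline)]$Load)
    process {
        if ($Load.ImageLoaded -notlike '*.dll') { return }
        if ($Load.Signed -ne 'false') { return }            # signed loads are out of scope here
        $procDir = Get-ParentDirectory $Load.Image
        $dllDir  = Get-ParentDirectory $Load.ImageLoaded
        if ($procDir -ne $dllDir) { return }                # the DLL must sit beside the executable
        # User-writable locations raise the priority; the registry hunt below uses the same names
        $writable = $dllDir -match '\\(users|programdata|temp|public|appdata)\\'
        $priority = if ($writable) { 'High' } else { 'Medium' }
        [pscustomobject]@{
            UtcTime  = $Load.UtcTime
            Process  = $Load.Image
            Dll      = $Load.ImageLoaded
            Writable = [bool]$writable
            Priority = $priority
        }
    }
}

# Offline run over the constructed sample: only the second event is reported
$SampleEvents | ConvertFrom-SysmonImageLoad | Find-SideloadPattern | Format-Table -AutoSize

function Find-LiveSideloadPattern {
    # Same logic over the real Sysmon log; requires the ImageLoad rule above to be active
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } -MaxEvents $MaxEvents |
        ForEach-Object { $_.ToXml() } | ConvertFrom-SysmonImageLoad | Find-SideloadPattern
}
```

The same-directory test is what separates this from a generic "unsigned DLL" alert: unsigned libraries are common, but an unsigned DLL next to a signed launcher, especially under Users or ProgramData, is the specific shape of the loader stage described in the technical breakdown and is worth an analyst's time.
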
Search for AsyncRAT indicators in scheduled tasks:

# Lists every task whose action launches an .exe; review the Execute path for
# user-writable locations or renamed copies of known signed binaries
Get-ScheduledTask | Where-Object { $_.Actions.Execute -match '\.exe' } |
    Select-Object TaskName, TaskPath, @{ Name = 'Execute'; Expression = { $_.Actions.Execute } }

Monitor for suspicious registry persistence:

# Run-key entries (both hives named above) whose command points into user-writable locations
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                       'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' |
    Where-Object { $_.PSObject.Properties.Value -match 'appdata|temp|public' }

Network Detection:

Monitor for ScreenConnect connections to unexpected destinations, unusual connection durations, or traffic volumes inconsistent with typical support activities. Look for encrypted traffic on non-standard ports that might indicate AsyncRAT C2 communications tunneled through ScreenConnect.

Implement hunting queries for known AsyncRAT network indicators:

  • Connections to paste sites (Pastebin, GitHub) for configuration retrieval
  • DNS requests to dynamic DNS services
  • Beaconing patterns consistent with RAT check-ins
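
The beaconing indicator in the last bullet can be turned into a repeatable check. The PowerShell below is an added example, not code from the original article: it groups connection records by source, destination and port, measures how regular the gaps between connections are (coefficient of variation of the inter-arrival times), and flags flows that check in at near-constant intervals. The CSV is constructed sample data using TEST-NET addresses; real proxy or firewall exports with the same columns can be fed to the function directly. The column names, the minimum connection count and the jitter threshold are this example's own assumptions.

```powershell
# Added example, not code from the original article: score network flows for the
# regular check-in pattern typical of RAT beaconing.

# Constructed sample data (not real traffic): one host talking to a regular ~60 s
# beacon endpoint and to an ordinary web host with irregular, bursty connections.
$SampleConnections = @'
timestamp,src,dst,dport,bytes
2024-06-01T09:00:00Z,10.20.1.45,203.0.113.7,443,1248
2024-06-01T09:01:01Z,10.20.1.45,203.0.113.7,443,1252
2024-06-01T09:02:00Z,10.20.1.45,203.0.113.7,443,1248
2024-06-01T09:03:02Z,10.20.1.45,203.0.113.7,443,1250
2024-06-01T09:03:59Z,10.20.1.45,203.0.113.7,443,1248
2024-06-01T09:05:00Z,10.20.1.45,203.0.113.7,443,1249
2024-06-01T09:06:01Z,10.20.1.45,203.0.113.7,443,1248
2024-06-01T09:07:00Z,10.20.1.45,203.0.113.7,443,1251
2024-06-01T09:00:12Z,10.20.1.45,198.51.100.20,443,53220
2024-06-01T09:00:19Z,10.20.1.45,198.51.100.20,443,8811
2024-06-01T09:02:47Z,10.20.1.45,198.51.100.20,443,120443
2024-06-01T09:08:05Z,10.20.1.45,198.51.100.20,443,2290
2024-06-01T09:21:30Z,10.20.1.45,198.51.100.20,443,67003
2024-06-01T09:22:11Z,10.20.1.45,198.51.100.20,443,4021
'@ | ConvertFrom-Csv

function Get-BeaconCandidates {
    param(
        [Parameter(Mandatory)]$Connections,   # objects with timestamp, src, dst, dport columns
        [int]$MinConnections = 6,             # fewer samples than this give no usable interval statistics
        [double]$MaxJitter = 0.2              # coefficient of variation below which intervals count as regular
    )
    $Connections | Group-Object src, dst, dport | ForEach-Object {
        $group = $_
        if ($group.Count -lt $MinConnections) { return }

        # Sorted timestamps and the gaps between consecutive connections, in seconds
        $times = $group.Group | ForEach-Object { [datetime]$_.timestamp } | Sort-Object
        $intervals = for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds }

        # Coefficient of variation: standard deviation relative to the mean interval
        $mean = ($intervals | Measure-Object -Average).Average
        $var  = ($intervals | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Average).Average
        $cv   = if ($mean -gt 0) { [math]::Sqrt($var) / $mean } else { [double]::PositiveInfinity }

        [pscustomobject]@{
            Flow            = $group.Name
            Connections     = $group.Count
            MeanIntervalSec = [math]::Round($mean, 1)
            Jitter          = [math]::Round($cv, 3)
            Beaconing       = ($cv -le $MaxJitter)
        }
    }
}

# With the sample data only the 203.0.113.7 flow is reported as beaconing
Get-BeaconCandidates -Connections $SampleConnections | Format-Table -AutoSize
```

Tune MinConnections and MaxJitter against a baseline of the environment's own ScreenConnect traffic, as the Best Practices section recommends; a relay session itself is long-lived rather than periodic, so this check complements, rather than replaces, the duration and volume anomalies described above.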

Best Practices

Organizations should adopt comprehensive security practices to defend against sophisticated RAT campaigns:

Architectural Controls:

  • Implement network segmentation to limit lateral movement
  • Deploy endpoint detection and response (EDR) solutions with behavioral analysis
  • Use network traffic analysis tools to identify anomalous patterns
  • Maintain comprehensive logging with sufficient retention periods

Access Management:

  • Enforce principle of least privilege across all systems
  • Require multi-factor authentication for remote access tools
  • Implement privileged access management for administrative accounts
  • Conduct regular access reviews for remote support tools

Security Operations:

  • Establish baseline behavior for legitimate ScreenConnect usage
  • Conduct regular threat hunting exercises focused on living-off-the-land techniques
  • Maintain up-to-date threat intelligence on AsyncRAT indicators
  • Test incident response procedures specific to RAT compromises

Vendor Management:

  • Maintain asset inventory including all remote access tools
  • Establish patch management procedures with defined SLAs
  • Review security configurations after vendor updates
  • Monitor vendor security advisories and threat reports

User Awareness:

  • Train users to recognize phishing attempts that may initiate infection chains
  • Establish procedures for verifying unexpected remote access requests
  • Encourage reporting of suspicious system behavior
  • Conduct regular security awareness assessments

Key Takeaways

  • AsyncRAT campaigns are leveraging DLL sideloading to achieve stealthy execution through legitimate signed executables, bypassing many traditional security controls
  • Abuse of legitimate remote access tools like ScreenConnect allows attackers to blend malicious activity with normal IT operations, significantly extending detection time
  • The combination of multiple advanced techniques creates a formidable threat requiring layered defenses across endpoint, network, and identity security domains
  • Organizations using ScreenConnect face elevated risk and should immediately verify deployment security, update to latest versions, and enhance monitoring
  • DLL sideloading detection requires specific monitoring configurations including Sysmon deployment and behavioral analysis capabilities
  • Effective defense requires moving beyond signature-based detection to behavioral analytics, application whitelisting, and comprehensive visibility across the attack surface
  • Incident response plans should specifically address scenarios where legitimate administrative tools are weaponized by attackers

Stay updated at https://cydhaal.com — Your Daily Dose of Cyber Intelligence.