Hackers Deploy AsyncRAT and SectopRAT Using ScreenConnect Software on Windows
Summary:
Cybercriminals are increasingly combining traditional and new tactics to steal sensitive information, using remote access tools (RATs) like AsyncRAT and SectopRAT. Recent trends show attackers exploiting SEO poisoning, typosquatting, and legitimate remote monitoring software to breach systems. Notably, Microsoft has reported cybercriminals using ScreenConnect, a legitimate tool, in an unprecedented way. Traditionally used for persistence or lateral movement, ScreenConnect is now being leveraged to deploy AsyncRAT, the first known instance of this approach. This tactic is linked to tech support scams, where victims are tricked into granting remote access under the guise of troubleshooting. Once granted, attackers use ScreenConnect to install AsyncRAT, enabling data theft, system surveillance, and command execution.
Another tactic observed in recent months is the use of SectopRAT, an information-stealing malware deployed through methods like SEO poisoning and typosquatting, which enable attackers to deceive victims into visiting malicious websites unintentionally. SectopRAT targets sensitive browser data and cryptocurrency wallets, making it appealing to financially motivated attackers. Notably, it can create a hidden second desktop on the compromised system, allowing attackers to operate unnoticed while extracting data or deploying additional payloads.
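Typosquatting works because a lookalike domain differs from the brand it imitates by only a character or two, or embeds the brand name inside a longer label. The following is an added example, not code from the advisory or from any vendor cited in it, that scans constructed proxy log lines for domains that are within a small edit distance of an approved brand domain or that embed its second-level label. The log format, the brand list and the two-label registrable-domain rule are assumptions for illustration.

```python
"""Added example: flag lookalike (typosquat) domains in constructed proxy logs.

Assumptions (not from the advisory): log lines are "<timestamp> <client_ip> <host> <status>",
the brand list is a constructed allowlist, and the registrable domain is taken as the
last two labels (real deployments should use a public-suffix list instead).
"""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Assumption: the registrable domain is the last two DNS labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(domain: str, brands: set[str], max_distance: int = 2):
    """Return (domain, brand, rule, distance) if the domain looks like a brand, else None."""
    if domain in brands:
        return None  # the genuine brand domain is never a lookalike
    sld = domain.split(".")[0]
    for brand in sorted(brands):
        brand_sld = brand.split(".")[0]
        distance = levenshtein(domain, brand)
        if distance <= max_distance:
            return (domain, brand, "edit-distance", distance)
        if brand_sld in sld and sld != brand_sld:
            return (domain, brand, "brand-embedded", distance)
    return None


def find_lookalikes(log_lines, brands: set[str], max_distance: int = 2):
    """Scan proxy log lines once per distinct registrable domain and collect lookalike hits."""
    hits, seen = [], set()
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash
        domain = registrable_domain(parts[2])
        if domain in seen:
            continue
        seen.add(domain)
        result = classify(domain, brands, max_distance)
        if result:
            hits.append(result)
    return hits


# Constructed sample data: one brand and five proxy log lines.
BRANDS = {"example-bank.com"}
SAMPLE_LOG = [
    "2025-01-15T10:02:11Z 10.0.0.12 www.example-bank.com 200",
    "2025-01-15T10:02:45Z 10.0.0.12 www.exanple-bank.com 200",
    "2025-01-15T10:03:02Z 10.0.0.18 example-bank-login.net 200",
    "2025-01-15T10:03:30Z 10.0.0.18 cdn.example-bank.co 200",
    "2025-01-15T10:04:00Z 10.0.0.20 docs.python.org 200",
]

if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_LOG, BRANDS):
        print(f"lookalike: {hit[0]} ~ {hit[1]} ({hit[2]}, distance {hit[3]})")
```

In the sample, the genuine domain and the unrelated one are ignored, the single-substitution and dropped-TLD-letter variants trip the edit-distance rule, and the keyword-stuffed domain trips the embedded-brand rule. Tune `max_distance` to the length of the brand names you protect; a distance of 2 against a very short brand will over-match.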
Security Officer Comments:
The use of tactics like exploiting RMM tools, SEO poisoning, and typosquatting highlights the growing sophistication of cybercriminals. By leveraging legitimate tools like ScreenConnect, which is widely used by organizations globally, attackers can bypass defenses and carry out malicious operations with little room for detection. While SEO poisoning and typosquatting are not novel, their continued effectiveness highlights the need for organizations and individuals to remain proactive and well-informed in defending against such threats.
Suggested Corrections:
Organizations should employ robust endpoint protection, regularly update and patch systems, especially RMM tools, and use web filtering to block access to known malicious sites. Employees should also be trained to recognize phishing attempts and tech support scams, and to verify remote access requests through secure channels. Additionally, it's important to restrict and monitor RMM tool access, conduct frequent security audits, and maintain secure data backups to minimize the impact of potential attacks.
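Restricting and monitoring RMM tool access can be turned into two concrete detection rules: the RMM client appearing on a host where it is not approved, and the RMM client spawning a command interpreter, which a routine support session rarely needs. The following is an added example, not code from the advisory, Microsoft or ConnectWise, that applies both rules to constructed process-creation events. The ScreenConnect client executable names, the approved-host list, the sample hostnames and the event field names are assumptions for illustration.

```python
"""Added example: two detection rules for RMM-tool abuse over constructed process events.

Assumptions (not from the advisory): event dicts carry host/image/parent_image/cmdline,
the ScreenConnect client image names below, and an approved-host allowlist.
"""
import ntpath

# Assumed ScreenConnect client executable names (lowercase for matching).
RMM_CLIENT_IMAGES = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
# Constructed allowlist: hosts where the help desk is permitted to run the RMM client.
APPROVED_RMM_HOSTS = {"helpdesk-01"}
# Interpreters/LOLBins a legitimate support session rarely needs to launch.
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def basename(path: str) -> str:
    """Lowercase file name from a Windows or POSIX path (ntpath handles both separators)."""
    return ntpath.basename(path).lower()


def analyze(events, approved_hosts=APPROVED_RMM_HOSTS):
    """Return one alert dict per event that matches either detection rule."""
    alerts = []
    for ev in events:
        image, parent = basename(ev["image"]), basename(ev.get("parent_image", ""))
        host = ev["host"].lower()
        if image in RMM_CLIENT_IMAGES and host not in approved_hosts:
            alerts.append({"host": host, "rule": "rmm_client_on_unapproved_host",
                           "image": image, "parent": parent})
        if parent in RMM_CLIENT_IMAGES and image in INTERPRETERS:
            alerts.append({"host": host, "rule": "rmm_spawned_interpreter",
                           "image": image, "parent": parent,
                           "cmdline": ev.get("cmdline", "")})
    return alerts


# Constructed sample events; paths and hostnames are illustrative only.
SC_CLIENT = r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"
SAMPLE_EVENTS = [
    # 1. Approved help-desk host running the client: benign.
    {"host": "helpdesk-01", "image": SC_CLIENT,
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": ""},
    # 2. Same client on a finance workstation that is not approved for RMM: alert.
    {"host": "finance-pc-07", "image": SC_CLIENT,
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": ""},
    # 3. The client on that workstation launches a hidden PowerShell: alert.
    {"host": "finance-pc-07",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": SC_CLIENT,
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <base64-placeholder>"},
    # 4. The client opens Notepad for the user: no rule matches.
    {"host": "finance-pc-07", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": SC_CLIENT, "cmdline": "notepad.exe"},
    # 5. Even on the approved host, the client spawning cmd.exe is worth a look: alert.
    {"host": "helpdesk-01", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": SC_CLIENT, "cmdline": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] host={alert['host']} image={alert['image']} parent={alert['parent']}")
```

The first rule is the "restrict" half of the recommendation and needs an accurate inventory of where RMM clients are allowed; the second is the "monitor" half and fires regardless of host, because an approved client driven by a scammer looks exactly like an approved client driven by the help desk until it starts launching interpreters. Feed the same fields from Sysmon Event ID 1 or Windows Security 4688 telemetry and the logic is unchanged.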
Link(s):
https://cybersecuritynews.com/hackers-deploy-malware-using-screenconnect-software-on-windows/
https://thecyberwire.com/podcasts/microsoft-threat-intelligence/33/notes