AsyncRAT in Action: Fileless Malware Techniques and Analysis of a Remote Access Trojan

Fileless malware continues to evade modern defenses due to its stealthy nature and reliance on legitimate system tools for execution. This approach bypasses traditional disk-based detection by operating in memory, making these threats harder to detect, analyze, and eradicate. A recent incident culminated in the deployment of AsyncRAT, a powerful Remote Access Trojan (RAT), through a multi-stage fileless loader. In this blog, we share some of the key takeaways from this investigation. For an in-depth analysis and full list of identified indicators of compromise (IOCs), download the full report here.

Initial Access via ScreenConnect

The attack began with a compromised ScreenConnect client, a legitimate remote access tool. The threat actor initiated an interactive session through relay.shipperzone[.]online, a known malicious domain linked to unauthorized ScreenConnect deployments. From this session, a VBScript (Update.vbs) was executed using WScript, triggering a PowerShell command designed to fetch two external payloads.
The two payloads, logs.ldk and logs.ldr, were downloaded from a remote server. These files were written to the C:\Users\Public\ directory and loaded into memory using reflection. The script converted the first-stage payload (logs.ldk) into a byte array and passed the second (logs.ldr) directly to the Main() method. In short, the script retrieved encoded data from the web, decoded it in memory, and invoked a method in a dynamically loaded .NET assembly.

This technique exemplifies fileless malware: no executable is written to disk, and all malicious logic is executed in-memory.

Stage 1: Obfuscator.dll – Payload Launcher and Evasion Utility

Next, the LevelBlue team used dnSpy to analyze the .NET assembly. The first file they examined, Obfuscator.dll, is the launcher for the malicious functionality in the AsyncRAT-based infection chain: the first in-memory stage, responsible for initiating execution flow, deploying evasion tactics, and invoking the core payload components. It contains three core classes:

  • Class A: Entry point for the DLL, responsible for initializing the runtime environment.
  • Class Core: Sets up persistence using a scheduled task disguised as “Skype Updater” and dynamically loads and executes additional payloads.
  • Class Tafce5: Implements anti-analysis techniques, including:
    • PatchAMSI() and PatchETW(): Disable Windows security logging and script scanning.
    • Dynamic API resolution: Uses GetProcAddress() and GetModuleHandle() to evade static analysis.

This modular design allows the malware to disable defenses, maintain stealth, and prepare the environment for the main payload.
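A defender-side illustration of the initial-access chain (ScreenConnect client spawning WScript, which spawns PowerShell that stages logs.ldk/logs.ldr under C:\Users\Public) and of the “Skype Updater” scheduled task used for persistence: this is an added Python example, not code from the report or from LevelBlue, that runs process-tree heuristics over constructed telemetry. The image paths, command-line shapes and event layout are assumptions about how EDR process-creation events look, not indicators from the report.

```python
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

# Heuristics for the chain described above. Image paths and command-line shapes are
# assumptions about EDR process telemetry, not report IOCs.
SCREENCONNECT = re.compile(r"screenconnect", re.I)
WSCRIPT = re.compile(r"\\(wscript|cscript)\.exe$", re.I)
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
STAGING = re.compile(r"C:\\Users\\Public\\\S*\.ld[kr]\b", re.I)
DOWNLOAD = re.compile(r"Download(String|Data|File)|Invoke-WebRequest|\biwr\b", re.I)
TASK_LURE = re.compile(r'schtasks(\.exe)?.*?/tn\s+"?Skype Updater', re.I)

def ancestors(ev, by_pid):
    """Walk parent links upward; the visited set stops loops from recycled PIDs."""
    seen, out, cur = {ev.pid}, [], by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        out.append(cur)
        cur = by_pid.get(cur.ppid)
    return out

def detect(events):
    """Return (pid, rule) alerts for the loader chain and the persistence task."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parents = ancestors(e, by_pid)
        if POWERSHELL.search(e.image):
            if any(WSCRIPT.search(p.image) for p in parents) and any(
                SCREENCONNECT.search(p.image) for p in parents
            ):
                alerts.append((e.pid, "screenconnect_wscript_powershell_chain"))
            if DOWNLOAD.search(e.cmdline) and STAGING.search(e.cmdline):
                alerts.append((e.pid, "powershell_stages_ldk_ldr_in_public"))
        if TASK_LURE.search(e.cmdline):
            alerts.append((e.pid, "scheduled_task_named_skype_updater"))
    return alerts

# Constructed sample telemetry (not from the incident): the malicious chain plus a
# benign PowerShell started from Explorer that must not alert.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(50, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(100, 1, r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.WindowsClient.exe", ""),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\Public\Update.vbs"'),
    ProcEvent(300, 200, PS, r'powershell.exe -w hidden -c "... DownloadData(...) ... C:\Users\Public\logs.ldk ... logs.ldr"'),
    ProcEvent(500, 300, r"C:\Windows\System32\schtasks.exe", r'schtasks.exe /create /tn "Skype Updater" /sc onlogon /tr ...'),
    ProcEvent(400, 50, PS, "powershell.exe Get-Process"),
]
```

Running detect(SAMPLE_EVENTS) flags only the PowerShell child of the ScreenConnect/WScript chain and the schtasks creation, not the Explorer-launched PowerShell.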

Stage 2: AsyncClient.exe – Command & Control Engine

AsyncClient.exe is the malware’s operational backbone, implementing the full command-and-control lifecycle after initial compromise and obfuscation. At its heart, this binary leverages modularity, encryption, and stealth mechanisms to maintain ongoing access to infected systems. It performs system reconnaissance, maintains connectivity via custom ping protocols, and executes attacker-supplied commands through a dynamic packet parsing system. Key highlights of this RAT include:

  • Configuration and Decryption: Uses AES-256 to decrypt embedded Base64-encoded settings, including:
    • C2 domains and ports (3osch20[.]duckdns[.]org)
    • Infection flags (e.g., persistence, anti-analysis)
    • Target directories (%AppData%)
    • Malware certificate and HWID
  • C2 Connection and Command Dispatch:
    • Connects to C2 server via TCP socket.
    • Sends data using a custom protocol with 4-byte length-prefixed packets.
    • Parses packets via MessagePack and dispatches them to Packet.Read().
  • Reconnaissance and Exfiltration:
    • Gathers OS details, privilege level, antivirus status, active window titles, and browser extensions (e.g., MetaMask, Phantom).
  • Logging and Persistence:
    • Implements keylogging using a hook callback, storing input in a temporary file, along with context to capture user activity patterns.
    • Ensures persistence via scheduled tasks using the CreateLoginTask() function seen in Obfuscator.dll or redundantly recreated from AsyncClient.
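To show how the 4-byte length-prefixed, MessagePack-encoded framing described above can be reassembled from a captured TCP stream during analysis, here is an added Python example (not from the report and not the malware's own code) with a stream splitter that tolerates partial frames and a minimal MessagePack decoder for simple key/value packets. The little-endian prefix, the MAX_FRAME bound and the sample packet contents are assumptions.

```python
import struct

MAX_FRAME = 4 * 1024 * 1024  # reject absurd length prefixes (assumed upper bound)

def split_frames(buf: bytes):
    """Split a TCP byte stream into 4-byte length-prefixed frames; returns
    (complete_frames, remainder), where remainder is a trailing partial frame to
    prepend to the next recv(). Little-endian prefix is an assumption here."""
    frames, pos = [], 0
    while len(buf) - pos >= 4:
        (length,) = struct.unpack_from("<I", buf, pos)
        if length > MAX_FRAME:
            raise ValueError(f"implausible frame length {length} at offset {pos}")
        if len(buf) - pos - 4 < length:
            break  # incomplete frame: wait for more bytes
        frames.append(buf[pos + 4 : pos + 4 + length])
        pos += 4 + length
    return frames, buf[pos:]

def mp_decode(data: bytes, pos: int = 0):
    """Minimal MessagePack decoder (nil, bool, positive fixint, fixstr, str8,
    bin8, fixmap), enough for simple key/value packets; returns (value, next_pos)."""
    t = data[pos]
    if t <= 0x7F:
        return t, pos + 1
    if t in (0xC0, 0xC2, 0xC3):
        return {0xC0: None, 0xC2: False, 0xC3: True}[t], pos + 1
    if 0xA0 <= t <= 0xBF or t in (0xD9, 0xC4):
        hdr = 1 if t <= 0xBF else 2                      # fixstr vs str8/bin8
        n = (t & 0x1F) if t <= 0xBF else data[pos + 1]
        raw = data[pos + hdr : pos + hdr + n]
        return (raw if t == 0xC4 else raw.decode("utf-8")), pos + hdr + n
    if 0x80 <= t <= 0x8F:
        obj, pos = {}, pos + 1
        for _ in range(t & 0x0F):
            k, pos = mp_decode(data, pos)
            obj[k], pos = mp_decode(data, pos)
        return obj, pos
    raise ValueError(f"unsupported MessagePack type 0x{t:02X}")

def decode_stream(buf: bytes):
    """Frame the stream and decode each complete frame; returns (messages, remainder)."""
    frames, rest = split_frames(buf)
    return [mp_decode(f)[0] for f in frames], rest

# Constructed sample, not captured traffic: fixmap {"Packet": "Ping", "Message": "ok"}
SAMPLE_BODY = b"\x82\xa6Packet\xa4Ping\xa7Message\xa2ok"
SAMPLE_FRAME = struct.pack("<I", len(SAMPLE_BODY)) + SAMPLE_BODY
```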

Conclusion

This analysis of the command structure, Obfuscator, and AsyncClient.exe reveals critical insights into a sophisticated Remote Access Trojan (RAT). By breaking down key elements, we can understand how the malware maintains persistence, dynamically loads payloads, and exfiltrates sensitive data like credentials, clipboard contents, and browser artifacts. These findings enable the creation of targeted detection signatures and support endpoint hardening based on observed behaviors.

For our customers, this reverse engineering effort yields actionable intelligence. Through these in-depth investigations, our team aims to improve detection, response, and resilience. Read more about the investigation and important takeaways including identified IOCs by downloading the full report here.
