All news with #in-memory execution tag

Fileless AsyncRAT infection leverages in-memory loaders

🔍 Security researchers at LevelBlue Labs identified an open-source Remote Access Trojan, AsyncRAT, being deployed via a multi-stage, fileless in-memory loader that avoids writing executables to disk. Attackers gained initial access through a compromised ConnectWise ScreenConnect client, executing a VBScript which invoked PowerShell to fetch two staged .NET assemblies. The first-stage assembly decodes payloads into byte arrays and uses reflection to run the secondary assembly directly in memory, while operators disabled AMSI and tampered with ETW to evade runtime detection. Persistence was achieved with a scheduled task disguised as "Skype Update," and the RAT used an AES-256 encrypted configuration to connect to a DuckDNS-based C2.