Threat Actors Abuse ScreenConnect Remote Tool in Large‑Scale Spoofed‑Installer Campaign
What Happened — Kaspersky’s MDR team uncovered a coordinated campaign that distributes malicious installer archives masquerading as popular freeware (e.g., OBS Studio, Bandicam). The archives contain a legitimate Microsoft install.exe bundled with a rogue install.res.1033.dll that sideloads the ScreenConnect remote‑administration service, which then receives commands from an AsyncRAT C2 infrastructure. Over 90 domain names in 10 languages were used to host the payloads.
Why It Matters for Compliance & Audit Readiness
- The abuse of a signed, allow‑listed remote‑access tool illustrates why SOC 2 Access Control policies must cover both privileged and “utility” applications, not just traditional admin accounts.
- Continuous monitoring of endpoint and network activity (e.g., unexpected ScreenConnect service launches) provides audit‑ready evidence that controls are operating as intended.
- Demonstrating a documented process for vetting third‑party software and restricting its execution aligns with the SOC 2 CC6.1 (Logical Access) and CC6.2 (User Access Management) criteria.
Who Is Affected — Enterprises of any size that permit remote‑support utilities, especially those in technology/SaaS, professional services, and media/creative sectors where tools like OBS are common.
Recommended Actions
- Inventory all remote‑administration utilities and enforce a “least‑privilege” execution policy (e.g., require MFA for service start‑up).
- Deploy endpoint detection that flags unsigned DLL sideloading and unexpected ScreenConnect processes.
- Incorporate the detection of spoofed installer domains into your threat‑intelligence feeds and SOC 2 evidence collection.
Source: SecureList – The SOC Files: ScreenConnect masked as freeware
Technical Notes
- Attack vector: Third‑party dependency abuse → legitimate remote‑admin tool signed with a valid certificate, delivered via spoofed freeware installers.
- Payload: AsyncRAT (remote access trojan) delivered through DLL sideloading (install.res.1033.dll).
- Infrastructure: >90 domains, multi‑regional C2 servers (e.g., 162.216.241.242, 198.23.185.81).
- Indicators of Compromise: Creation of PowerShell/VBS scripts by ScreenConnect, presence of install.res.1033.dll, outbound traffic to known AsyncRAT C2 hosts.