Threat actors are abusing the ConnectWise ScreenConnect installer to build signed remote access malware by modifying hidden settings within the client's Authenticode signature.  ConnectWise ScreenConnect is a remote monitoring and management (RMM) software that enables IT administrators and managed service providers (MSPs) to troubleshoot devices remotely.  When a ScreenConnect installer is built, it can be customized to include the remote server the client should connect to, the text displayed in the dialog boxes, and the logos that should be displayed.  This configuration data is saved within the file's Authenticode signature.  This technique, known as Authenticode stuffing, enables the insertion of data into a certificate table while preserving the digital signature integrity.[1]

Cybersecurity firm G DATA observed malicious ConnectWise binaries with identical hash values across all file sections, except for the certificate table.  The only difference was a modified certificate table containing new malicious configuration information while still allowing the file to remain signed.  G DATA reports that the first samples were discovered in the BleepingComputer forums, where members had reported being infected after falling for phishing attacks.  Similar attacks were reported on Reddit.

These phishing attacks utilized either PDFs or intermediary Canva pages that linked to executables hosted on Cloudflare's R2 servers (r2.dev).  The file, called "Request for Proposal.exe," as seen by BleepingComputer, is a malicious ScreenConnect client [VirusTotal] configured to connect to the attacker's servers at 86.38.225[.]6:8041 (relay.rachael-and-aidan.co[.]uk).  G DATA built a tool to extract and review the settings found in these campaigns, where the researchers found significant modifications, such as changing the installer's title to "Windows Update" and replacing the background with a fake Windows Update image.
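The following Python script is an added example, not code from the article, G DATA or ConnectWise. It shows the mechanism behind the observation above: the Authenticode hash of a PE file deliberately excludes the CheckSum field, the security directory entry and the certificate table, so bytes appended inside the certificate table change the file's SHA-256 but not the signed hash. It also shows the kind of check G DATA's tool performs, extracting whatever trails the DER signature blob inside the WIN_CERTIFICATE entry. The PE image, the dummy DER "signature" and the `<config .../>` blob are all constructed here; real ScreenConnect settings are stored in a layout the article does not describe, and the hash routine is a simplification that matches the Authenticode specification only for files whose sections are contiguous and in file order with no overlay other than the certificate table.

```python
"""Demonstrate why Authenticode stuffing keeps a signature valid and how to detect it.

Added example; the PE bytes, the fake DER signature and the config blob are constructed.
"""
import hashlib
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY


def security_directory(pe: bytes):
    """Return (cert_offset, cert_size, checksum_offset, security_entry_offset).

    Note: the security directory's "VirtualAddress" is a raw file offset, not an RVA.
    """
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 4 + 20                          # optional header follows COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_base = opt + (112 if magic == 0x20B else 96)  # data directories: PE32+ vs PE32
    checksum_off = opt + 64
    sec_entry = dir_base + SECURITY_DIR_INDEX * 8
    cert_off, cert_size = struct.unpack_from("<II", pe, sec_entry)
    return cert_off, cert_size, checksum_off, sec_entry


def authenticode_digest(pe: bytes, algo: str = "sha256") -> str:
    """Simplified Authenticode file hash: every byte except the CheckSum field,
    the security directory entry and the certificate table (assumption: contiguous
    in-order sections and no other overlay, so this equals the spec'd hash)."""
    cert_off, cert_size, checksum_off, sec_entry = security_directory(pe)
    skip = [(checksum_off, 4), (sec_entry, 8)]
    if cert_size:
        skip.append((cert_off, cert_size))
    h = hashlib.new(algo)
    pos = 0
    for off, length in sorted(skip):
        h.update(pe[pos:off])
        pos = off + length
    h.update(pe[pos:])
    return h.hexdigest()


def der_tlv_length(blob: bytes) -> int:
    """Total length (tag + length bytes + value) of the outer DER element."""
    if len(blob) < 2:
        raise ValueError("blob too short for a DER element")
    first = blob[1]
    if first < 0x80:                                 # short-form length
        return 2 + first
    n = first & 0x7F                                 # long form: n length bytes follow
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def parse_certificate_table(pe: bytes) -> dict:
    """Parse the WIN_CERTIFICATE header and report bytes that trail the DER signature.

    Legitimate entries end right after the PKCS#7 blob plus up to 7 NUL alignment
    bytes; anything else is data the signature does not cover (stuffing)."""
    cert_off, cert_size, _, _ = security_directory(pe)
    if not cert_size:
        return {"signed": False, "trailing": b""}
    dw_length, revision, cert_type = struct.unpack_from("<IHH", pe, cert_off)
    payload = pe[cert_off + 8:cert_off + dw_length]
    der_len = der_tlv_length(payload)
    # rstrip drops the 8-byte alignment padding (and any genuine trailing NULs).
    trailing = payload[der_len:].rstrip(b"\0")
    return {"signed": True, "dw_length": dw_length, "revision": revision,
            "type": cert_type, "der_length": der_len, "trailing": trailing}


def build_toy_pe(stuffed: bytes = b"") -> bytes:
    """Constructed minimal PE32+ image: one section plus a certificate table whose
    'signature' is a dummy DER SEQUENCE, followed by optional stuffed bytes."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)  # x64, 1 section
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)                  # CheckSum (not hashed)
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    sect_off = 0x40 + 4 + 20 + 240 + 40                          # headers end at 0x170
    section = struct.pack("<8sIIIIIIHHI", b".text", 64, 0x1000, 64, sect_off,
                          0, 0, 0, 0, 0x60000020)
    code = b"\x90" * 64                                          # constructed section body
    der = b"\x30\x08" + b"fakesign"                              # dummy outer SEQUENCE
    payload = der + stuffed
    payload += b"\0" * ((-len(payload)) % 8)                     # 8-byte alignment
    cert = struct.pack("<IHH", 8 + len(payload), 0x0200, 0x0002) + payload
    struct.pack_into("<II", opt, 112 + SECURITY_DIR_INDEX * 8, sect_off + 64, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section + code + cert


def compare(clean: bytes, suspect: bytes) -> dict:
    """Defender's view: same signed hash, different file hash, and what was stuffed."""
    return {
        "same_authenticode_hash": authenticode_digest(clean) == authenticode_digest(suspect),
        "same_file_hash": hashlib.sha256(clean).digest() == hashlib.sha256(suspect).digest(),
        "trailing": parse_certificate_table(suspect)["trailing"],
    }


if __name__ == "__main__":
    clean = build_toy_pe()
    stuffed = build_toy_pe(b'<config relay="relay.example.invalid:8041"/>')  # constructed
    for k, v in compare(clean, stuffed).items():
        print(f"{k}: {v!r}")
```

Running the script prints that the simplified Authenticode hash is identical for both images while the plain SHA-256 differs, and it recovers the constructed `<config .../>` blob from the certificate table. On real files, the same trailing-bytes check gives a cheap triage signal for signed binaries whose "signature" is larger than the PKCS#7 structure it contains.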

The threat actors converted the legitimate ConnectWise ScreenConnect client into malware that allows them to gain access to infected devices stealthily.

After contacting G DATA, ConnectWise revoked the certificate used in these binaries, and G DATA is now flagging these samples as Win32.Backdoor.EvilConwi.* and Win32.Riskware.SilentConwi.*.  G DATA states that they never received a reply from ConnectWise regarding this campaign and their report.

Another campaign involves enterprise software, distributing trojanized versions of the SonicWall NetExtender VPN client to steal usernames, passwords, and domain information.  According to an advisory from SonicWall, these modified versions send captured credentials to an attacker-controlled server, making it critical for users to obtain software clients only from official sites.


This article is shared with permission at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122


[1] https://www.bleepingcomputer.com/news/security/hackers-turn-screenconnect-into-malware-using-authenticode-stuffing/
