
Hackers Exploit ScreenConnect with Authenticode Malware

Summary

– Threat actors are exploiting ConnectWise ScreenConnect’s installer by modifying hidden settings in its Authenticode signature to create signed malware.
– The abuse involves “authenticode stuffing,” inserting malicious configuration data into the certificate table while keeping the digital signature valid.
– Malicious binaries with identical hash values except for the altered certificate table were found, linking to phishing attacks via PDFs or Canva pages.
– Attackers disguised the malware as “Windows Update” to trick victims, enabling remote access to infected devices.
– ConnectWise revoked the abused certificate, while G DATA flagged the malware as Win32.Backdoor.EvilConwi.* and Win32.Riskware.SilentConwi.*.

Cybercriminals are exploiting ConnectWise ScreenConnect’s installer to create digitally signed malware by manipulating hidden settings within the software’s Authenticode signature. This sophisticated attack method allows threat actors to modify configuration data while keeping the file’s digital signature valid, making detection more challenging.

ScreenConnect, a widely used remote monitoring and management (RMM) tool, enables IT professionals to remotely access and troubleshoot devices. Attackers have found a way to abuse its installer by embedding malicious server details, dialog text, and logos directly into the file’s certificate table, a technique known as authenticode stuffing.

Security researchers at G DATA uncovered malicious ScreenConnect binaries whose contents matched the legitimate installer except for the altered certificate table. Despite the modifications, the files retained their valid signatures, allowing them to bypass security checks. The first instances of this attack surfaced in online forums, where victims reported infections after opening phishing emails containing malicious PDFs or links to compromised executables.
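Because the Authenticode hash excludes the certificate table, bytes appended after the PKCS#7 signature inside a WIN_CERTIFICATE entry leave the signature valid. The following checker is an added example (not code from G DATA, ConnectWise or the source article): it reads the DER outer length of the PKCS#7 blob in one certificate-table entry and reports anything beyond it, which is the trailing space that authenticode stuffing fills. The sample entry is constructed inline; the `build_entry` helper and the placeholder PKCS#7 bytes are assumptions for the demonstration.

```python
"""Flag trailing data after the PKCS#7 SignedData in an Authenticode entry."""
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200


def der_outer_length(blob: bytes) -> int:
    """Total size (tag + length field + content) of the DER SEQUENCE at blob[0].
    Handles short-form and long-form definite lengths."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def find_stuffed_data(entry: bytes) -> bytes:
    """entry: one WIN_CERTIFICATE (dwLength, wRevision, wCertificateType, bCertificate),
    as taken from the PE security directory. Returns the bytes that follow the
    PKCS#7 structure; empty means nothing was appended."""
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", entry, 0)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("not a PKCS#7 signed-data entry")
    cert = entry[8:dw_length]
    trailer = cert[der_outer_length(cert):]
    # Up to 7 zero bytes of 8-byte alignment padding are legitimate; anything else is suspect.
    if len(trailer) < 8 and trailer == b"\x00" * len(trailer):
        return b""
    return trailer


def build_entry(pkcs7: bytes, extra: bytes = b"") -> bytes:
    """Constructed helper (assumption): wrap a PKCS#7 blob plus optional appended
    data in a WIN_CERTIFICATE header, 8-byte aligned like a real certificate table."""
    body = pkcs7 + extra
    dw_length = 8 + len(body)
    body += b"\x00" * ((-dw_length) % 8)
    return struct.pack("<IHH", dw_length, WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body


# Constructed stand-in for a 260-byte DER SEQUENCE (outer length 0x0100 content bytes);
# a real SignedData blob would be the signature exported by signtool or pefile.
FAKE_PKCS7 = b"\x30\x82\x01\x00" + b"\xAA" * 256
CLEAN_ENTRY = build_entry(FAKE_PKCS7)
STUFFED_ENTRY = build_entry(FAKE_PKCS7, b"CONSTRUCTED-STUFFED-CONFIG")
```

A real entry can be sliced from a PE at the offset and size given by its security data directory; an empty result from `find_stuffed_data` means the table holds only the signature.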

One observed sample, named “Request for Proposal.exe,” disguised itself as a legitimate file but connected to a remote attacker-controlled server. Further analysis revealed that hackers had altered the installer’s appearance, rebranding it as a fake Windows Update screen to deceive users.

After G DATA alerted ConnectWise, the company revoked the abused certificate. However, researchers noted that they received no formal response regarding their findings. The malware is now classified under detection names Win32.Backdoor.EvilConwi and Win32.Riskware.SilentConwi.

In a related campaign, attackers distributed trojanized versions of the SonicWall NetExtender VPN client, designed to harvest login credentials and domain information. SonicWall has since warned users to download software exclusively from official sources to avoid falling victim to such attacks.

This incident highlights the growing sophistication of cybercriminals in abusing legitimate software for malicious purposes. Organizations must remain vigilant, verifying downloads and monitoring for unusual remote access activity to mitigate risks.

(Source: BLEEPING COMPUTER)


The Wiz

Wiz Consults, home of the Internet is led by "the twins", Wajdi & Karim, experienced professionals who are passionate about helping businesses succeed in the digital world. With over 20 years of experience in the industry, they specialize in digital publishing and marketing, and have a proven track record of delivering results for their clients.
