
Hackers turn ScreenConnect into malware using Authenticode stuffing


Threat actors are abusing the ConnectWise ScreenConnect installer to build signed remote access malware by modifying hidden settings within the client's Authenticode signature.

ConnectWise ScreenConnect is a remote monitoring and management (RMM) software that allows IT admins and managed service providers (MSPs) to troubleshoot devices remotely.

When a ScreenConnect installer is built, it can be customized with the remote server the client should connect to, the text shown in its dialog boxes, and the logos it displays. This configuration data is stored inside the file's Authenticode signature.

This technique, called Authenticode stuffing, inserts data into the PE attribute certificate table without invalidating the digital signature. It works because the Authenticode hash covers the image except for the optional header's checksum field, the security data directory entry and the certificate table itself, so bytes added to that table are never checked against the signature.
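The following is an added example, not code from the article, G DATA or ConnectWise. It implements the Authenticode PE image hash from Microsoft's Authenticode PE specification in pure Python, assembles a minimal constructed PE32+ skeleton (not a real executable) with a constructed stand-in for the PKCS#7 signature, and shows that appending configuration bytes to the certificate table leaves the hash unchanged while a one-byte change to a section does not. It also includes a simple check for data trailing the DER-encoded signature object inside the certificate table. The section bytes, the fake signature and the JSON configuration string are all made up for the demonstration.

```python
import hashlib
import struct

# Constructed, minimal PE32+ layout used only for this demonstration (not a real executable).
FILE_ALIGN = 512
OPT_HDR_SIZE = 240            # PE32+ optional header including 16 data directories
SEC_DIR_INDEX = 4             # IMAGE_DIRECTORY_ENTRY_SECURITY


def build_pe(section_data: bytes, cert_blob: bytes) -> bytes:
    """Assemble a skeleton PE32+ image with one section and one WIN_CERTIFICATE entry."""
    section_data = section_data.ljust(FILE_ALIGN, b"\0")
    hdr_end = FILE_ALIGN                                    # SizeOfHeaders
    cert_off = hdr_end + len(section_data)                  # certificate table follows the section
    cert_len = 8 + len(cert_blob)
    pad = (-cert_len) % 8                                   # WIN_CERTIFICATE is 8-byte aligned
    win_cert = struct.pack("<IHH", cert_len + pad, 0x0200, 0x0002) + cert_blob + b"\0" * pad

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, OPT_HDR_SIZE, 0x22)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x20B)                   # Magic: PE32+
    struct.pack_into("<I", opt, 36, FILE_ALIGN)             # FileAlignment
    struct.pack_into("<I", opt, 60, hdr_end)                # SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)             # CheckSum (excluded from the hash)
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * SEC_DIR_INDEX, cert_off, len(win_cert))
    sect = (b".text\0\0\0"
            + struct.pack("<IIII", len(section_data), 0x1000, len(section_data), hdr_end)
            + b"\0" * 16)
    headers = (dos + coff + bytes(opt) + sect).ljust(hdr_end, b"\0")
    return headers + section_data + win_cert


def _layout(pe: bytes):
    """Return (pe_off, opt_off, sec_dir_off, cert_off, cert_size) for PE32 or PE32+."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    sec_dir_off = opt_off + (96 if magic == 0x10B else 112) + 8 * SEC_DIR_INDEX
    cert_off, cert_size = struct.unpack_from("<II", pe, sec_dir_off)
    return pe_off, opt_off, sec_dir_off, cert_off, cert_size


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Authenticode PE image hash: everything except CheckSum, the Security directory entry
    and the attribute certificate table itself (works on real PE files too)."""
    pe_off, opt_off, sec_dir_off, _, cert_size = _layout(pe)
    n_sections = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]
    size_of_headers = struct.unpack_from("<I", pe, opt_off + 60)[0]
    checksum_off = opt_off + 64
    h = hashlib.new(algo)
    # 1. headers, skipping the 4-byte CheckSum and the 8-byte Security directory entry
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:sec_dir_off])
    h.update(pe[sec_dir_off + 8:size_of_headers])
    hashed = size_of_headers
    # 2. each section's raw data, in ascending file-offset order
    sh = opt_off + opt_size
    sections = [struct.unpack_from("<II", pe, sh + 40 * i + 16)[::-1] for i in range(n_sections)]
    for raw_ptr, raw_size in sorted(sections):
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    # 3. any trailing data after the sections, except the certificate table
    extra = len(pe) - (hashed + cert_size)
    if extra > 0:
        h.update(pe[hashed:hashed + extra])
    return h.hexdigest()


def certificate_table(pe: bytes) -> bytes:
    _, _, _, cert_off, cert_size = _layout(pe)
    return pe[cert_off:cert_off + cert_size]


def der_total_length(buf: bytes) -> int:
    """Encoded size (tag + length + content) of the leading DER TLV in buf."""
    first = buf[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def trailing_cert_bytes(pe: bytes) -> bytes:
    """Bytes inside WIN_CERTIFICATE that follow the DER PKCS#7 object (alignment padding stripped).
    Non-empty output means data was stuffed after the signature object."""
    table = certificate_table(pe)
    dw_length = struct.unpack_from("<I", table, 0)[0]
    body = table[8:dw_length]
    return body[der_total_length(body):].rstrip(b"\0")


# Constructed stand-ins: a DER SEQUENCE posing as the PKCS#7 SignedData, a few section bytes,
# and a hypothetical stuffed configuration string.
FAKE_PKCS7 = b"\x30\x08" + b"SignedDa"
CODE = b"\x48\x31\xc0\xc3"
CONFIG = b'{"server":"relay.example.invalid:8041"}'

clean = build_pe(CODE, FAKE_PKCS7)
stuffed = build_pe(CODE, FAKE_PKCS7 + CONFIG)       # config appended inside the certificate table
patched = build_pe(CODE[:-1] + b"\x90", FAKE_PKCS7)  # one byte of the section changed

if __name__ == "__main__":
    print("stuffed hash equals clean hash:", authenticode_hash(clean) == authenticode_hash(stuffed))
    print("patched hash equals clean hash:", authenticode_hash(clean) == authenticode_hash(patched))
    print("stuffed bytes:", trailing_cert_bytes(stuffed))
```

`authenticode_hash` accepts real files as well (`authenticode_hash(open(path, "rb").read())`), so two samples that differ only in the certificate table will produce the same digest, which is the comparison G DATA describes. The trailing-byte check only catches data appended after the PKCS#7 object; data tucked inside the signature's unauthenticated attributes is also outside the signed hash but stays within the DER object, so it needs a PKCS#7 parser to spot.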

ScreenConnect abused for initial access

Cybersecurity firm G DATA observed malicious ConnectWise binaries with identical hash values across all file sections except for the certificate table.

The only difference was a modified certificate table carrying new, malicious configuration data, while the file remained validly signed.

G DATA says the first samples were found in the BleepingComputer forums, where members reported being infected after falling for phishing attacks. Similar attacks were reported on Reddit.

These phishing attacks used either PDFs or intermediary Canva pages that linked to executables hosted on Cloudflare R2 storage (r2.dev).

[Figure: Example PDF used in the phishing campaign]
