Full Report
Threat actors are abusing the ConnectWise ScreenConnect installer to build signed remote access malware by modifying hidden settings within the client's Authenticode signature. [...]
Analysis Summary
# Tool/Technique: ScreenConnect Modified Client (Authenticode Stuffing)
## Overview
This entry describes a technique in which threat actors take the legitimate ConnectWise ScreenConnect remote access client, modify it, and distribute the result as malware. The modifications aim to conceal malicious activity and enable persistent remote access and credential theft. The malicious binaries often use "Authenticode stuffing" to potentially bypass simple security checks, though the primary mechanism reviewed here is the functional modification of the legitimate client.
## Technical Details
- Type: Malware (Modified legitimate software)
- Platform: Windows (Implied by executable and Win32 detections)
- Capabilities: Remote access, credential harvesting, stealthy communication.
- First Seen: Not explicitly stated, but the context suggests a recent campaign.
## MITRE ATT&CK Mapping
The description heavily implies execution, remote access, and credential access.
- TA0002 - Execution
- T1204 - User Execution
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- TA0006 - Credential Access
- T1003 - OS Credential Dumping (Implied by stealing usernames/passwords/domain info)
## Functionality
### Core Capabilities
- **Remote Access:** The modified client functions as a backdoor, providing threat actors with remote control over infected devices.
- **Credential Harvesting:** The modified versions are specifically configured to steal usernames, passwords, and domain information from the compromised system.
- **Deception:** The installer's title is changed to "Windows Update," and the background is replaced with a fake Windows Update image to trick users into believing they are installing a legitimate system component.
### Advanced Features
- **Certificate Abuse:** The technique abuses the Authenticode signature ("stuffing") in a way that likely helps the binary evade initial static analysis, or allows the malicious binary to be loaded while still appearing validly signed.
- **Stealthy C2 Communication:** Communication is established with attacker-controlled servers.
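From a detection standpoint, the "stuffing" can be checked for directly in the file. The following is an added example (not code from the report or from ConnectWise) that parses a PE's security directory and flags bytes appended after the DER-encoded PKCS#7 signature, which the signed hash does not cover. It assumes the hidden settings travel as such trailing data; the sample blobs are constructed, not taken from the real installer.

```python
"""Flag Authenticode 'stuffing' in a PE signature blob. Added defender-side example,
not code from the report or from ConnectWise. Assumption: the hidden settings sit
after the DER-encoded PKCS#7 SignedData inside WIN_CERTIFICATE, outside the signed hash."""
import struct
def der_total_length(buf: bytes) -> int:
    """Size (tag + length + value) of the first DER element; PKCS#7 is a SEQUENCE."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:                                    # short-form length
        return 2 + first
    n = first & 0x7F                                    # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def check_win_certificate(entry: bytes, slack: int = 8) -> dict:
    """Inspect one WIN_CERTIFICATE: dwLength(4) wRevision(2) wCertificateType(2) bCertificate.
    Up to `slack` zero bytes of alignment padding are normal; more, or any non-zero byte, is stuffing."""
    dw_length, revision, cert_type = struct.unpack_from("<IHH", entry, 0)
    if cert_type != 0x0002:                             # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        raise ValueError(f"unsupported certificate type {cert_type:#x}")
    blob = entry[8:dw_length]
    der_len = der_total_length(blob)
    trailing = blob[der_len:]
    stuffed = len(trailing) > slack or any(trailing)
    return {"revision": revision, "der_length": der_len,
            "trailing_bytes": len(trailing), "stuffed": stuffed}

def security_directory(pe: bytes) -> bytes:
    """Raw IMAGE_DIRECTORY_ENTRY_SECURITY bytes of a PE image (its 'RVA' is a file offset)."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = pe_off + 24                                   # optional header after 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_off = opt + (128 if magic == 0x10B else 144)    # PE32 vs PE32+; security is index 4
    offset, size = struct.unpack_from("<II", pe, dir_off)
    return pe[offset:offset + size]
# Constructed sample: a tiny stand-in for the PKCS#7 SEQUENCE plus appended "settings".
FAKE_PKCS7 = b"\x30\x04\x02\x02\x12\x34"
STUFFED_SETTINGS = b"<settings>" + b"\x00" * 30          # hypothetical payload, constructed
def build_entry(blob: bytes) -> bytes:
    """Wrap a blob in a WIN_CERTIFICATE header (revision 2.0, PKCS#7 type)."""
    return struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
if __name__ == "__main__":
    print(check_win_certificate(build_entry(FAKE_PKCS7 + b"\0\0")))            # clean
    print(check_win_certificate(build_entry(FAKE_PKCS7 + STUFFED_SETTINGS)))   # stuffed
```

On a real file, pass `security_directory(open(path, "rb").read())` to `check_win_certificate`; a legitimately signed client shows only a few zero bytes of padding, while a stuffed one reports a large `trailing_bytes` count.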
## Indicators of Compromise
- File Hashes: `26c2d341b16807d23201b058f187e44c10e38090b37f6fb43a4593bea51aadca` (SHA256 for "Request for Proposal.exe")
- File Names: "Request for Proposal.exe" (Example seen)
- Registry Keys: Not specified.
- Network Indicators:
- `86.38.225[.]6:8041` (C2 server)
- `relay.rachael-and-aidan.co[.]uk` (Associated domain)
- Behavioral Indicators:
- Installation/execution presenting as a "Windows Update" process.
- Communication on standard ports (Example observation: 8041) used for remote access.
- The binary is detected as `Win32.Backdoor.EvilConwi.*` and `Win32.Riskware.SilentConwi.*` by G DATA.
## Associated Threat Actors
Threat actors deploying this specific campaign are not named in the summary, but the activity is characterized by credential theft campaigns against enterprises.
## Detection Methods
- Signature-based detection (G DATA flags it as Backdoor/Riskware).
- Behavioral analysis detecting the execution of a remote access tool disguised as a legitimate service.
- Certificate revocation (ConnectWise revoked the certificate used).
## Mitigation Strategies
- **Source Verification:** Users must only obtain software clients (like ScreenConnect) from official, trusted sites.
- **Certificate Monitoring:** Security solutions should monitor for software executables using certificates that have been recently revoked or are known to be part of abuse campaigns (though, in this case, the certificate was revoked after the fact).
- **Process Monitoring:** Monitor for legitimate software being launched with unusual display names or user interface changes.
## Related Tools/Techniques
- ConnectWise ScreenConnect (Legitimate software being abused for C2/Backdoor).
- Similar techniques involving abusing legitimate remote management software (RMS) to establish footholds.