Full Report
Barracuda’s Managed XDR team recently helped two companies mitigate incidents where attackers had managed to compromise computers and install rogue ScreenConnect remote management software.
Analysis Summary
# Incident Report: Rogue ScreenConnect Installation & Persistence Attempts
## Executive Summary
Two separate organizations discovered unauthorized deployments of ScreenConnect remote management software after endpoints exhibited anomalous behavior (tax software opening on its own, unusual mouse movements). In both cases, initial access was gained when users unknowingly executed a malicious installer disguised as a Social Security document. Access was limited and lateral movement was prevented, but Company B showed evidence of persistence mechanisms using VBS scripts and Remcos malware, requiring full system rebuilds for remediation.
## Incident Details
- Discovery Date: Not explicitly stated; the incidents were contained quickly, so discovery occurred shortly after installation.
- Incident Date: Not explicitly stated; the incidents began when users executed the malicious files.
- Affected Organization: Company A and Company B (Two separate organizations).
- Sector: Not disclosed.
- Geography: Not disclosed.
## Timeline of Events
### Initial Access
- Date/Time: Unknown (Implied shortly before discovery).
- Vector: User Execution of Malicious File (Social Engineering/Phishing delivery).
- Details: End users in both companies downloaded and executed a file disguised as a Social Security document, which was actually an installer for rogue ScreenConnect software.
### Lateral Movement
- **Company A:** No confirmed lateral movement, but obfuscation attempts suggested potential preparation for data removal.
- **Company B:** Attacker downloaded further rogue software, including VBS scripts, creating a new folder structure to support persistence.
### Data Exfiltration/Impact
- **Company A:** Investigation could not confirm exfiltration due to lack of firewall integration in the XDR deployment. Signs of attempted data removal existed (file creation loops).
- **Company B:** No signs of confirmed data exfiltration via firewall logs review.
### Detection & Response
- **Company A:** Detected via monitoring of odd behavior (open tax software). Analysts confirmed unauthorized ScreenConnect deployment.
- **Company B:** Detected via user reports of random mouse movements. Analysts confirmed unauthorized ScreenConnect deployment.
- **Response:** SOC teams in both instances contained the threat, identified the unauthorized software, and advised complete wiping and rebuilding of the infected devices for full eradication.
## Attack Methodology
- Initial Access: Social engineering leading to user execution of ScreenConnect installer disguised as a legitimate document (Social Security related).
- Persistence: **Company B** established persistence using VBS scripts executing heavily obfuscated PowerShell commands leveraging Remcos RAT.
- Privilege Escalation: Not specified, but necessary to deploy ScreenConnect and persistence mechanisms.
- Defense Evasion: Malicious installer hid ScreenConnect in common folders (`Local\Apps\2.0\` and `\Windows\SystemTemp\`). File creation loops in Company A suggested obfuscation tactics.
- Credential Access: Not specified.
- Discovery: Not specified beyond the deployment of the RAT/remote management tool.
- Lateral Movement: Prevented in both cases due to early detection, though Company A showed behavior indicative of prepping for exfiltration.
- Collection: **Company B** downloaded further rogue software (VBS scripts).
- Exfiltration: Unconfirmed in both cases; attempts/precursors noted in Company A.
- Impact: Unauthorized remote control established via ScreenConnect; potential deployment of a secondary RAT (Remcos) in Company B.
## Impact Assessment
- Financial: Not estimated.
- Data Breach: Unconfirmed, but data access/potential exfiltration was attempted or prepared for.
- Operational: Minimal operational disruption beyond the immediate investigation and the need to take endpoints offline for rebuilds.
- Reputational: Not disclosed.
## Indicators of Compromise
- **Network indicators (Defanged):** Unknown (Firewall logs reviewed but not detailed).
- **File indicators:** Rogue ScreenConnect installers/binaries, VBS scripts, obfuscated PowerShell commands, potential Remcos malware components.
- **Behavioral indicators:** Unusual mouse movements, unauthorized opening of applications (Tax software), unexplained file creation loops, execution of malicious scripts attempting persistence.
## Response Actions
- Containment measures: Prompt identification and isolation of the rogue ScreenConnect instances on the affected endpoints.
- Eradication steps: Complete wipe and rebuild of the infected devices (Company A and Company B) due to the successful installation of remote access tools and persistence mechanisms.
- Recovery actions: Rebuilding systems to a trusted state.
## Lessons Learned
- Relying solely on application monitoring is insufficient; detection must include monitoring the process chain of legitimate actions (e.g., file downloads) that lead to malicious software installation.
- Rogue installation of trusted IT tools (like ScreenConnect) can evade alerts if the security strategy does not examine unusual installation locations or execution contexts.
- Strong logging is crucial, both endpoint telemetry and perimeter integrations such as firewalls, to confirm or rule out data exfiltration attempts.
- Persistence mechanisms (like the VBS/PowerShell chain in Company B) must be detected and countered immediately; once persistence has been achieved, a system rebuild is required.
- Employee training on social engineering remains critical to prevent initial execution of malicious payloads.
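To make the detection points above concrete, here is an added example (not code from the report or from Barracuda) that applies two rules to constructed process-creation events: a ScreenConnect binary running from the abnormal directories the report names, and a script host spawning PowerShell with obfuscation switches, the chain seen at Company B. Field names follow Sysmon Event ID 1, and the file names, paths and command lines in the sample are assumptions, not indicators from the incidents.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon Event ID 1 style field names); these are
# sample records written for this example, not telemetry from the incidents in the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Apps\2.0\X1Y2Z3\ScreenConnect.ClientService.exe",
     "ParentImage": r"C:\Users\alice\Downloads\SSA_Statement.exe", "CommandLine": ""},
    {"Image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": ""},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand BASE64_PLACEHOLDER"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\nightly_backup.ps1"},
]

# Install locations the report names as abnormal for ScreenConnect (compared lower-cased).
ABNORMAL_DIRS = ("\\local\\apps\\2.0\\", "\\windows\\systemtemp\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# PowerShell switches that commonly accompany obfuscated, script-launched commands.
OBFUSCATION_FLAGS = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand|nop|noprofile|w|windowstyle)\b")

def classify(event):
    """Return the list of rule names that match one process-creation event."""
    hits = []
    image = event["Image"].lower()
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    child = PureWindowsPath(event["Image"]).name.lower()
    # Rule 1: a ScreenConnect binary running from a per-user or temp directory rather
    # than its normal Program Files install location.
    if "screenconnect" in image and any(d in image for d in ABNORMAL_DIRS):
        hits.append("screenconnect_abnormal_install_path")
    # Rule 2: a VBS/JS script host launching PowerShell with encoding or hidden-window
    # switches, the persistence chain described for Company B.
    if parent in SCRIPT_HOSTS and child == "powershell.exe" \
            and OBFUSCATION_FLAGS.search(event["CommandLine"]):
        hits.append("script_host_spawned_obfuscated_powershell")
    return hits

def triage(events):
    """Map each event index to its rule hits, skipping events that match nothing."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], rules)
```

The benign events (a ScreenConnect client under Program Files started by services.exe, and PowerShell running a script file from Explorer) match neither rule, which is the point: the signal is the execution context, not the tool name alone.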
## Recommendations
- Implement endpoint monitoring and logging that specifically flags the installation of unauthorized remote access/management tools (RATs, unauthorized ScreenConnect).
- Enhance detection mechanisms to identify and analyze obfuscated scripts (PowerShell, VBS) and connections to known malware signatures (e.g., Remcos).
- Ensure security tooling integrates firewall/network visibility to definitively monitor outbound data transmission paths when suspicious activity is detected on an endpoint.
- Continually reinforce employee cybersecurity awareness training focusing on identifying convincing social engineering tactics used to deliver initial payloads.
- Maintain a clear procedure for full system sanitization (wipe and rebuild) when high-impact persistence tools like RATs are successfully deployed.