Malicious actors have been abusing ConnectWise ScreenConnect installers to create signed remote access malware in what is known as an Authenticode stuffing attack, reports BleepingComputer.
Attacks involved phishing with malicious PDFs and Canva pages that linked to an executable hosted on a Cloudflare R2 server; the executable is a trojanized ScreenConnect client that establishes a connection with attacker-controlled servers, according to findings from GDATA. Analysis of the installer, which turns the legitimate ScreenConnect client into malware, revealed modifications to its title and background. ConnectWise has already moved to invalidate the certificate used to sign the malicious binaries. The development comes after a SonicWall alert regarding ongoing intrusions involving trojanized versions of its NetExtender VPN client, which exfiltrated usernames, credentials, and domain information to attacker-controlled servers. Organizations have been urged to install software only from legitimate sources to avoid compromise via such malicious software clients.
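The report names Authenticode stuffing but does not describe how it is spotted. The following added example (not code from BleepingComputer, GDATA or ConnectWise) shows one defensive check a triage analyst can run on a suspicious signed binary: parse the PE certificate table and compare each WIN_CERTIFICATE entry's declared length with the length of the DER-encoded PKCS#7 blob it contains. Data appended after the PKCS#7 structure is not covered by the signature, so a validly signed file carrying such a tail is worth a closer look. The expected-layout assumptions (entries padded to 8 bytes with zeros, PKCS#7 blob as a single DER SEQUENCE) and the sample certificate table are constructed for the example; the check is a heuristic and does not cover every stuffing variant.

```python
import struct

# Constants from the PE/Authenticode specification.
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def der_sequence_length(buf: bytes, offset: int = 0) -> int:
    """Return header + content length of the DER SEQUENCE starting at buf[offset]."""
    if buf[offset] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = buf[offset + 1]
    if first < 0x80:                       # short form length
        return 2 + first
    n = first & 0x7F                       # long form: n bytes of length follow
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    content_len = int.from_bytes(buf[offset + 2: offset + 2 + n], "big")
    return 2 + n + content_len


def inspect_cert_table(table: bytes) -> list:
    """Walk the WIN_CERTIFICATE entries and report unsigned bytes trailing each PKCS#7 blob.

    Assumption: a clean entry is the PKCS#7 SEQUENCE followed only by zero padding
    up to the next 8-byte boundary; anything else after the SEQUENCE is flagged.
    """
    results = []
    off = 0
    while off + 8 <= len(table):
        dw_len, revision, cert_type = struct.unpack_from("<IHH", table, off)
        if dw_len < 8 or off + dw_len > len(table):
            raise ValueError("malformed WIN_CERTIFICATE length")
        body = table[off + 8: off + dw_len]
        p7_len = der_sequence_length(body)
        if p7_len > len(body):
            raise ValueError("PKCS#7 blob exceeds WIN_CERTIFICATE entry")
        extra = body[p7_len:].rstrip(b"\x00")   # ignore legitimate zero padding
        results.append({
            "offset": off,
            "revision": revision,
            "cert_type": cert_type,
            "declared_length": dw_len,
            "pkcs7_length": p7_len,
            "stuffed_bytes": len(extra),
            "suspicious": len(extra) > 0,
        })
        off += (dw_len + 7) & ~7           # entries are quadword aligned
    return results


def pe_cert_table(data: bytes) -> bytes:
    """Extract the raw certificate table from a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    opt = pe_off + 24                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                      # PE32
        data_dirs = opt + 96
    elif magic == 0x20B:                    # PE32+
        data_dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic")
    # The security directory holds a raw file offset, not an RVA.
    file_off, size = struct.unpack_from("<II", data, data_dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return data[file_off:file_off + size]


def build_entry(pkcs7: bytes, extra: bytes = b"") -> bytes:
    """Construct a WIN_CERTIFICATE entry for the example (not real signature data)."""
    body = pkcs7 + extra
    dw_len = 8 + len(body)
    padded = (dw_len + 7) & ~7
    return struct.pack("<IHH", padded, WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) \
        + body + b"\x00" * (padded - dw_len)


# Constructed sample: a stand-in DER SEQUENCE (SEQUENCE { INTEGER 5 }) used in place of a
# real PKCS#7 blob, once clean and once with 16 bytes stuffed after the signed structure.
FAKE_PKCS7 = b"\x30\x03\x02\x01\x05"
SAMPLE_TABLE = build_entry(FAKE_PKCS7) + build_entry(FAKE_PKCS7, b"STUFFED-PAYLOAD!")

if __name__ == "__main__":
    for entry in inspect_cert_table(SAMPLE_TABLE):
        print(entry)
```

On a real sample, read the file and call inspect_cert_table(pe_cert_table(data)); any entry with stuffed_bytes greater than zero should be escalated even though signtool or the Windows UI still reports the signature as valid.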