More advanced persistent threat groups have been exploiting the ConnectWise ScreenConnect remote monitoring and management tool to facilitate initial network compromise amid greater detection of AnyDesk abuse, Infosecurity Magazine reports.
Intrusions commenced with the utilization of ConnectWise ScreenConnect's management console to craft invite links or custom URLs in phishing schemes aimed at luring targets into downloading nefarious ScreenConnect clients, a report from the DarkAtlas research project showed.
Subsequent installation of such clients then prompts the registration of their binary as a Windows service for continued remote connectivity, according to researchers, who also discovered hostnames, encrypted keys, and IP mappings within the clients' configuration files, while providing key event logs produced by ScreenConnect during the malicious activity.
Combating the threat of illicit ScreenConnect usage necessitates increased vigilance on custom URLs and invite links, persistent client binaries, in-memory installer behavior, and related configuration files and event IDs.
Intrusions commenced with the utilization of ConnectWise ScreenConnect's management console to craft invite links or custom URLs in phishing schemes aimed at luring targets into downloading nefarious ScreenConnect clients, a report from the DarkAtlas research project showed.
Subsequent installation of such clients then prompts the registration of their binary as a Windows service for continued remote connectivity, according to researchers, who also discovered hostnames, encrypted keys, and IP mappings within the clients' configuration files, while providing key event logs produced by ScreenConnect during the malicious activity.
Combating the threat of illicit ScreenConnect usage necessitates increased vigilance on custom URLs and invite links, persistent client binaries, in-memory installer behavior, and related configuration files and event IDs.




