Threat Intelligence

Trojanized TestDisk installer, Microsoft binary tapped for illicit ScreenConnect deployment

Trojan malware

Attacks that lure victims into running a malicious TestDisk installer and abuse a Microsoft-signed binary for DLL side-loading have enabled the covert installation of the ConnectWise ScreenConnect remote monitoring and management software as part of a search engine optimization poisoning campaign, according to GBHackers News.

Running the fake TestDisk installer, downloaded from a spoofed website promoted in search results, launches a legitimately signed Microsoft Setup binary that has been repurposed as a loader. The signed binary searches its own working directory for a companion DLL and loads the attacker's malicious autorun.dll placed alongside it, Palo Alto Networks Unit 42 researchers reported.

That DLL then downloads not only the legitimate TestDisk software, so the victim receives the expected program, but also additional malware components, including a trojanized ScreenConnect client that allows threat actors to transfer files, execute commands, and move laterally. The resulting initial access could also be used for credential harvesting, data exfiltration, and ransomware deployment. Defending against this threat requires closer monitoring of access to testdisk[.]div and other download infrastructure, as well as of atypical DLLs loaded by Microsoft-signed binaries, such as a DLL loaded from the installer's own download directory.
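The detection advice above, turned into a runnable check, as an added example that is not part of the SC Media article or of the Unit 42 or GBHackers reporting. It scans Sysmon Event ID 7 (Image Loaded) records for a Microsoft-signed host process loading a DLL that is not itself Microsoft-signed from the process's own directory or from a user-writable location. Sysmon's Signed/Signature/SignatureStatus fields describe the loaded DLL; the host process signer is an assumed enrichment field named ImageSigner (joined from the process-create event or a signer lookup), and all paths and records are constructed for illustration.

```python
"""Flag DLL side-loading candidates in Sysmon Event ID 7 (Image Loaded) data.

Heuristic: a Microsoft-signed executable loads a DLL that is not itself
Microsoft-signed, and that DLL sits in the executable's own directory or in a
user-writable location. Records and paths below are constructed examples.
"""
import json
from pathlib import PureWindowsPath

# Constructed JSON-lines records. "ImageSigner" is an ASSUMED enrichment field
# (signer of the host process); it is not a native Sysmon Event ID 7 field.
SAMPLE_EVENTS = r"""
{"Image": "C:\\Users\\alice\\Downloads\\TestDisk-Setup\\setup.exe", "ImageSigner": "Microsoft Windows", "ImageLoaded": "C:\\Users\\alice\\Downloads\\TestDisk-Setup\\autorun.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
{"Image": "C:\\Windows\\System32\\svchost.exe", "ImageSigner": "Microsoft Windows", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"Image": "C:\\Program Files\\Vendor\\app.exe", "ImageSigner": "Vendor Corp", "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
{"Image": "C:\\Windows\\System32\\rundll32.exe", "ImageSigner": "Microsoft Windows", "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\Foo\\foo.dll", "Signed": "true", "Signature": "Foo Software", "SignatureStatus": "Valid"}
"""

# Path fragments a non-admin user can write to. A Microsoft-signed process
# loading a non-Microsoft DLL from one of these is the classic side-load shape.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\temp\\", "\\appdata\\", "\\users\\public\\")


def load_events(jsonl: str) -> list:
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def _ms_signed_dll(ev: dict) -> bool:
    """True when Sysmon reports the loaded image as validly Microsoft-signed."""
    return (ev.get("Signed", "").lower() == "true"
            and ev.get("SignatureStatus") == "Valid"
            and "microsoft" in ev.get("Signature", "").lower())


def _ms_signed_host(ev: dict) -> bool:
    """True when the (assumed) enrichment says the host process is Microsoft-signed."""
    return "microsoft" in ev.get("ImageSigner", "").lower()


def _user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def find_sideloads(events: list) -> list:
    """Return flagged loads with the reasons each one matched."""
    hits = []
    for ev in events:
        exe = PureWindowsPath(ev["Image"])
        dll = PureWindowsPath(ev["ImageLoaded"])
        if dll.suffix.lower() != ".dll":
            continue
        # Only a Microsoft-signed host loading a non-Microsoft DLL is of interest.
        if not _ms_signed_host(ev) or _ms_signed_dll(ev):
            continue
        reasons = []
        if dll.parent == exe.parent:  # PureWindowsPath compares case-insensitively
            reasons.append("DLL loaded from the host executable's own directory")
        if _user_writable(str(dll)):
            reasons.append("DLL resides in a user-writable location")
        if reasons:
            hits.append({
                "Image": str(exe),
                "ImageLoaded": str(dll),
                "Signature": ev.get("Signature") or "<unsigned>",
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in find_sideloads(load_events(SAMPLE_EVENTS)):
        print(f"{hit['Image']} -> {hit['ImageLoaded']} ({hit['Signature']}): "
              + "; ".join(hit["reasons"]))
```

In the constructed sample, only the setup.exe/autorun.dll pair and the rundll32.exe load from AppData are flagged; the svchost.exe load is Microsoft-signed on both sides, and the Vendor Corp application is excluded because its host is not Microsoft-signed, which keeps the rule narrow at the cost of missing side-loads against third-party signed hosts. The user-writable check goes beyond the same-directory case in the article so that a signed system binary pulling a DLL out of a profile directory is also surfaced.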
