

Ethical Hacking News

Hackers hijack legitimate remote access software to distribute malware




Hackers have hijacked a popular remote monitoring and management (RMM) product by abusing the Authenticode signing mechanism. Threat actors used this technique to create malicious versions of the software that give them unauthorized access to infected systems. By modifying the file's Authenticode certificate table, attackers can inject malicious configuration data without invalidating its digital signature. The first samples of this malware were found in online forums, and researchers discovered significant modifications to the legitimate software, including a changed window title and a replaced background image. ConnectWise has revoked the certificate used in these malicious binaries, but users are advised to prioritize patch management, exercise caution when downloading and installing software from untrusted sources, and seek professional assistance if they suspect their systems have been compromised.



  • Hackers exploit Microsoft's Authenticode signing mechanism to compromise legitimate remote access software.
  • Malicious ConnectWise ScreenConnect installers are created with modified Authenticode certificate tables, injecting malicious configuration data into the file.
  • Threat actors use phishing campaigns to trick victims into downloading and installing these malicious installers.
  • The malware connects to an attacker-controlled server, establishing a persistent backdoor on infected systems.
  • The attackers modify legitimate ScreenConnect client behavior, including changing its title and background, to deceive users.
  • ConnectWise has revoked the certificate used in these malicious binaries, but users are advised to exercise extreme caution when downloading software from untrusted sources.
  • Prioritizing patch management, using reputable antivirus software, and exercising vigilance against suspicious emails or requests can help prevent such attacks.



  • Hackers have found a novel way to compromise legitimate remote access software by exploiting the Authenticode signing mechanism used by Microsoft. This technique, known as "Authenticode stuffing," allows attackers to insert malicious configuration data into the digital signature of a software file without affecting its integrity.

    ConnectWise ScreenConnect is a popular remote monitoring and management (RMM) software that provides IT administrators and managed service providers with tools to troubleshoot devices remotely. The software's installer can be customized to include settings such as the remote server the client should connect to, text displayed in dialog boxes, and logos to be shown.

    Threat actors have exploited this customization feature to create malicious versions of the ScreenConnect installer that can be used to gain unauthorized access to infected systems. By modifying the certificate table that carries the Authenticode signature, attackers can inject malicious configuration data into the file without invalidating its digital signature, because the signed hash does not cover that table.

    One such example was discovered by cybersecurity firm G DATA, which observed malicious ConnectWise binaries with identical hash values across all file sections except for the certificate table. The only difference between these files and their legitimate counterparts was a modified certificate table containing new malicious configuration information.
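The observation above (identical hashes everywhere except the certificate table) follows from how Authenticode hashes a PE file: the CheckSum field, the Security data-directory entry and the certificate table it points at are all skipped. The script below is an added example, not code from G DATA, ConnectWise or the article. It builds a constructed PE32+ image (no real signature material), computes a simplified signature-invariant digest, and flags bytes inside the WIN_CERTIFICATE entry that lie past the end of the DER-encoded PKCS#7 blob it carries. FAKE_PKCS7, STUFFED_CONFIG, the relay.example.invalid hostname and the section bytes are all constructed.

```python
"""Authenticode-stuffing demonstration (added example; constructed data only).

The digest below is simplified: it hashes the file in place instead of ordering
sections by PointerToRawData as the specification does, which is enough to show
that edits inside the certificate table do not move the signed hash.
"""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # PE/COFF data-directory index of the certificate table
WIN_CERT_HEADER = struct.Struct("<IHH")  # dwLength, wRevision, wCertificateType


def _pe_layout(data):
    """Locate the Authenticode-excluded regions: (checksum_off, secdir_off, cert_off, cert_len)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                        # PE32
        datadir = opt + 96
    elif magic == 0x20B:                      # PE32+
        datadir = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum_off = opt + 64                   # CheckSum sits at the same offset in both formats
    secdir_off = datadir + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_len = struct.unpack_from("<II", data, secdir_off)
    return checksum_off, secdir_off, cert_off, cert_len


def authenticode_digest(data, algo="sha256"):
    """Hash everything except the checksum, the security directory entry and the cert table."""
    checksum_off, secdir_off, cert_off, cert_len = _pe_layout(data)
    h = hashlib.new(algo)
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:secdir_off])
    if cert_len:
        h.update(data[secdir_off + 8:cert_off])
        h.update(data[cert_off + cert_len:])  # any data trailing the certificate table
    else:
        h.update(data[secdir_off + 8:])
    return h.hexdigest()


def _der_total_length(buf):
    """Length of the DER SEQUENCE at buf[0], header included (short and long length forms)."""
    if not buf or buf[0] != 0x30:
        raise ValueError("certificate body does not start with a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def cert_table_slack(data):
    """Bytes in the WIN_CERTIFICATE entry past its PKCS#7 blob; None if unsigned.
    Up to 7 bytes is normal 8-byte alignment padding; more is a stuffing indicator."""
    _, _, cert_off, cert_len = _pe_layout(data)
    if cert_len == 0:
        return None
    dw_length, _rev, _ctype = WIN_CERT_HEADER.unpack_from(data, cert_off)
    body = data[cert_off + WIN_CERT_HEADER.size:cert_off + dw_length]
    return len(body) - _der_total_length(body)


def looks_stuffed(data):
    slack = cert_table_slack(data)
    return slack is not None and slack >= 8


# --- constructed sample data: not a real binary, not real signature material ---
FAKE_PKCS7 = b"\x30\x82\x01\x00" + bytes(256)   # 260-byte DER SEQUENCE standing in for SignedData
STUFFED_CONFIG = b"CONSTRUCTED-STUFFED-CONFIG relay=relay.example.invalid"


def build_fake_pe(cert_body):
    """Build a minimal PE32+ image whose certificate table carries cert_body (constructed)."""
    opt_size, size_of_headers = 240, 512
    section = bytes(range(256)) * 2             # 512 bytes of constructed section data
    cert_off = size_of_headers + len(section)
    pad = (-(WIN_CERT_HEADER.size + len(cert_body))) % 8
    cert_len = WIN_CERT_HEADER.size + len(cert_body) + pad
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 60, size_of_headers)             # SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, cert_len)
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(section), 0x1000, len(section),
                                        size_of_headers, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    headers += bytes(size_of_headers - len(headers))
    win_cert = WIN_CERT_HEADER.pack(cert_len, 0x0200, 0x0002) + cert_body + bytes(pad)
    return headers + section + win_cert


LEGIT = build_fake_pe(FAKE_PKCS7)
STUFFED = build_fake_pe(FAKE_PKCS7 + STUFFED_CONFIG)

if __name__ == "__main__":
    for name, blob in (("legit", LEGIT), ("stuffed", STUFFED)):
        print(name, "sha256:", hashlib.sha256(blob).hexdigest()[:16],
              "authenticode:", authenticode_digest(blob)[:16],
              "slack:", cert_table_slack(blob), "stuffed:", looks_stuffed(blob))
```

Run against the two constructed images, the plain SHA-256 values differ while the signature-invariant digests match, which is exactly the pattern G DATA describes. The slack check is a triage heuristic rather than proof of tampering: some signers legitimately pad or nest data in the certificate table, so a hit is best confirmed by comparing the file's signature-invariant digest with the vendor's known-good installer.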

    The first samples of this malware were found in online forums, where users reported being infected after falling victim to phishing attacks that utilized PDFs or intermediary Canva pages linked to executables hosted on Cloudflare's R2 servers. The attackers used these phishing campaigns to trick victims into downloading and installing the malicious ScreenConnect installer.

    Upon installation, the malware was discovered to connect to an attacker-controlled server at IP address 86.38.225.6:8041 (relay.rachael-and-aidan.co.uk). This behavior is indicative of a backdoor, which allows attackers to establish a persistent connection to the infected system without requiring user interaction.

    Researchers at G DATA also found significant modifications made to the legitimate ScreenConnect client, including changing its title to "Windows Update" and replacing its background with a fake Windows Update image. These changes are designed to deceive users into believing that the software is legitimate and necessary for their systems.

    As a result of these findings, ConnectWise has revoked the certificate used in these malicious binaries, and G DATA is now flagging them as Win32.Backdoor.EvilConwi.* and Win32.Riskware.SilentConwi.*. Despite initial attempts to notify ConnectWise about this campaign, the firm did not respond.

    This incident highlights the ongoing threat posed by sophisticated attackers who can exploit legitimate software features to distribute malware. It also underscores the importance of vigilance in the face of phishing attacks and the need for users to be cautious when downloading and installing software from untrusted sources.

    In light of these findings, it is essential for IT teams to prioritize patch management and ensure that their systems are up-to-date with the latest security patches. Additionally, users should exercise extreme caution when receiving unsolicited emails or download requests, even when they appear to come from a legitimate source.

    Moreover, the use of reputable antivirus software can help detect and prevent such malware from running on infected systems. Users who have already fallen victim to this attack are advised to immediately disconnect from the internet and seek professional assistance to remove the malicious software and restore their systems to a safe state.

    In conclusion, hackers have successfully exploited the Authenticode signing mechanism in legitimate remote access software to distribute malware, highlighting the need for increased vigilance and improved cybersecurity practices among IT professionals and users alike.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Hackers-hijack-legitimate-remote-access-software-to-distribute-malware-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/hackers-turn-screenconnect-into-malware-using-authenticode-stuffing/


  • Published: Wed Jun 25 18:18:16 2025 by llama3.2 3B Q4_K_M













    © Ethical Hacking News. All rights reserved.