Operation SilentCanvas: JPEG File Deploys Trojanized ScreenConnect Malware
Severity: High (Score: 64.5)
Sources: Gbhackers, Cyfirma, Cybersecuritynews
Summary
A multi-stage intrusion campaign has been identified that uses a weaponized file named sysupdate.jpeg to deliver a trojanized build of ConnectWise ScreenConnect. The attack likely begins with social engineering, such as phishing emails carrying malicious attachments. Upon execution, the malware creates a staging environment, downloads additional payloads, and uses evasion techniques to avoid detection. It employs a custom launcher compiled with Microsoft's .NET C# compiler (csc.exe) and abuses Windows components for privilege escalation. The result is remote access, credential theft, and long-term persistence on compromised hosts. Affected systems are Windows environments, where the malware blends its activity with that of legitimate remote-support software. The campaign highlights the risk posed by seemingly innocuous file types and the need for stronger defensive measures against such threats.
Key Points:
• The attack leverages a weaponized JPEG file to deliver malware.
• The malware enables remote access and credential theft on Windows systems.
• The campaign uses evasion techniques to bypass detection.
Key Entities
- Malware (attack_type)
- Phishing (attack_type)
- Trojan (attack_type)
- Operation SilentCanvas (campaign)
- legitserver.theworkpc.com (domain)
- 45.138.16.64 (ipv4)
- ScreenConnect (tool)
- Csc.exe (tool)
- PowerShell (tool)
- 7DD05336097E5A833F03A63D3221494F (md5)
- T1003 - OS Credential Dumping (mitre_attack)
- T1021 - Remote Services (mitre_attack)
- T1059.001 - PowerShell (mitre_attack)
- T1071 - Application Layer Protocol (mitre_attack)
- T1105 - Ingress Tool Transfer (mitre_attack)
- Windows (platform)
- A635F0C94C98B658AE799978994F0D0A292567CD97B8A19068A8423D1297652A (sha256)
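The following triage script is an added example for defenders; it is not code from any of the cited sources. It matches file hashes and network observables against the indicators listed above, and it flags files that carry a .jpeg/.jpg extension but do not start with the JPEG SOI marker, which is a general heuristic for extension/content mismatch: the report does not state what sysupdate.jpeg actually contains, so treating the mismatch as suspicious rather than as proof of this specific sample is an assumption. All sample files and log lines in the block are constructed.

```python
"""IoC triage for the SilentCanvas indicators published in this report.

Two defender-side checks:
1. A file named as a JPEG whose bytes do not begin with the JPEG SOI marker
   (FF D8 FF) is reported as an extension/content mismatch (heuristic).
2. File hashes and DNS/proxy tokens are matched against the report's IoCs.
"""
import hashlib
from pathlib import Path

# Indicators taken from the report above (normalised to lower case).
IOC_MD5 = {"7dd05336097e5a833f03a63d3221494f"}
IOC_SHA256 = {"a635f0c94c98b658ae799978994f0d0a292567cd97b8a19068a8423d1297652a"}
IOC_DOMAINS = {"legitserver.theworkpc.com"}
IOC_IPS = {"45.138.16.64"}

JPEG_SOI = b"\xff\xd8\xff"          # Start Of Image marker every JPEG begins with
IMAGE_EXTS = {".jpeg", ".jpg"}

MISMATCH = "extension/content mismatch: named as JPEG but no SOI marker"
HASH_HIT = "hash matches published IoC"


def hash_bytes(data: bytes):
    """Return (md5, sha256) hex digests of a file's contents."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def check_file(name: str, data: bytes):
    """Return a list of findings for one file (empty list means nothing matched)."""
    findings = []
    ext = Path(name).suffix.lower()
    if ext in IMAGE_EXTS and not data.startswith(JPEG_SOI):
        findings.append(MISMATCH)
    md5, sha256 = hash_bytes(data)
    if md5 in IOC_MD5 or sha256 in IOC_SHA256:
        findings.append(HASH_HIT)
    return findings


def check_network(line: str):
    """Return [(kind, indicator), ...] for IoC domains/IPs seen in a log line.

    Tokens are lower-cased, trailing punctuation (e.g. the trailing dot of a
    DNS FQDN) is stripped, and a ':port' suffix is removed before matching.
    """
    hits = []
    for token in line.split():
        base = token.lower().rstrip(".,;")
        for cand in (base, base.split(":")[0]):
            if cand in IOC_DOMAINS and ("domain", cand) not in hits:
                hits.append(("domain", cand))
            if cand in IOC_IPS and ("ip", cand) not in hits:
                hits.append(("ip", cand))
    return hits


if __name__ == "__main__":
    # Constructed samples: a PE-looking blob named as an image, a real JPEG
    # header, and three synthetic DNS/proxy records.
    samples = {
        "sysupdate.jpeg": b"MZ\x90\x00" + bytes(16),
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    }
    for name, data in samples.items():
        print(name, check_file(name, data))
    log_lines = [
        "2025-01-01T12:00:00Z ws01 dns-query legitserver.theworkpc.com. A",
        "2025-01-01T12:00:05Z ws01 tcp 10.0.0.5:51234 -> 45.138.16.64:443",
        "2025-01-01T12:00:09Z ws01 tcp 10.0.0.5:51235 -> 93.184.216.34:443",
    ]
    for line in log_lines:
        print(check_network(line))
```

Hash matches are definitive for the published sample; the SOI heuristic only says the file is not the image its name claims and should be inspected, since legitimate files are occasionally misnamed as well.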