Cybercriminals are leveraging ConnectWise ScreenConnect installers to spread remote access malware by manipulating hidden configuration data embedded in the file’s digital signature.
This method, known as Authenticode stuffing, involves altering the certificate table within the signed installer without breaking its valid digital signature. G DATA researchers found that attackers used this trick to modify the ScreenConnect client so that it secretly connects to their command-and-control servers, with fake Windows Update visuals and labels used to disguise the malware.
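The following is an added example, not code from the article or from G DATA or ConnectWise. It shows one defender-side check for the technique described above: Authenticode verification covers the DER-encoded PKCS#7 SignedData blob, but the WIN_CERTIFICATE entry in a PE file's certificate table can carry extra bytes after that blob which the signature check never looks at. The script locates the certificate table through the security data directory, parses each WIN_CERTIFICATE entry, measures the real DER length of the embedded PKCS#7 structure, and reports any trailing "slack" bytes. The PKCS#7 blob, the stuffed payload (`STUFFED-CONFIG-PLACEHOLDER`) and the helper that assembles entries are all constructed here for the demonstration; the field layouts and the `read_cert_table` walk follow the documented PE format. Trailing bytes are a signal worth inspecting, not proof of tampering on their own, since short padding is common.

```python
import struct

# Constants from the PE/Authenticode specification.
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
IMAGE_DIRECTORY_ENTRY_SECURITY = 4

def der_total_length(blob: bytes) -> int:
    """Return header + content length of the first DER SEQUENCE in blob."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("expected a DER SEQUENCE (PKCS#7 SignedData)")
    first = blob[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def read_cert_table(pe: bytes) -> bytes:
    """Extract the raw certificate table from a PE image via the security data directory."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 4 + 20               # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                    # PE32
        dd_base = opt + 96
    elif magic == 0x20B:                  # PE32+
        dd_base = opt + 112
    else:
        raise ValueError("unknown optional header magic")
    # The security directory holds a file offset (not an RVA) and a size.
    offset, size = struct.unpack_from("<II", pe, dd_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8)
    return pe[offset:offset + size] if size else b""

def find_cert_table_slack(cert_table: bytes):
    """Walk WIN_CERTIFICATE entries and report bytes that sit after the DER PKCS#7 blob."""
    results = []
    off = 0
    while off + 8 <= len(cert_table):
        length, revision, ctype = struct.unpack_from("<IHH", cert_table, off)
        if length < 8 or off + length > len(cert_table):
            raise ValueError("malformed WIN_CERTIFICATE entry")
        body = cert_table[off + 8:off + length]
        pkcs7_len = der_total_length(body)
        slack = body[pkcs7_len:]          # unauthenticated trailing data, if any
        results.append({
            "revision": revision,
            "type": ctype,
            "pkcs7_len": pkcs7_len,
            "slack_len": len(slack),
            "slack": slack,
        })
        off += (length + 7) & ~7          # entries are 8-byte aligned
    return results

def build_win_certificate(pkcs7: bytes, extra: bytes = b"") -> bytes:
    """Constructed helper: wrap a blob (plus optional stuffed bytes) in a WIN_CERTIFICATE."""
    body = pkcs7 + extra
    entry = struct.pack("<IHH", 8 + len(body), WIN_CERT_REVISION_2_0,
                        WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    return entry + b"\x00" * ((-len(entry)) % 8)

# Constructed stand-in for a PKCS#7 SignedData blob: a 300-byte DER SEQUENCE whose
# content starts with the signedData OID and is otherwise filler (not a real signature).
FAKE_PKCS7 = (b"\x30\x82" + (300).to_bytes(2, "big")
              + b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02" + b"\x00" * 289)
STUFFED_PAYLOAD = b"STUFFED-CONFIG-PLACEHOLDER"  # constructed marker, not a real config

def demo():
    table = (build_win_certificate(FAKE_PKCS7)
             + build_win_certificate(FAKE_PKCS7, STUFFED_PAYLOAD))
    return find_cert_table_slack(table)

if __name__ == "__main__":
    for i, entry in enumerate(demo()):
        verdict = "SUSPICIOUS: trailing data" if entry["slack_len"] else "clean"
        print(f"entry {i}: pkcs7={entry['pkcs7_len']} slack={entry['slack_len']} -> {verdict}")
```

To use this on a real file, pass `open(path, "rb").read()` to `read_cert_table` and feed the result to `find_cert_table_slack`; review the `slack` bytes of any entry that reports more than a handful of zero padding.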
These malicious versions were distributed via phishing campaigns using PDFs or Canva links, with payloads hosted on Cloudflare's R2 platform. Reports of infections surfaced on online forums, and one notable file connected victims to a UK-based malicious domain.
Although ConnectWise revoked the certificate after being notified, G DATA says it received no direct response from the company. In a related case, trojanized SonicWall VPN clients have also been observed stealing credentials, underscoring the importance of downloading software only from trusted sources.
