Malware & Ransomware · HIGH

Malware - SILENTCONNECT Delivers ScreenConnect Tool

Elastic Security Labs

Basically, SILENTCONNECT is malware that secretly installs a tool to control your computer.

Quick Summary

A new malware named SILENTCONNECT stealthily installs the ScreenConnect RMM tool on victims' machines. It primarily targets users through phishing emails, raising significant security concerns. Organizations must stay vigilant against such threats to protect their systems.

What Happened

Elastic Security Labs has uncovered a new malware loader named SILENTCONNECT. This multi-stage loader is designed to silently deploy the ScreenConnect remote monitoring and management (RMM) tool. The infection begins when a user is lured to a Cloudflare Turnstile CAPTCHA page disguised as a digital invitation. Clicking the link downloads a VBScript file to the machine, which starts the chain of events that ends in the installation of the malicious software.

The process starts with the execution of a VBScript that retrieves C# source code. This code is compiled and executed in memory using PowerShell. The final payload, ScreenConnect, allows attackers to gain hands-on access to victim machines, raising significant security concerns for organizations.

Who's Being Targeted

The SILENTCONNECT campaign primarily targets users through phishing emails. These emails often impersonate legitimate proposals, enticing recipients to click on malicious links. For instance, one email sample, titled "YOU ARE INVITED.eml", was found to be sent from a fake account, inviting users to submit proposals. This approach effectively lures victims into downloading the malware.

Additionally, the attackers abuse trusted hosting services such as Google Drive and Cloudflare to distribute their malicious payloads. Because these platforms are widely trusted, the download traffic blends in with legitimate use and is hard for security controls to block.

Signs of Infection

Victims of SILENTCONNECT may notice unusual behavior on their systems, such as unexpected installations or the presence of the ScreenConnect software. The malware employs various evasion techniques, including User Account Control (UAC) bypass and Process Environment Block (PEB) masquerading, to remain undetected. Security alerts may trigger when the initial VBScript is executed, but many users may overlook these warnings.

Organizations should be vigilant for signs of unauthorized RMM usage, as the presence of tools like ScreenConnect can indicate a compromised system. Regular audits and monitoring are essential to detect such infections early.
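The chain described above (a script host spawning PowerShell, C# compiled in memory, and a ScreenConnect client launched outside a sanctioned install) is what a detection would key on. The following is an added example, not code from Elastic's report: a small Python matcher run over constructed process-creation events; the in-memory compile markers and the approved RMM install roots are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events; not telemetry from the
# Elastic report. ws01 mirrors the described chain, ws02 is a sanctioned RMM.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\YOU ARE INVITED.vbs"'},
    {"host": "ws01", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "Add-Type -TypeDefinition $src"'},
    {"host": "ws01",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\ScreenConnect.ClientService.exe",
     "cmdline": "ScreenConnect.ClientService.exe"},
    {"host": "ws02", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (x)\ScreenConnect.ClientService.exe",
     "cmdline": "ScreenConnect.ClientService.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumed command-line markers of C# being compiled in memory by PowerShell.
COMPILE_RE = re.compile(r"add-type|csharpcodeprovider|compileassemblyfromsource", re.I)
# Assumed: where the helpdesk's sanctioned ScreenConnect client lives.
APPROVED_RMM_ROOTS = (r"c:\program files\screenconnect",
                      r"c:\program files (x86)\screenconnect")

def name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()

def detect(events):
    """Return (host, rule, image) for each event matching a SILENTCONNECT-style stage."""
    findings = []
    for e in events:
        parent, image, cmd = name(e["parent"]), name(e["image"]), e["cmdline"]
        if parent in SCRIPT_HOSTS and image in POWERSHELL:
            findings.append((e["host"], "script_host_spawned_powershell", e["image"]))
        if image in POWERSHELL and COMPILE_RE.search(cmd):
            findings.append((e["host"], "powershell_inmemory_csharp_compile", e["image"]))
        if image.startswith("screenconnect"):
            spawned_by_script = parent in (SCRIPT_HOSTS | POWERSHELL)
            if spawned_by_script or not e["image"].lower().startswith(APPROVED_RMM_ROOTS):
                findings.append((e["host"], "unsanctioned_rmm_client", e["image"]))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
```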

How to Protect Yourself

To safeguard against SILENTCONNECT and similar malware, users should adopt several best practices:

  • Be cautious with email invitations: Verify the sender's identity and avoid clicking on suspicious links.
  • Implement security software: Use comprehensive security solutions that can detect and block malware before it executes.
  • Educate employees: Regular training on recognizing phishing attempts can greatly reduce the risk of infection.
  • Monitor network traffic: Keep an eye on connections to known malicious domains or unusual traffic patterns.

By staying informed and proactive, individuals and organizations can better protect themselves against the evolving threat landscape posed by malware like SILENTCONNECT.

🔒 Pro insight: SILENTCONNECT's use of trusted platforms for payload delivery highlights the need for advanced detection mechanisms in enterprise environments.

Original article from

Elastic Security Labs

