Hackers have used a popular remote access tool to sneak malware onto PCs by hiding code inside its digital signature.
Ever the innovators, a gang of cybercriminals have found a way to turn ScreenConnect into a dangerous weapon. Typically used by IT professionals for remote support, ScreenConnect has been repurposed for nefarious means by hackers. By tampering with the tool’s digital signature, they’ve managed to stealthily include malicious code within the tool. And the manner in which they’ve executed this has allowed their tampered version of ScreenConnect to pass security checks.
Remote support tools are crucial in IT support and your business is likely to use similar software to ScreenConnect. Therefore, it’s vital that you understand how ScreenConnect was hacked.
How Did a Trusted App Become a Cyber Threat?
One of the features of ScreenConnect is that it allows organizations to customize their installer by including connection details. This ensures that information such as a support server address or company logo can be included, without any need to re-sign the file. A technique known as Authenticode stuffing is used to achieve this: the extra information is appended to the app’s digital certificate area, where it does not affect the signature’s validity. Usually, this poses few problems. However, in the case of this attack, the tool’s signature appears valid but the certificate area contains malicious code.
The hackers behind the ScreenConnect attack have exploited Authenticode stuffing to inject their malware into the app’s certificate area. To the average PC user, ScreenConnect will appear to be working as it should. Underneath the surface, though, ScreenConnect is connecting to remote services controlled by the attackers. And none of this is picked up by antivirus tools – the app is verified as trustworthy because the signature is intact.
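The stuffing described above works because Windows only verifies the signed PKCS#7 structure, not any bytes appended after it inside the signature directory. The following check, an added example that is not part of the original article or the ScreenConnect product, measures how many bytes in a PE file’s security directory lie beyond the end of that DER SEQUENCE; the toy PE it builds for testing (`build_sample_pe`, with a placeholder 5-byte SEQUENCE standing in for a real SignedData) is a constructed sample, not a real signed binary.

```python
"""Added example: flag Authenticode 'stuffing' by measuring data past the PKCS#7 blob."""
import struct

WIN_CERT_HEADER = struct.Struct("<IHH")   # dwLength, wRevision, wCertificateType

def der_sequence_length(blob: bytes) -> int:
    """Total size of the outer DER SEQUENCE (the PKCS#7 SignedData) starting at blob[0]."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("signature does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def stuffed_bytes(win_cert: bytes) -> int:
    """Bytes in bCertificate past the PKCS#7 data; trailing zeros count as 8-byte alignment padding."""
    dw_length, _revision, _cert_type = WIN_CERT_HEADER.unpack_from(win_cert)
    body = win_cert[WIN_CERT_HEADER.size:dw_length]
    extra = body[der_sequence_length(body):]
    return len(extra.rstrip(b"\x00"))

def security_directory(pe: bytes) -> tuple:
    """(raw file offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY, data directory entry 4."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                    # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)   # data directories start: PE32 vs PE32+
    return struct.unpack_from("<II", pe, dirs + 4 * 8)

def stuffed_bytes_in_pe(pe: bytes) -> int:
    offset, size = security_directory(pe)
    if size == 0:
        return 0                           # unsigned image: nothing to stuff into
    return stuffed_bytes(pe[offset:offset + size])

def build_sample_pe(stuffing: bytes) -> bytes:
    """Constructed toy PE32+ (headers only) with a placeholder SEQUENCE followed by `stuffing`."""
    body = bytes([0x30, 0x03, 0x02, 0x01, 0x05]) + stuffing
    body += b"\x00" * (-len(body) % 8)     # pad to 8 bytes, as signtool does
    win_cert = WIN_CERT_HEADER.pack(WIN_CERT_HEADER.size + len(body), 0x0200, 0x0002) + body
    header_size = 0x40 + 4 + 20 + 112 + 16 * 8   # DOS stub, PE sig, COFF, PE32+ opt, 16 dirs
    pe = bytearray(header_size)
    struct.pack_into("<I", pe, 0x3C, 0x40)
    pe[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", pe, 0x40 + 24, 0x20B)
    struct.pack_into("<II", pe, 0x40 + 24 + 112 + 4 * 8, header_size, len(win_cert))
    return bytes(pe) + win_cert
```

A non-zero result from `stuffed_bytes_in_pe` on a file whose signature still verifies is exactly the pattern this article describes, and is worth alerting on before the installer is allowed to run.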
The attack used numerous phishing campaigns to target victims. Links were emailed out which appeared to be related to PDFs or Canva pages. But, when clicked, these links downloaded an executable titled “Request for Proposal.exe” which contained zero proposals. Instead, it installed the modified and malicious version of ScreenConnect. And this is how hackers gained remote access to the victims’ PCs. To avoid raising suspicion, the malware even displayed a fake Windows Update screen. While users thought their computer was updating, the attackers were taking control of their PC behind the scenes. This allowed them to view files, monitor activity, and install further malware.
What You Can Start Doing Today to Stay Safe
It’s important to protect the security of your IT infrastructure, so handing remote access over to cybercriminals is the last thing you want to do. Luckily, Ophtek are here to provide you with three simple ways to keep your networks safe:
- Only Download from Trusted Sources: If you ever need to download remote support tools, always head straight for the official website. Links contained within emails or PDFs should never be trusted as they could easily start downloading malware.
- Be Suspicious of Popups: If a popup screen appears – such as a Windows Update one – this should ring alarm bells, especially if you haven’t been pre-warned that an update is due. In these cases, immediately disconnect the PC from the internet and contact an IT professional.
- Look Out for Suspicious Activity: After installing new software, always keep an eye out for unusual activity on your PC. If, for example, you notice your mouse moving when you’re not touching it, or programs opening and closing in the background, investigate immediately.
For more ways to secure and optimize your business technology, contact your local IT professionals.