ScreenConnect Hijacking: Hackers Exploit Fake Social Security Emails to Control PCs


Cyberattacks Targeting Organizations in the UK, US, Canada, and Northern Ireland

A recent wave of cyberattacks has been targeting organizations in the UK, US, Canada, and Northern Ireland, using a technique that bypasses built-in Windows protections and gives the attackers full control of the victim's computer.

Attack Technique

The attackers are impersonating the US Social Security Administration (SSA) and using fake emails to trick victims into opening malicious attachments.

The attack begins with an email that appears to be from the SSA, but contains red flags such as a fake domain name (SSA.COM) and a misspelling of the word “Statement” as “eStatemet”.
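The two red flags named above, a non-government sender domain and a misspelled brand word, plus the script attachment that follows, can be turned into a simple triage check. The following is an added example (not code from the original article or from any vendor mentioned in it); the sample message is constructed, the attachment filename and `.js` extension are assumptions, and the legitimate `ssa.gov` domain is used as the reference the sender must match. The lookalike-word check generalizes the `eStatemet` case by flagging any word one edit away from a known brand word.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# The real SSA domain; a message claiming to be from the agency should come from here.
LEGITIMATE_SSA_DOMAIN = "ssa.gov"
# Attachment types Windows executes as scripts when double-clicked.
SCRIPT_EXTENSIONS = {".ps1", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".bat", ".cmd", ".hta"}
# Brand words a lure impersonating the SSA is likely to (mis)spell.
BRAND_WORDS = {"statement", "estatement", "security", "administration"}


def build_sample_email() -> str:
    """Constructed lure modelled on the article: fake SSA.COM sender, 'eStatemet' typo,
    script attachment. The filename and extension are assumptions."""
    msg = EmailMessage()
    msg["From"] = "Social Security Administration <no-reply@ssa.com>"
    msg["To"] = "payroll@example.org"
    msg["Subject"] = "Your Social Security eStatemet is now available"
    msg.set_content("Your new statement is ready. Open the attached file to review it.")
    msg.add_attachment(b"inert placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="SSA_eStatemet.js")
    return msg.as_string()


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch near-miss spellings of brand words."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_words(text: str) -> set:
    """Words that are exactly one edit away from a brand word but are not that word (or its plural)."""
    flagged = set()
    for word in re.findall(r"[A-Za-z]{6,}", text):
        w = word.lower()
        singular = w[:-1] if w.endswith("s") else w
        if w in BRAND_WORDS or singular in BRAND_WORDS:
            continue
        if any(levenshtein(w, brand) == 1 for brand in BRAND_WORDS):
            flagged.add(word)
    return flagged


def assess_email(raw: str) -> dict:
    """Return the red flags found in one RFC 822 message and a coarse verdict."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    subject = msg.get("Subject", "")
    body, attachments = "", []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachments.append(part.get_filename() or "")
        elif part.get_content_type() == "text/plain":
            body += part.get_content()
    text = " ".join([display_name, subject, body])

    # 1. Sender claims to be the SSA but the domain is not ssa.gov (or a subdomain of it).
    claims_ssa = "social security" in text.lower()
    if claims_ssa and domain != LEGITIMATE_SSA_DOMAIN and not domain.endswith("." + LEGITIMATE_SSA_DOMAIN):
        findings.append(f"sender claims SSA but domain is {domain!r}, not {LEGITIMATE_SSA_DOMAIN}")
    # 2. Misspelled brand words such as 'eStatemet'.
    for word in sorted(lookalike_words(text)):
        findings.append(f"misspelled brand word {word!r}")
    # 3. Attachments that run as scripts.
    for name in attachments:
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in SCRIPT_EXTENSIONS:
            findings.append(f"script attachment {name!r}")
    return {"suspicious": len(findings) >= 2, "findings": findings}


if __name__ == "__main__":
    for line in assess_email(build_sample_email())["findings"]:
        print("-", line)
```

Any one of these signals alone produces noise (plenty of legitimate mail has typos), so the verdict requires two of them; the domain mismatch combined with a script attachment is the pairing that should quarantine the message for review.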

If the victim opens the attached script, it begins to sabotage the computer’s defenses. The script uses a technique called PowerShell auto-elevation to gain administrator powers, and then kills Windows SmartScreen, the system that normally blocks suspicious apps from running.

Script Modifications

The script also modifies the computer’s registry to strip away the Mark-of-the-Web, a digital tag that Windows uses to identify files from the internet. Additionally, it uses Alternate Data Streams (ADS) to hide its tracks.

With these protections disabled, the attackers can install an MSI file without triggering any warnings on the screen.
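The steps above (elevated PowerShell, SmartScreen switched off, Mark-of-the-Web stripping via the registry, then a silent MSI install) form a chain that is much more specific than any single event in it. The detection below is an added example, not code from the article or from ConnectWise: it correlates Sysmon-style events per host inside a short window and alerts only when several stages appear together and at least one of them is a defense-evasion change. The log lines are constructed, the field names are assumptions modelled on Sysmon's ProcessCreate and RegistryEvent output, and the registry locations used are the standard Windows settings that govern SmartScreen (`SmartScreenEnabled`) and zone-information saving (`SaveZoneInformation`); the article does not state which exact keys this campaign touched. The explorer restart and the ScreenConnect service process described later in the article are included as additional stages.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events (JSON lines); paths, SIDs and filenames are made up.
SAMPLE_EVENTS = r"""
{"ts":"2025-05-02T09:14:03Z","host":"WS-0142","event":"ProcessCreate","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\jdoe\\Downloads\\SSA_eStatemet.ps1","integrity":"High"}
{"ts":"2025-05-02T09:14:05Z","host":"WS-0142","event":"RegistryValueSet","target":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SmartScreenEnabled","details":"Off"}
{"ts":"2025-05-02T09:14:06Z","host":"WS-0142","event":"RegistryValueSet","target":"HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments\\SaveZoneInformation","details":"DWORD (0x00000001)"}
{"ts":"2025-05-02T09:14:09Z","host":"WS-0142","event":"ProcessCreate","image":"C:\\Windows\\System32\\msiexec.exe","cmdline":"msiexec.exe /i C:\\Users\\jdoe\\AppData\\Local\\Temp\\support.msi /qn","integrity":"High"}
{"ts":"2025-05-02T09:14:31Z","host":"WS-0142","event":"ProcessCreate","image":"C:\\Windows\\System32\\taskkill.exe","cmdline":"taskkill /f /im explorer.exe","integrity":"High"}
{"ts":"2025-05-02T09:14:40Z","host":"WS-0142","event":"ProcessCreate","image":"C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\ScreenConnect.ClientService.exe","cmdline":"ScreenConnect.ClientService.exe","integrity":"System"}
{"ts":"2025-05-02T10:02:11Z","host":"WS-0200","event":"ProcessCreate","image":"C:\\Windows\\System32\\msiexec.exe","cmdline":"msiexec.exe /i C:\\Deploy\\office-update.msi /qn","integrity":"High"}
"""

WINDOW = timedelta(minutes=15)
# Stages that by themselves indicate tampering with Windows' download protections.
EVASION = {"smartscreen_disabled", "motw_stripped"}
USER_WRITABLE = re.compile(r"\\(Downloads|AppData\\Local\\Temp|Temp)\\", re.IGNORECASE)


def classify(ev: dict):
    """Map one event to a stage of the chain, or None if it is not of interest."""
    kind = ev.get("event")
    if kind == "RegistryValueSet":
        target = ev.get("target", "").lower()
        details = ev.get("details", "").lower()
        if target.endswith(r"\explorer\smartscreenenabled") and details == "off":
            return "smartscreen_disabled"
        # SaveZoneInformation = 1 tells Windows not to write the Zone.Identifier (MotW) stream.
        if target.endswith(r"\policies\attachments\savezoneinformation") and "0x00000001" in details:
            return "motw_stripped"
        return None
    if kind == "ProcessCreate":
        image = ev.get("image", "").lower()
        cmd = ev.get("cmdline", "")
        if image.endswith("\\powershell.exe") and ev.get("integrity") == "High" and USER_WRITABLE.search(cmd):
            return "elevated_powershell_from_user_dir"
        if image.endswith("\\msiexec.exe") and re.search(r"(?i)(^|\s)/i\s", cmd):
            return "msi_install"
        if image.endswith("\\taskkill.exe") and "explorer.exe" in cmd.lower():
            return "explorer_killed"
        if image.endswith("\\screenconnect.clientservice.exe"):
            return "screenconnect_client_started"
    return None


def parse_events(raw: str) -> list:
    events = []
    for line in raw.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["_ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(raw: str, window: timedelta = WINDOW, min_stages: int = 3) -> list:
    """One alert per host whose events show >= min_stages distinct stages, at least one
    of them defense evasion, inside a sliding time window."""
    by_host = defaultdict(list)
    for ev in parse_events(raw):
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((ev["_ts"], stage))
    alerts = []
    for host, hits in by_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            in_window = [(t, s) for t, s in hits[i:] if t - start <= window]
            stages = {s for _, s in in_window}
            if len(stages) >= min_stages and stages & EVASION:
                alerts.append({"host": host, "first_seen": start.isoformat(),
                               "last_seen": in_window[-1][0].isoformat(), "stages": sorted(stages)})
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert, indent=2))
```

The second host in the sample installs an MSI silently, which on its own is routine software deployment and produces no alert; the first host trips all six stages within forty seconds. Requiring an evasion stage in the set is what keeps a legitimate admin session (elevated PowerShell followed by an MSI) from firing.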

Remote Access Trojan (RAT)

The script installs a version of ConnectWise ScreenConnect, a legitimate remote-support tool used by IT departments, but here it is used as a Remote Access Trojan (RAT) to maintain a persistent backdoor into the network.

The software is hardcoded to call back to a specific server located in Iran, and uses a revoked security certificate to appear legitimate to some security tools.

Targeted Sectors

The attackers are specifically targeting high-value data sectors such as government, healthcare, and logistics, and are using the script to force a restart of the Windows Explorer process to ensure that the security changes take effect immediately.

Security Recommendations

This discovery highlights a growing trend of cybercriminals hijacking legitimate tools used by IT departments, rather than writing new malware. To stay protected, security experts recommend treating every unexpected government attachment as a potential threat to the network.

The attackers are using a version of ScreenConnect that is hardcoded to call back to a specific server located at dof-connecttop, which is hosted on the network of The Aria Shatel Company Ltd in Iran. The software is version 25.2.4.9229 and is signed with a certificate that has since been revoked. Because the signature is present even though the certificate is no longer valid, the malware appears legitimate to some security tools.
