- The attackers used a .jpeg file to deliver PowerShell payloads, used a ScreenConnect Trojan, and established persistence.
- The malware enables credential theft, encrypted C2 communications, and monitoring features.
- Cyfirma warns the campaign reflects a mature intrusion framework.
Be careful when downloading files from the internet, as even innocent .jpeg files can contain malware, experts have warned.
Security researchers Cyfirma have released a detailed report on a brand new hacking campaign they’ve dubbed “Operation SilentCanvas.” Although we don’t know the number of infections or the number of compromised victims, researchers said the campaign likely targets businesses and other organizations using remote administration tools.
The attack begins when the victim receives the weaponized .jpeg file. Again, we don’t know the exact delivery mechanism, but Cyfirma assumes that the file is delivered either via phishing emails containing malicious attachments, deceptive file sharing interactions, or fake software and updates.
“Professionally designed and operationally mature intrusion framework”
In any case, when the victim executes the file named “sysupdate.jpeg”, they are actually executing a malicious PowerShell payload that does a number of things: it downloads additional payloads from the attacker’s infrastructure; deploys a trojanized version of ConnectWise ScreenConnect for covert remote access; bypasses Windows security protections and elevates privileges by adding malicious registry entries; and establishes persistence through a fake Windows service named OneDriveServers.
The malware also enables encrypted communications with command and control (C2) infrastructure, steals credentials, and fingerprints the system. Other supported features include screenshot capture, microphone capture, and clipboard monitoring.
“The entire project reflects a professionally designed and operational intrusion framework capable of supporting long-term covert persistence, credential theft, lateral movement, corporate espionage, and potential deployment of ransomware in enterprise environments,” Cyfirma concluded, without naming the group, or even tying it to a specific country or region.
To defend against this campaign, defenders should keep an eye on commonly used Windows binaries such as csc.exe, cvtres.exe and ComputerDefaults.exe and, where possible, block them outright. Remote access platforms should be strictly monitored, and rules to detect suspicious PowerShell behavior should be in place.
Finally, any system that displays unexpected ScreenConnect activity should be shut down immediately.
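As an added illustration, not taken from Cyfirma's report or the article, the following PowerShell triage script checks a single Windows host for the indicators named above: the OneDriveServers service, ScreenConnect services or processes, and the three binaries being launched from PowerShell. The substring match on "ScreenConnect" and the reliance on Sysmon process-creation logging are assumptions.

```powershell
# Added triage script (not from Cyfirma's report): hunts one Windows host for the
# indicators the article names. Assumes Sysmon is installed and logging process
# creation (Event ID 1); without it the third check simply returns nothing.
$findings = @()

# 1. Persistence: the fake Windows service named OneDriveServers.
$svc = Get-CimInstance Win32_Service -Filter "Name='OneDriveServers' OR DisplayName='OneDriveServers'"
foreach ($s in $svc) {
    $findings += "Suspicious service '$($s.Name)' -> $($s.PathName) (state: $($s.State))"
}

# 2. Remote access: any ScreenConnect service or process on a host that should
#    not have one. Matching on the name substring is an assumption, not an IoC.
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -match 'ScreenConnect' -or $_.PathName -match 'ScreenConnect' } |
    ForEach-Object { $findings += "ScreenConnect service '$($_.Name)' -> $($_.PathName)" }
Get-Process | Where-Object { $_.ProcessName -match 'ScreenConnect' } |
    ForEach-Object { $findings += "ScreenConnect process PID $($_.Id): $($_.Path)" }

# 3. Living-off-the-land binaries: csc.exe, cvtres.exe or ComputerDefaults.exe
#    spawned by PowerShell in the last 7 days, from Sysmon process-creation events.
$lolbins = 'csc.exe', 'cvtres.exe', 'ComputerDefaults.exe'
$filter  = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddDays(-7) }
$events  = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
foreach ($ev in $events) {
    # Flatten the EventData <Data Name="..."> elements into a name -> value table.
    $data = @{}
    ([xml]$ev.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    if (-not $data['Image'] -or -not $data['ParentImage']) { continue }
    $image  = Split-Path -Leaf $data['Image']
    $parent = Split-Path -Leaf $data['ParentImage']
    # -contains compares strings case-insensitively, so CSC.EXE also matches.
    if ($lolbins -contains $image -and $parent -match '^(powershell|pwsh)\.exe$') {
        $findings += "$($ev.TimeCreated): $parent spawned $image -> $($data['CommandLine'])"
    }
}

if ($findings.Count -eq 0) { "No SilentCanvas indicators found on $env:COMPUTERNAME" }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it in an elevated session, since reading the Sysmon operational log and enumerating all services requires administrator rights.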
