Threat Actors Exploit ConnectWise Configuration to Create Signed Malware

Threat actors have increasingly exploited vulnerabilities and configuration features in ConnectWise software to distribute signed malware that masquerades as legitimate applications.

Initially observed in February 2024 with ransomware attacks linked to vulnerabilities CVE-2024-1708 and CVE-2024-1709, the abuse escalated by March 2025 under the moniker “EvilConwi”.

This new wave of attacks leverages ConnectWise’s ScreenConnect tool, manipulating its certificate table via Authenticode stuffing, a technique that allows the certificate table of a signed executable to be modified without invalidating its signature.

[Figure: output of the AuthenticodeLint tool]

Developers often use this method benignly, for minor updates, but malicious entities have hijacked it to embed custom configurations, producing remote access malware that mimics trusted software such as Zoom or Adobe, or even a Windows update, so that users unknowingly grant access to their systems.

A Rising Wave of Remote Access Threats

The infection often begins with phishing emails or deceptive advertisements on platforms like Facebook, directing victims to malicious sites or links on services like OneDrive and Canva.

These links prompt users to download ConnectWise installers disguised as innocuous files, which then display fake Windows update screens or exhibit erratic mouse behavior, as reported on forums like BleepingComputer and Reddit.

A deeper technical analysis reveals that attackers abuse unauthenticated attributes in the certificate table of ConnectWise samples to store launch parameters, connection URLs, ports, icons, and even custom messages or background images.

These configurations can disable visible indicators such as tray icons or connection notifications, ensuring the remote connection remains hidden while attackers operate undetected.

[Figure: fake Windows update messages in a config file]

For instance, specific samples have been found to override application titles and icons with Google Chrome imagery or fake update notifications, tricking users into keeping their systems online during exploitation.

Technical Misuse

Comparing ConnectWise samples with tools such as PortexAnalyzer and AuthenticodeLint shows that the files differ solely in the certificate table, confirming Authenticode stuffing as the primary vector for customization.

According to the G DATA report, this misuse poses a significant challenge because the embedded settings directly influence the software’s behavior, allowing threat actors to craft highly convincing malware signed by a trusted entity.

Cybersecurity experts have noted that settings such as “ShowBalloonOnConnect” or “HideWallpaperOnConnect” in files like app.config are often changed so that no alert is shown, rendering the connection invisible to users.

In response, defenders are urged to implement strict detection rules, such as YARA signatures targeting these suspicious configurations, and to monitor for fake icons or titles embedded in .NET resources.
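As an added illustration of the technique described above (data smuggled into the Authenticode certificate table) and of the detection advice, the following Python script was written for this article; it is not G DATA’s, ConnectWise’s or any vendor’s code, and it is not a YARA rule. It locates the security data directory of a PE file, reads the first WIN_CERTIFICATE entry, and flags two signs of stuffing: bytes appended after the end of the PKCS#7 SignedData structure, and the ScreenConnect configuration keys named in this article appearing anywhere in the table, which also catches data parked in unauthenticated attributes without needing a full ASN.1 parser. The minimal PE image and the stuffed configuration text are constructed inline for the demonstration, and the marker list is an assumption of the example.

```python
import struct

# Configuration keys the article names as being toggled in the embedded
# ScreenConnect settings. Searching for them inside the certificate table is a
# heuristic constructed for this example, not a vendor signature.
CONFIG_MARKERS = (b"ShowBalloonOnConnect", b"HideWallpaperOnConnect")

# Constructed sample of stuffed configuration text (not taken from a real sample).
STUFFED_CONFIG = b'<add key="ShowBalloonOnConnect" value="false" />'


def security_directory(pe: bytes):
    """Return (file_offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY (index 4).
    Unlike other data directories, this entry holds a file offset, not an RVA."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt_off = e_lfanew + 4 + 20                 # skip PE signature and COFF header
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    if magic == 0x10B:                          # PE32
        dd_off = opt_off + 96
    elif magic == 0x20B:                        # PE32+
        dd_off = opt_off + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return struct.unpack_from("<II", pe, dd_off + 4 * 8)


def der_total_length(blob: bytes) -> int:
    """Length (header + content) of the outer DER SEQUENCE, i.e. the PKCS#7 SignedData.
    Bytes after this point inside the WIN_CERTIFICATE are not covered by the signature."""
    if not blob or blob[0] != 0x30:
        raise ValueError("certificate blob does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                            # short-form length
        return 2 + first
    n = first & 0x7F                            # long form: n length bytes follow
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def inspect_certificate_table(pe: bytes) -> dict:
    """Report signs of data smuggled into the Authenticode certificate table.
    Only the first WIN_CERTIFICATE entry is examined; the signature itself is not verified."""
    offset, size = security_directory(pe)
    if offset == 0 or size == 0:
        return {"signed": False, "trailing_bytes": 0, "markers": [], "suspicious": False}
    table = pe[offset:offset + size]
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", table, 0)
    blob = table[8:dw_length]                   # bCertificate: the PKCS#7 blob
    trailing = blob[der_total_length(blob):].rstrip(b"\0")   # ignore alignment padding
    # Keys are searched as UTF-8 and UTF-16LE, since .NET strings may use either;
    # a legitimate PKCS#7 signature never contains ScreenConnect configuration keys.
    markers = sorted(
        m.decode() for m in CONFIG_MARKERS
        if m in table or m.decode().encode("utf-16-le") in table
    )
    return {
        "signed": True,
        "cert_type": cert_type,                 # 0x0002 = WIN_CERT_TYPE_PKCS_SIGNED_DATA
        "trailing_bytes": len(trailing),
        "markers": markers,
        "suspicious": bool(trailing) or bool(markers),
    }


def build_sample(stuffed: bytes) -> bytes:
    """Build a minimal, non-executable PE32 image whose security directory points at a
    WIN_CERTIFICATE holding a placeholder DER SEQUENCE followed by `stuffed` bytes.
    Constructed for this demonstration only; it is not a real signed binary."""
    placeholder_pkcs7 = b"\x30\x03\x02\x01\x05"  # SEQUENCE { INTEGER 5 } stands in for SignedData
    body = placeholder_pkcs7 + stuffed
    win_cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    win_cert += b"\0" * (-len(win_cert) % 8)     # entries are padded to 8-byte alignment
    e_lfanew = 0x40
    header_size = e_lfanew + 4 + 20 + 224        # PE32 optional header with 16 data directories
    image = bytearray(header_size)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    opt_off = e_lfanew + 24
    struct.pack_into("<H", image, opt_off, 0x10B)
    struct.pack_into("<II", image, opt_off + 96 + 4 * 8, header_size, len(win_cert))
    return bytes(image) + win_cert


if __name__ == "__main__":
    for label, stuffed in (("clean", b""), ("stuffed", STUFFED_CONFIG)):
        print(label, inspect_certificate_table(build_sample(stuffed)))
```

To triage a real file, call inspect_certificate_table(open(path, "rb").read()). The script deliberately does not validate the signature chain: a file that passes signature verification can still carry stuffed data, which is exactly why the technique works, so a signature check and this structural check complement each other rather than replace one another.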

G DATA products, for instance, now flag such samples as Win32.Backdoor.EvilConwi.* or Win32.Riskware.SilentConwi.*.

ConnectWise was contacted about these issues on June 12, 2025, and subsequently revoked the implicated signature by June 17, though no official statement has been issued as of this report’s publication.

Indicators of Compromise (IoCs)

Infection Vector             Sample Hash (SHA-256)
Fake Installer (Zoom)        540c9ae519ed2e7738f6d5b88b29fb7a86ebfce67914691ce17be62a9b228e0a
Fake Document (PDF)          98e3f74b733d4d44bec7b1bf29f7b0e83299350143ff1e05f0459571cb49c238
Fake Video Client (Canva)    6aa1b9f976624f7965219f1a243de2bebb5a540c7abd4d7a6d9278461d9edc11
