Analyzing the Multi-Stage PowerShell Intrusion via Weaponized JPEG and Trojanized ScreenConnect

Cyber adversaries are currently deploying a highly sophisticated, multi-stage attack vector that weaponizes seemingly innocuous JPEG files to deploy a trojanized version of the ConnectWise ScreenConnect remote-access tool. This campaign is designed for stealthy, long-term persistence, enabling full-scale surveillance, credential harvesting, and deep network infiltration on Windows-based enterprise environments.

The complexity of this operation lies in its ability to blend into the noise of legitimate enterprise software, using “living-off-the-land” techniques to bypass traditional perimeter and endpoint defenses.

The Initial Vector: Deceptive Payload Delivery

The intrusion begins with a file masquerading as “sysupdate.jpeg.” While the file extension suggests a standard image, the file does not contain valid JPEG headers or pixel data. Instead, it houses an obfuscated PowerShell script. This tactic exploits the inherent trust users place in image files, allowing the payload to bypass basic extension-based filtering in email gateways and cloud storage platforms.

Upon execution, the embedded PowerShell logic initiates a multi-stage sequence:

  • Staging: The script establishes directory structures on the local system drive to house subsequent payloads.
  • C2 Connection: It reaches out to the attacker-controlled domain legitserver.theworkpc.com via non-standard port 5443 to fetch additional modules.
  • Defense Evasion: To evade detection, the script utilizes heavy string obfuscation and sophisticated AMSI (Antimalware Scan Interface) bypass techniques, ensuring the malicious logic remains resident in memory rather than touching the disk as a static file.

CYFIRMA identified this highly sophisticated campaign, noting that the threat actors employ a “compile-after-delivery” methodology. Rather than dropping a pre-compiled binary, the PowerShell loader invokes the legitimate Microsoft .NET compiler (csc.exe) to compile a custom launcher, uds.exe, directly on the victim’s machine. This approach results in a unique file hash for every single infection, effectively neutralizing signature-based detection and traditional hash-blocking strategies.

Privilege Escalation and Persistence

Once uds.exe is compiled, it seeks to gain SYSTEM-level authority. The malware executes a fileless User Account Control (UAC) bypass. It achieves this by abusing the auto-elevating Windows binary ComputerDefaults.exe in conjunction with a malicious hijack of the ms-settings registry key. By configuring a specific protocol handler and leaving the DelegateExecute value empty, the malware triggers an elevated process without alerting the user with a standard UAC prompt. To maintain a low forensic footprint, the malware immediately scrubs the modified registry keys.

With elevated privileges secured, the attacker establishes persistence by installing a Windows service disguised as “OneDriveServers”. This service serves as the backbone for the primary payload: a modified version of the ScreenConnect client (v25.9.5.9483).

This trojanized client is a masterpiece of deception. It utilizes legitimate, digitally signed ConnectWise binaries to establish a veneer of authenticity, but it loads a tampered, unsigned ScreenConnect.Core.dll. This allows the attacker to hijack the remote-support framework. The C2 communication is further hardened via a hard-coded HostToAddressMap pointing to the IP 45.138.16.64 on port 8041, ensuring connectivity even if DNS-based monitoring is active.

Multi-Stage Infection Chain Overview (Source : CYFIRMA).
Figure 1: Multi-Stage Infection Chain Overview (Source: CYFIRMA).

To protect their activities from network-based inspection, the malware implements a custom PBKDF2-HMAC-SHA256 key-derivation routine. This generates unique, session-specific encryption keys for all inbound and outbound traffic, masking screenshots, keystrokes, and command data.

Operational Capabilities: Beyond Remote Support

The scope of this tool is significantly more aggressive than a standard RMM (Remote Monitoring and Management) suite. Decompiled analysis reveals at least 46 distinct operator capabilities designed for deep espionage:

Decompiled CommandMessage1 and CommandMessage2 class structures (Source : CYFIRMA).
Figure 2: Decompiled CommandMessage1 and CommandMessage2 class structures (Source: CYFIRMA).

Attackers can perform:

  • Live screen viewing and continuous background recording.
  • Microphone/speaker capture and clipboard monitoring.
  • Intercepting print jobs and silent file transfers.
  • Executing commands with SYSTEM-level privileges via hidden desktop sessions.
  • Credential Provider Interception: The malware hooks the Windows logon process to capture credentials directly from the UI before they are processed by LSASS.
  • Account Lifecycle Management: Attackers can silently create hidden administrator accounts or modify existing group memberships without visibility in the standard Windows user interface.
Fileless UAC bypass chain abusing ComputerDefaults.exe (Source : CYFIRMA).
Figure 3: Fileless UAC bypass chain abusing ComputerDefaults.exe (Source: CYFIRMA).

Defensive Recommendations

This campaign highlights a growing trend of threat actors abusing legitimate RMM tools to establish covert backdoors. To defend against this, security teams should adopt the following posture:

  • Restrict PowerShell: Implement Constrained Language Mode and monitor for unusual PowerShell execution from non-admin users or untrusted directories.
  • Hardening: Strengthen UAC policies and monitor registry modifications to sensitive keys like ms-settings.
  • RMM Monitoring: Closely audit all ScreenConnect installations. Alert on any service creation that mimics legitimate services (e.g., “OneDriveServers”) and monitor for connections to the theworkpc.com domain.
  • File Inspection: Enhance email and web gateway inspection to look for non-standard content within image files (e.g., embedded scripts in JPEGs).

INDICATORS OF COMPROMISE (IOCs)

No Indicators of Compromise (IOCs) Type Remarks
1 45[.]138[.]16[.]64 IP Address Block
2 legitserver[.]theworkpc[.]com Sub-Domain Block
3 7adffc1c0b3fdcba46e8d0a81203c955976d4ef39893c98d0b2dbfbb8d6a8ec3 SHA256 Block
4 ecd5ed16975d556d1d17bc980f248f8a5262bed11df9d9cf999efd9c273c11df SHA256 Block
5 cea1d85967d2c456fccecae3a70ff2adfe4c113aacf9d18c35906c2ed24ca9b4 SHA256 Block
6 e4c9f3bb4a65c640795bfc1a56c0b56485b849ccd97027eed7ad9aa78a732a4f SHA256 Block
7 ee3d776cdaf82335e4293e19ee313cc35eee49cde9963b96766a8f9c89d44a79 SHA256 Block
8 4d8ac85c5b98c69ba44146df61183e9bf613edd796aa516c3ae73611b7d77c06 SHA256 Block

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

lsUeKYJ wmEwQVpU

Related Articles

Back to top button