
Introduction
A recent technical investigation uncovered a customized version of ScreenConnect Client being used as a Remote Access Trojan (RAT). The payload contained an embedded session token, enabling automatic connections to an active relay without user interaction. This analysis explores the malware’s behavior, detection methods, and mitigation strategies.
Learning Objectives
- Understand how attackers abuse legitimate tools like ScreenConnect for malicious purposes.
- Learn key forensic techniques for analyzing RAT payloads.
- Discover mitigation strategies against ScreenConnect-based attacks.
You Should Know
1. Hash Verification & Threat Intelligence
Command:
sha256sum ScreenConnect.Client.exe
Output:
127db5291c273d08644dc9b203acdce550ae1cc749aad3ff22b12cf273c4a853
Step-by-Step Guide:
- Use `sha256sum` (Linux) or `certutil -hashfile <file> SHA256` (Windows) to compute the file hash and verify its integrity.
- Cross-reference the hash with threat intelligence platforms like AlienVault OTX or Hybrid Analysis.
- If the hash has no prior matches, the sample may belong to a zero-day or an as-yet unpublished campaign.
2. Network Traffic Analysis with Wireshark
Command:
wireshark -k -i eth0 -Y "ip.addr == 147.75.85.202"
Step-by-Step Guide:
- Launch Wireshark and filter traffic to suspicious IPs.
- Observe connections to 147.75.85.202 (malicious relay) and 98.64.238.3 (legitimate Microsoft IP).
- Export suspicious traffic for further analysis.
3. Digital Signature Check (Revoked Certificate)
Command (Windows):
sigcheck.exe -a -v ScreenConnect.Client.exe
Step-by-Step Guide:
- Run `sigcheck` (Sysinternals) to verify digital signatures.
- A revoked signing certificate is a strong indicator of tampering or malware; treat the binary as untrusted.
4. Entropy & Overlay Analysis
Command (Linux):
binwalk -E ScreenConnect.Client.exe
Step-by-Step Guide:
- High entropy suggests packing or encryption.
- Extract the overlay (data appended after the last PE section) using:
dd if=ScreenConnect.Client.exe of=overlay.bin bs=1 skip=<offset>
5. String Extraction for Hidden Payloads
Command (Windows):
strings.exe /u ScreenConnect.Client.exe.Overlay.bin > unicode.txt
strings.exe ScreenConnect.Client.exe.Overlay.bin > ascii.txt
Step-by-Step Guide:
- Extract Unicode/ASCII strings from overlay.
- Look for hardcoded tokens, URLs, or C2 domains (e.g., hxxps://lnkd.in/dH4tvkEy).
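The overlay carving of step 4 and the string hunt of step 5 combined in one script, as an added Python example (not code from the original write-up): it locates the overlay from the PE section table instead of a hand-typed offset, scores the overlay's entropy, and pulls ASCII and UTF-16LE strings the way `strings` and `strings /u` do. The sample "binary", the relay URL and the session token inside it are constructed placeholders.

```python
import math
import re
import struct
from collections import Counter

def overlay_offset(data: bytes) -> int:
    """Offset where the last PE section's raw data ends; bytes after it are the overlay."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew -> IMAGE_NT_HEADERS
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]   # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]   # FileHeader.SizeOfOptionalHeader
    table = pe + 24 + opt_size                              # first IMAGE_SECTION_HEADER (40 bytes each)
    end = table + 40 * nsections                            # headers at minimum
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: ~8.0 means packed/encrypted, plain text sits near 4 to 5, empty input is 0."""
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in Counter(buf).values())

def extract_strings(buf: bytes, min_len: int = 6) -> list:
    """ASCII and UTF-16LE runs, i.e. `strings` and `strings /u` in one pass."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(buf)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(buf)]
    return found

def triage(data: bytes) -> dict:
    """Carve the overlay and report where it starts, its size, entropy and embedded strings."""
    off = overlay_offset(data)
    overlay = data[off:]
    return {"overlay_offset": off, "overlay_size": len(overlay),
            "overlay_entropy": round(shannon_entropy(overlay), 2), "strings": extract_strings(overlay)}

def build_sample() -> bytes:
    """Constructed stand-in: minimal one-section PE layout plus a fake overlay (not a real binary)."""
    pe_off, opt_size, sec_ptr, sec_size = 0x40, 0xE0, 0x200, 0x200
    hdr = bytearray(sec_ptr)
    struct.pack_into("<I", hdr, 0x3C, pe_off)                # e_lfanew
    hdr[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<H", hdr, pe_off + 6, 1)               # one section
    struct.pack_into("<H", hdr, pe_off + 20, opt_size)
    struct.pack_into("<II", hdr, pe_off + 24 + opt_size + 16, sec_size, sec_ptr)  # SizeOfRawData, PointerToRawData
    overlay = (b"\x00" * 16 + b"https://relay.example.invalid/session" + b"\x00" * 8
               + "SESSION-TOKEN-PLACEHOLDER".encode("utf-16-le") + b"\x00" * 16)  # constructed placeholders
    return bytes(hdr) + b"\x90" * sec_size + overlay
```

Run `triage(open("ScreenConnect.Client.exe", "rb").read())` on a real sample; a high overlay entropy with few readable strings points to a packed or encrypted payload, while a low entropy with embedded URLs or tokens, as in the constructed sample, is what the write-up describes.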
6. Multi-Engine Sandbox Detection
Tools:
- Hybrid Analysis
- VirusTotal
Step-by-Step Guide:
- Submit the sample to sandbox environments.
- In this case, 25 of 72 engines flagged the sample as malicious, confirming RAT behavior.
7. Mitigating ScreenConnect Exploits (CVE-2024-1708)
Patch Command (Linux):
sudo apt update && sudo apt upgrade screenconnect
Step-by-Step Guide:
- CVE-2024-1708 (CVSS 10.0) allows authentication bypass.
- Apply the latest patches from ConnectWise.
- Restrict ScreenConnect access via firewall rules.
What Undercode Say
- Key Takeaway 1: Attackers increasingly abuse legitimate remote access tools for stealthy persistence.
- Key Takeaway 2: Forensic analysis (network, strings, entropy) remains critical for uncovering hidden malware.
Analysis:
The ScreenConnect RAT demonstrates how attackers repurpose trusted software, bypassing traditional AV detection. Organizations must monitor network traffic, verify digital signatures, and patch promptly to mitigate such threats.
Prediction
As RATs evolve, expect more fileless and signed malware abusing enterprise tools. Proactive threat hunting and behavioral detection will be essential in 2024–2025.
This article provides actionable insights for SOC analysts, incident responders, and cybersecurity professionals defending against RAT-based intrusions. Stay vigilant! 🚨
Reported By: Maor Zissu – Hackers Feeds