Threat Actors Still Leveraging Legit RMM Tool ScreenConnect for Persistence in Cyberattacks
Key Summary
- Silent Push Threat Analysts recently observed a rise in the use of ScreenConnect, a remote monitoring and management (RMM) tool, on bulletproof hosts (BPHs). This raises suspicion that threat actors have continued to leverage legitimate software to gain access and control over victims’ endpoints.
- We published our first blog post on ScreenConnect threats in October 2022, which CISA cited in a January 2023 advisory. Since then, we have been tracking exploitation of the ScreenConnect vulnerability CVE-2024-1709, which threat actors have been widely abusing.
- Our discovery of a suspicious domain, filessauploaderchecker[.]com, in the Silent Push Web Scanner, led us to further explore for malicious intent.
- As we continue investigating, we believe potential attackers have been using social engineering to lure victims into installing legitimate software copies configured to operate under the threat actor’s control.
- Today, we are sharing an update on a threat actor group’s campaign that is abusing ScreenConnect to target Social Security recipients, which was first covered in 2024 by other security researchers.
Initial Intelligence
Organizations typically use a single RMM tool to manage their IT assets. However, detecting legitimate RMM tools used in cyberattacks can be complicated, as third-party suppliers sometimes use a different RMM tool than their clients when performing technical support or other legitimate activities.
The ScreenConnect software agent typically has a generic name like “ScreenConnect.Client[.]exe” or a similarly structured company-branded name if it has been customized by a subscribing organization. Our research uncovered a suspicious filename that deviates significantly from those conventions, suggesting it has been deliberately altered.
The filename observed on the domain filessauploaderchecker[.]com raises even more suspicion of malicious intent. The sample was captured on VirusTotal (WARNING: this file is likely malicious), and its full name appears as: “Recently_S_S_A_eStatementsForum_Viewr66985110477892_Pdf[.]Client[.]exe”
Our team noted the file name includes the keyword “S_S_A,” a potential reference to “SSA,” aka the Social Security Administration, and the keyword “eStatements,” which alludes to a document someone could be requested to review. The lure essentially appears to be an eStatement from the Social Security Administration—and it is not a PDF but an executable file.
Closer examination of the file reveals it includes terms such as “eStatements,” “Forum,” “Viewr,” and “Pdf[.]client,” which appear to have been designed to resemble document viewing or financial statements. The terms are irrelevant to ScreenConnect agents and are likely crafted to mislead users into thinking the file is harmless.
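The naming analysis above can be turned into a simple triage heuristic: a file that follows the ScreenConnect client pattern (ends in `.Client.exe`) but whose prefix carries document or financial lure words, long generated digit runs, or many underscore-joined tokens deviates from both the stock name and a company-branded one. The script below is an added example written for this post, not Silent Push tooling; the keyword list, the scoring weights, and the `AcmeIT.Client.exe` company name are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field

# ScreenConnect client binaries end in ".Client.exe"; the stock name is
# "ScreenConnect.Client.exe" and customized builds use a company prefix.
CLIENT_SUFFIX = ".client.exe"

# Document/financial lure words (assumption: an illustrative list for this
# example, including the terms called out in the post; not a vendor list).
LURE_KEYWORDS = ("estatement", "statement", "invoice", "pdf", "viewer", "viewr",
                 "document", "forum", "ssa")

SUSPICION_THRESHOLD = 3  # assumption: tuned for this example only


@dataclass
class Verdict:
    filename: str
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICION_THRESHOLD


def is_screenconnect_client(filename: str) -> bool:
    """True when the filename follows the ScreenConnect client naming pattern."""
    return filename.lower().endswith(CLIENT_SUFFIX)


def score_filename(filename: str) -> Verdict:
    """Score how far a ScreenConnect client filename strays from the stock
    or company-branded naming convention."""
    verdict = Verdict(filename)
    if not is_screenconnect_client(filename):
        return verdict
    prefix = filename[: -len(CLIENT_SUFFIX)]
    if prefix.lower() == "screenconnect":
        return verdict  # stock agent name: nothing to flag on the name alone

    # Collapse separators so "S_S_A" and "eStatements" are matched as words.
    collapsed = re.sub(r"[^a-z0-9]", "", prefix.lower())
    hits = sorted(k for k in LURE_KEYWORDS if k in collapsed)
    if hits:
        verdict.score += 2 * len(hits)
        verdict.reasons.append(f"lure keywords in prefix: {', '.join(hits)}")

    # Company prefixes are short words; long digit runs look like generated IDs.
    if re.search(r"\d{8,}", prefix):
        verdict.score += 2
        verdict.reasons.append("long digit run in prefix")

    # Branded agents rarely stitch several underscore-separated tokens together.
    if prefix.count("_") >= 3:
        verdict.score += 1
        verdict.reasons.append("many underscore-separated tokens in prefix")
    return verdict


def triage(filenames):
    """Return only the suspicious verdicts, highest score first."""
    verdicts = [score_filename(f) for f in filenames]
    return sorted((v for v in verdicts if v.suspicious), key=lambda v: -v.score)


# Constructed sample: the filename from the post plus benign-looking names.
SAMPLE_FILENAMES = [
    "Recently_S_S_A_eStatementsForum_Viewr66985110477892_Pdf.Client.exe",
    "ScreenConnect.Client.exe",
    "AcmeIT.Client.exe",       # hypothetical company-branded agent
    "quarterly_report.pdf",    # not a ScreenConnect client at all
]

if __name__ == "__main__":
    for v in triage(SAMPLE_FILENAMES):
        print(v.score, v.filename, "|", "; ".join(v.reasons))
```

Run against endpoint inventory or EDR process-creation data, the score is a prioritisation aid for an analyst, not a block decision: a branded agent from a legitimate third-party supplier can still land in the review queue, which is exactly the supplier-tooling ambiguity described earlier.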
To complicate defensive actions, Silent Push Threat Analysts believe threat actors have been using various social engineering methods, such as SMS text messages, phone calls, or emails, to get unsuspecting victims to install legitimate copies of the ScreenConnect agent. Once installed, the attackers use the altered installer to quickly gain access to the victim’s files.
Silent Push Threat Analysts were able to craft a unique fingerprint that allows our team to detect a large amount of malicious infrastructure using ScreenConnect. This fingerprint powers our Indicators of Future Attack (IOFA) feed for this threat and will be available to Silent Push enterprise customers.
The Bulletproof Hosting Connection
Bulletproof hosting providers are infamous for turning a blind eye to complaints of malicious or illegal content hosted on their servers. They are known for allowing cybercriminals to operate phishing websites, malware distribution networks, and command and control (C2) infrastructure without interruption.
Typically operating in jurisdictions with weak law enforcement, BPHs frequently leverage offshore locations that shield threat actors from takedowns. While often marketed for privacy and resilience, these providers are notorious for enabling illegal activities, making them a significant challenge for cybersecurity professionals and law enforcement agencies worldwide.
Our team has identified multiple bulletproof hosting providers being utilized by this threat. Filtering by bulletproof providers (easily done via a simple field in our platform while querying) in conjunction with other fingerprinting methods can often prove a useful method to track malicious infrastructure, as threat actors (like all criminals) tend to fall into predictable patterns. For operational security reasons, we have omitted the specific names of each for this blog so as not to tip off the threat actors. We encourage readers to look forward to our larger piece covering bulletproof hosting providers in greater detail and depth coming later this year.
Persistence in Cyberattacks
Threat actors use many techniques to establish persistence and maintain their foothold when working to compromise endpoints. These may include employing Windows services (such as abusing Task Scheduler), malware, misconfiguration, or even attacking an intended victim’s domain as a means to gain access, perform actions, or make configuration changes (such as replacing or hijacking legitimate code or adding startup code for malicious purposes).
What is persistence in cyberattacks? MITRE ATT&CK, the global knowledge base of adversarial tactics and techniques, describes persistence as an enterprise tactic: “Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.”
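Because a ScreenConnect agent persists as a Windows service (or, in the Task Scheduler case above, as a scheduled task) that points back to its relay host, a defender can check each new persistence entry against the one RMM instance the organization actually sanctions and against the IOFA hostnames listed later in this post. The script below is an added example written for this post, not Silent Push code. It assumes that the ScreenConnect client command line carries its relay as an `h=` query parameter, that the organization's own relay is the hypothetical `rmm.example-corp.internal`, and it runs over constructed records shaped like Windows Event ID 7045 (service installed) entries rather than real telemetry.

```python
import re
from typing import Optional

# IOFA hostnames as published in this post (defanged).
PUBLISHED_IOFAS = [
    "awedinetwork[.]com", "cloudfilesmanger[.]com", "docusignsafe[.]com",
    "fat7olafat7olas[.]com", "filessauploaderchecker[.]com",
    "hamadasoltanfans[.]co", "helpmysupport[.]top", "sallysolaro[.]com",
    "ttlhelp[.]top",
]


def refang(host: str) -> str:
    """Turn a defanged indicator like example[.]com back into a real hostname."""
    return host.replace("[.]", ".").strip().lower()


IOFA_HOSTS = {refang(h) for h in PUBLISHED_IOFAS}

# Assumption: the organization sanctions exactly one ScreenConnect instance,
# reachable through this hypothetical relay hostname.
APPROVED_RELAYS = {"rmm.example-corp.internal"}


def matches_iofa(host: str) -> bool:
    """Exact match or subdomain of a published IOFA hostname."""
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in IOFA_HOSTS)


def relay_host(command_line: str) -> Optional[str]:
    """Extract the relay host from a ScreenConnect client command line.
    Assumption: the client receives its relay as an 'h=' query parameter,
    e.g. '...ClientService.exe' '?e=Access&y=Guest&h=<relay>&p=8041'."""
    m = re.search(r'[?&]h=([^&\s"]+)', command_line)
    return m.group(1).lower() if m else None


def classify(record: dict) -> tuple:
    """Classify one persistence record as ignore / ok / review / alert."""
    cmd = record["command"]
    if "screenconnect" not in cmd.lower():
        return ("ignore", "not a ScreenConnect persistence entry")
    relay = relay_host(cmd)
    if relay is None:
        return ("review", "ScreenConnect entry without a parsable relay host")
    if matches_iofa(relay):
        return ("alert", f"relay {relay} matches a published IOFA")
    if relay in APPROVED_RELAYS:
        return ("ok", f"relay {relay} is the sanctioned RMM instance")
    return ("review", f"relay {relay} is not the sanctioned RMM instance")


# Constructed records shaped like Event ID 7045 fields; service-name hex
# suffixes, paths and the 'k=' value are placeholders, not real telemetry.
SAMPLE_RECORDS = [
    {"name": "ScreenConnect Client (1a2b3c4d5e6f7a8b)",
     "command": r'"C:\Program Files (x86)\ScreenConnect Client (1a2b3c4d5e6f7a8b)'
                r'\ScreenConnect.ClientService.exe" '
                r'"?e=Access&y=Guest&h=rmm.example-corp.internal&p=8041&k=PLACEHOLDER"'},
    {"name": "ScreenConnect Client (9f8e7d6c5b4a3210)",
     "command": r'"C:\Program Files (x86)\ScreenConnect Client (9f8e7d6c5b4a3210)'
                r'\ScreenConnect.ClientService.exe" '
                r'"?e=Access&y=Guest&h=filessauploaderchecker.com&p=8041&k=PLACEHOLDER"'},
    {"name": "ScreenConnect Client (0011223344556677)",
     "command": r'"C:\Program Files (x86)\ScreenConnect Client (0011223344556677)'
                r'\ScreenConnect.ClientService.exe" '
                r'"?e=Access&y=Guest&h=relay.third-party-vendor.example&p=8041&k=PLACEHOLDER"'},
    {"name": "Spooler",
     "command": r"C:\Windows\System32\spoolsv.exe"},
]


def run(records):
    """Return (service name, status, reason) for every record."""
    return [(r["name"], *classify(r)) for r in records]


if __name__ == "__main__":
    for name, status, reason in run(SAMPLE_RECORDS):
        print(f"{status:6} {name}: {reason}")
```

The "review" outcome is deliberate: an agent pointing at an unknown relay is not proof of compromise, since a supplier may legitimately run its own ScreenConnect instance, but it is the entry an analyst should confirm before it becomes a standing foothold.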
Mitigation
Silent Push Threat Analysts recommend making use of our Enterprise edition to receive the newest IOFAs and enrich the IOFAs in your security solutions to detect, prevent, and respond to future cyberattacks. Our proprietary set of analytics and persistent manual review matches patterns against known malicious examples hosted on BPHs to ensure our IOFAs do not contain false positives.
We are continuously searching to uncover emerging threats from APTs, bulletproof hosting providers, financial crimes, malvertising, and more.
Register for the free Silent Push Community Edition, a threat hunting and cyber defense tool used by security teams, bug bounty hunters, and researchers. It features a range of basic and advanced DNS queries that interrogate the Silent Push database, built from our daily scans of the internet’s global IP range.
Sample List of IOFAs
Silent Push identified several BPH providers in conjunction with this research. We are providing a sample list of IOFAs below:
| Hostname |
|---|
| awedinetwork[.]com |
| cloudfilesmanger[.]com |
| docusignsafe[.]com |
| fat7olafat7olas[.]com |
| filessauploaderchecker[.]com |
| hamadasoltanfans[.]co |
| helpmysupport[.]top |
| sallysolaro[.]com |
| ttlhelp[.]top |