- Attackers weaponized a .jpeg file to deliver a PowerShell payload, trojanize ScreenConnect and establish persistence
- The malware enables credential theft, encrypted C2 communications, and surveillance capabilities
- Cyfirma warns that the campaign reflects a mature intrusion framework
Be careful when downloading files from the Internet, as even innocent-looking .jpeg files can actually contain malware, experts have warned.
Security researchers at Cyfirma published an in-depth report on a new hacking campaign they called “Operation SilentCanvas”. While we don’t know the number of infections or successfully compromised victims, the researchers said the campaign likely targets companies and other organizations that use remote administration tools.
The attack starts when the victim receives the weaponized .jpeg file. Again, we don’t know the exact delivery mechanism, but Cyfirma speculates that the file is delivered either via phishing emails with malicious attachments, deceptive file sharing interactions, or fake software and update lures.
“Professionally engineered and operationally mature intrusion framework”
In any case, when the victim runs the file, called ‘sysupdate.jpeg’, it actually executes a malicious PowerShell payload, which does a number of things: it downloads additional payloads from the attacker’s infrastructure; deploys a trojanized version of ConnectWise ScreenConnect for covert remote access; bypasses Windows security protections and elevates privileges by adding malicious registry entries; and establishes persistence via a fake Windows service named OneDriveServers.
The malware also establishes encrypted communication with the command-and-control (C2) infrastructure, steals credentials, and fingerprints the system. Other supported features include screen recording, microphone recording, and clipboard monitoring.
“The overall craft reflects a professionally developed and operationally mature intrusion framework capable of supporting long-term covert persistence, credential theft, lateral movement, corporate espionage, and potential ransomware deployment in enterprise environments,” Cyfirma concluded, without naming the group or even linking it to a specific country or region.
To defend against this campaign, security teams should keep an eye out for commonly abused Windows binaries such as csc.exe, cvtres.exe and ComputerDefaults.exe. If possible, these should be blocked completely. Remote access platforms should be strictly controlled, and logging rules for suspicious PowerShell behavior should be set up.
Finally, any system showing unexpected ScreenConnect activity should be shut down immediately.
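As an added illustration (not code from Cyfirma’s report or from this article), the following Python triage script applies the defensive guidance above to constructed, Sysmon-style event lines: it flags the three named Windows binaries, the OneDriveServers service, ScreenConnect client processes, and PowerShell launched with an encoded or download-style command line. The tab-separated log format, the PowerShell heuristics and the ScreenConnect binary name are assumptions, not details from the report.

```python
"""Triage helper for the indicators named in the SilentCanvas write-up."""
import re

# Windows binaries the article names as commonly abused (compared case-insensitively).
LOLBINS = {"csc.exe", "cvtres.exe", "computerdefaults.exe"}
# Persistence service name reported for the campaign.
ROGUE_SERVICE = "onedriveservers"
# Assumption: "suspicious PowerShell" here means an encoded command or an
# in-line download; tune these to your own environment's baseline.
PS_PATTERNS = [re.compile(p, re.I) for p in (
    r"-e(nc|ncodedcommand)?\s",
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\s",
)]

# Constructed sample events (assumed format: tab-separated key=value fields).
SAMPLE_LOG = [
    "EventID=1\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCommandLine=powershell -w hidden -enc SQBFAFgA",
    "EventID=1\tImage=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe"
    "\tCommandLine=csc.exe /noconfig /out:C:\\Users\\Public\\x.dll",
    "EventID=7045\tServiceName=OneDriveServers"
    "\tImagePath=C:\\ProgramData\\OneDrive\\svc.exe",
    "EventID=1\tImage=C:\\ProgramData\\OneDrive\\ScreenConnect.ClientService.exe"
    "\tCommandLine=ScreenConnect.ClientService.exe",
    "EventID=1\tImage=C:\\Windows\\System32\\notepad.exe\tCommandLine=notepad.exe a.txt",
]

def parse(line):
    """Split one 'k=v<TAB>k=v' record into a dict; values may contain '='."""
    fields = (f.partition("=") for f in line.rstrip("\n").split("\t"))
    return {k: v for k, _, v in fields if k}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(event):
    """Return the list of indicator tags that fire for one parsed event."""
    hits = []
    if event.get("EventID") == "1":  # process creation
        img = basename(event.get("Image", ""))
        cmd = event.get("CommandLine", "")
        if img in LOLBINS:
            hits.append(f"lolbin:{img}")
        if img in {"powershell.exe", "pwsh.exe"} and any(p.search(cmd) for p in PS_PATTERNS):
            hits.append("powershell:suspicious")
        if "screenconnect" in img:  # assumption: client binary carries the product name
            hits.append("screenconnect:process")  # review unless ScreenConnect is sanctioned
    elif event.get("EventID") == "7045":  # service installed
        if event.get("ServiceName", "").lower() == ROGUE_SERVICE:
            hits.append("service:OneDriveServers")
    return hits

def scan(lines):
    """Return (event, tags) for every line that raised at least one indicator."""
    return [(ev, tags) for ev in map(parse, lines) if (tags := triage(ev))]
```

Events that raise no indicator, like the notepad line, are dropped, so the output is a short review list rather than the full log.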