====================
== Alert Overload ==
====================
Tales from a SOC analyst

ScreenConnect

This writeup was originally produced for internal enterprise documentation and has been stripped of some details.

Initial Detection Events

The alert came from a concierge security service for the download and execution of an actor-controlled ScreenConnect RMM tool. The process was not blocked by EDR. SOC investigation concluded that the user executed a malicious application that may have installed ScreenConnect to give the actor access to the device.

Manual Incident Review and Attribution

The investigation began by correlating the detection events with a custom DNS query in the SIEM. It was determined that voicemail-lakeleft[.]top was the source of the initial payload. The query below lists DNS requests and file writes made by browser processes so that the download can be tied back to the domain the browser resolved:

#repo=base_sensor cid="*"
| in(#event_simpleName, values=["DnsRequest", "SuspiciousDnsRequest", "*FileWritten"])
| ContextBaseFileName = "chrome.exe" or ContextBaseFileName = "firefox.exe" or ContextBaseFileName = "msedge.exe"
| Time := formatTime("%FT%TZ", field=timestamp, timezone="America/Chicago")
| table(["Time", "#event_simpleName", "ComputerName", "Agent IP", "LocalAddressIP4", "DomainName", "ContextImageFileName", "FilePath", "FileName", "OriginalFilename", "ContextProcessId"], limit=5000)
| sort(Time, limit=5000)
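The same pivot can be reproduced offline against exported events. The script below is an added example, not code from the original writeup or from the SIEM vendor: for every executable a browser process wrote to disk, it lists the domains that same browser process resolved in the minutes before the write, which is how the payload domain is attributed. Field names mirror the query above (ComputerName, ContextBaseFileName, ContextProcessId, DomainName, FileName, FilePath); the events are constructed and are not real telemetry.

```python
"""Correlate browser-context DNS requests with browser-written executables.

Added example, not from the original writeup. Field names mirror the SIEM query;
the EVENTS list is constructed sample data, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
DNS_EVENTS = {"DnsRequest", "SuspiciousDnsRequest"}
# ScreenConnect client installers in this incident end in ".Client.exe".
SCREENCONNECT_SUFFIX = ".client.exe"

# Constructed sample events (UTC, ISO 8601 timestamps).
EVENTS = [
    {"timestamp": "2024-01-01T14:00:05Z", "event_simpleName": "DnsRequest",
     "ComputerName": "WS01", "ContextBaseFileName": "msedge.exe", "ContextProcessId": "1001",
     "DomainName": "voicemail-lakeleft.top"},
    {"timestamp": "2024-01-01T14:00:06Z", "event_simpleName": "DnsRequest",
     "ComputerName": "WS01", "ContextBaseFileName": "msedge.exe", "ContextProcessId": "1001",
     "DomainName": "cdn.example.net"},
    {"timestamp": "2024-01-01T14:00:21Z", "event_simpleName": "PeFileWritten",
     "ComputerName": "WS01", "ContextBaseFileName": "msedge.exe", "ContextProcessId": "1001",
     "FileName": "monthly-eStatement(000).Client.exe", "FilePath": "C:\\Users\\u\\Downloads\\"},
    # A document download on another host: not an executable, must not be flagged.
    {"timestamp": "2024-01-01T15:30:00Z", "event_simpleName": "PdfFileWritten",
     "ComputerName": "WS02", "ContextBaseFileName": "chrome.exe", "ContextProcessId": "2002",
     "FileName": "report.pdf", "FilePath": "C:\\Users\\v\\Downloads\\"},
    # A resolution hours earlier from the same process: outside the window, must not appear.
    {"timestamp": "2024-01-01T09:00:00Z", "event_simpleName": "DnsRequest",
     "ComputerName": "WS01", "ContextBaseFileName": "msedge.exe", "ContextProcessId": "1001",
     "DomainName": "update.example.org"},
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def browser_context(ev):
    return ev.get("ContextBaseFileName", "").lower() in BROWSERS


def correlate(events, window=timedelta(minutes=5)):
    """Return one finding per browser-written .exe: host, file, whether the name
    looks like a ScreenConnect client, and the domains the same browser process
    resolved within `window` before the write (oldest first, de-duplicated)."""
    dns_by_proc = defaultdict(list)
    for ev in events:
        if ev["event_simpleName"] in DNS_EVENTS and browser_context(ev):
            key = (ev["ComputerName"], ev["ContextProcessId"])
            dns_by_proc[key].append((parse_ts(ev["timestamp"]), ev["DomainName"]))

    findings = []
    for ev in events:
        if not ev["event_simpleName"].endswith("FileWritten") or not browser_context(ev):
            continue
        name = ev.get("FileName", "")
        if not name.lower().endswith(".exe"):
            continue
        written = parse_ts(ev["timestamp"])
        key = (ev["ComputerName"], ev["ContextProcessId"])
        candidates = []
        for seen, domain in sorted(dns_by_proc[key]):
            if written - window <= seen <= written and domain not in candidates:
                candidates.append(domain)
        findings.append({
            "ComputerName": ev["ComputerName"],
            "FileName": name,
            "FilePath": ev.get("FilePath", ""),
            "screenconnect_like": name.lower().endswith(SCREENCONNECT_SUFFIX),
            "candidate_domains": candidates,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

Joining on the browser's ContextProcessId rather than only on the host keeps unrelated tabs and other users' browsers out of the candidate list; the window is deliberately short because a download normally follows its DNS lookup within seconds.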

On initial view, the page appears to be a login form for a "Secure Server".

However, the site is hosting a ScreenConnect application that attempts to launch when the correct subpage is accessed.

This application downloads and executes a Windows ScreenConnect executable [Tria.ge Report]. The executable is an adversary-controlled Remote Monitoring and Management (RMM) tool that may be used to access the device.

The specific file downloaded by the user in the initial detection was sourced from a separate subpage (hxxps[://]voicemail-lakeleft[.]top/Bin/monthly-eStatementForum(96140844105).Client.exe). This download operates in the same manner as above, installing and launching a ScreenConnect instance on the device [Tria.ge Report].

Analysis of both samples indicates malicious activity. This analysis focuses on the second sample, the one observed during the detection events. VirusTotal marks the executable as a malicious RAT with the hacktool.connectwise label [VirusTotal].

This matches the activity observed in both the detection event and the SOC analysis. The malicious executable was also run through Invoke-PEAnalysis, which indicated that the executable was likely packed as an evasion/anti-RE measure.
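The usual signal behind a "likely packed" verdict is section entropy: compressed or encrypted section bodies sit close to 8 bits per byte, while ordinary code and data sit well below. The script below is an added example, not code from the writeup or from Invoke-PEAnalysis; it reads the PE section table with the standard library only (no pefile), scores each section, and also flags section names used by well-known packers. The two PE-shaped blobs it builds at the bottom are constructed for demonstration and are not executables.

```python
"""Section-entropy packing heuristic over a PE section table.

Added example, not from the writeup or from Invoke-PEAnalysis. Standard library
only; the sample blobs are constructed, PE-shaped test data, not real binaries.
"""
import hashlib
import math
import struct
from collections import Counter

# Section names used by well-known packers (UPX, VMProtect, Themida).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".vmp0", ".vmp1", ".themida"}
ENTROPY_THRESHOLD = 7.0   # bits/byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data):
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(blob):
    """Yield (name, raw_bytes) for each section in a PE image."""
    if blob[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (n_sections,) = struct.unpack_from("<H", blob, coff + 2)    # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", blob, coff + 16)     # COFF SizeOfOptionalHeader
    table = coff + 20 + opt_size                                # section table follows the optional header
    for i in range(n_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), blob[raw_ptr:raw_ptr + raw_size]


def analyze_sections(blob, threshold=ENTROPY_THRESHOLD):
    report = {}
    for name, data in pe_sections(blob):
        ent = shannon_entropy(data)
        report[name] = {"size": len(data), "entropy": round(ent, 3),
                        "high_entropy": len(data) >= 512 and ent >= threshold}
    return report


def packing_indicators(blob):
    """Human-readable reasons the file looks packed; an empty list means none found."""
    reasons = []
    for name, info in analyze_sections(blob).items():
        if info["high_entropy"]:
            reasons.append(f"{name}: entropy {info['entropy']} >= {ENTROPY_THRESHOLD}")
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"{name}: known packer section name")
    return reasons


def build_sample_pe(sections):
    """Assemble a minimal PE-shaped blob (DOS stub, COFF header, section table,
    raw section data) that pe_sections() can parse. Constructed test data only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x22)  # no optional header
    headers_len = e_lfanew + 4 + len(coff) + 40 * len(sections)
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF        # first section on a 512-byte boundary
    table, body = b"", b""
    for i, (name, data) in enumerate(sections):
        raw_size = (len(data) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                             0x1000 * (i + 1), raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    headers = (dos + b"PE\0\0" + coff + table).ljust((headers_len + 0x1FF) & ~0x1FF, b"\0")
    return headers + body


# Constructed section contents: pseudo-random bytes stand in for a packed .text,
# repetitive ASCII for an ordinary read-only data section (4096 bytes each).
HIGH_ENTROPY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
LOW_ENTROPY = (b"This program cannot be run in DOS mode.\r\n" * 100)[:4096]

PACKED_SAMPLE = build_sample_pe([(".text", HIGH_ENTROPY), (".rdata", LOW_ENTROPY)])
CLEAN_SAMPLE = build_sample_pe([(".text", LOW_ENTROPY), (".rdata", LOW_ENTROPY)])

if __name__ == "__main__":
    print(analyze_sections(PACKED_SAMPLE))
    print("packed indicators:", packing_indicators(PACKED_SAMPLE) or "none")
```

Entropy alone is a heuristic: a legitimate installer that embeds a compressed payload will also score high, so the result is a lead for the analyst rather than a verdict, which is the way the writeup uses it.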

Furthermore, the executable is digitally signed with a valid signature. As with most incidents of this type, the adversary is likely abusing a legitimate RMM tool for malicious purposes.

After installation, the ScreenConnect instance reaches out to popwee2[.]zapto[.]org. This is likely adversary-controlled C2 infrastructure.

PCAP analysis shows significant traffic to the domain. However, all traffic is encrypted, preventing further analysis.

At the time of writing, the host has remained offline. More details will be added once the host is online and can be enumerated for active ScreenConnect instances or other artifacts. Currently, the Asset Details console does not indicate a successful, persistent installation.

Update: The ScreenConnect instance did not persist after reboot. Furthermore, the host did not have any connections to the C2 domain. The ScreenConnect instance ran for approximately 2 hours before detection.

There were some cool pictures here, but they got taken out :(

Given the related WerFault ProcessRollup event, it is possible that the process errored out and failed to install itself correctly. This may be why there was no contact with the C2 domain.

As a result of this investigation, the initial payload domain and the C2 domain have been added to the Global Block list in Umbrella.
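Once the indicators are on a block list, the follow-up check is whether any other host ever resolved them. The script below is an added example, not part of the writeup: it refangs the two indicators exactly as they are written above, reduces each to a hostname, and matches DNS log lines against them with subdomain-aware matching. The log lines are constructed. Note the design choice in the match rule: the C2 host is matched as popwee2.zapto.org and its subdomains only, not as the parent zapto.org, because that parent is a shared dynamic DNS domain and blocking it would affect every hostname registered under it.

```python
"""Refang defanged indicators and review DNS telemetry for block-list hits.

Added example, not from the writeup. The two indicators are the ones the
writeup names; the DNS log lines are constructed sample data.
"""
from urllib.parse import urlsplit


def refang(ioc):
    """Reverse common defanging: hxxp -> http, [.] -> ., [://] -> ://."""
    return ioc.replace("[.]", ".").replace("[://]", "://").replace("hxxp", "http")


def indicator_host(ioc):
    """Return the lower-cased hostname for a URL or bare-domain indicator."""
    s = refang(ioc.strip())
    if "://" in s:
        return urlsplit(s).hostname.lower()
    return s.split("/")[0].lower()


def matches(query_name, block_host):
    """True if the DNS query name is the blocked host or a subdomain of it."""
    q = query_name.lower().rstrip(".")          # tolerate a trailing root dot in logs
    return q == block_host or q.endswith("." + block_host)


# Indicators from the writeup, in the defanged form they appear in above.
BLOCK_LIST = [
    "hxxps[://]voicemail-lakeleft[.]top/Bin/monthly-eStatementForum(96140844105).Client.exe",
    "popwee2[.]zapto[.]org",
]
BLOCK_HOSTS = [indicator_host(i) for i in BLOCK_LIST]

# Constructed DNS log lines: "<timestamp> <host> <query name>"
DNS_LOG = """\
2024-01-01T14:00:05Z WS01 voicemail-lakeleft.top
2024-01-01T14:02:11Z WS01 www.voicemail-lakeleft.top
2024-01-01T14:05:40Z WS03 other.zapto.org
2024-01-01T14:06:02Z WS01 popwee2.zapto.org.
2024-01-01T14:07:00Z WS02 example.com
"""


def review_hits(log_text, block_hosts):
    """Return (timestamp, host, query_name, matched_indicator) for every hit."""
    hits = []
    for line in log_text.splitlines():
        ts, host, qname = line.split()
        for blocked in block_hosts:
            if matches(qname, blocked):
                hits.append((ts, host, qname.rstrip("."), blocked))
    return hits


if __name__ == "__main__":
    print("block hosts:", BLOCK_HOSTS)
    for hit in review_hits(DNS_LOG, BLOCK_HOSTS):
        print(hit)
```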

Attack Chain

[Attack chain diagram; the image is not included in this version of the writeup]