
Mark0


From Invitation to Infection: How SILENTCONNECT Delivers ScreenConnect

Elastic Security Labs has identified a new loader, SILENTCONNECT, used in malicious campaigns to deliver the ScreenConnect remote monitoring and management (RMM) tool. The infection chain typically starts with a phishing email that leads the victim to a Cloudflare Turnstile CAPTCHA page. Once the victim passes the check, a VBScript file is downloaded; it launches PowerShell, which in turn loads and runs a C# payload in memory. The intermediate stages are hosted on legitimate services such as Google Drive and Cloudflare R2, so the downloads look like ordinary traffic and are less likely to be flagged.

SILENTCONNECT stands out for its evasion techniques. One is PEB masquerading: the loader overwrites the image path and command line stored in its own Process Environment Block so that tools reading the PEB report it as a legitimate system binary such as winhlp32.exe. It also bypasses UAC through the CMSTPLUA COM interface and adds Microsoft Defender exclusions so that its dropped files and the RMM client are not scanned and can persist on the host. By abusing living-off-the-land binaries (LOLBins) and a trusted RMM tool, the attackers keep a "hands-on-keyboard" presence while blending in with normal administrative activity.
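The following is an added example, not code from the Elastic report or from this post: simple detection logic for the chain described in the two paragraphs above (a script host launching PowerShell, a Defender exclusion being added, and the CMSTPLUA COM surrogate spawning a child process), run over a handful of constructed Sysmon-style process-creation (EventID 1) and registry-set (EventID 13) records. The CMSTPLUA CLSID and the Defender exclusions registry path are well-known values assumed here; the page itself does not quote them, and the sample events are hand-built.

```python
"""Hunt a SILENTCONNECT-style chain in Sysmon-shaped events.

Added example, not from the Elastic report. Event dicts mimic Sysmon
fields (EventID 1 = process creation, EventID 13 = registry value set)
but are constructed by hand below.
"""
from collections import defaultdict

# Assumed constants, not quoted on the page.
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"  # well-known CMSTPLUA CLSID
DEFENDER_EXCL_KEY = "\\microsoft\\windows defender\\exclusions\\"  # under HKLM\SOFTWARE
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELLS = ("powershell.exe", "pwsh.exe")


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a sorted list of (rule, pid) findings over Sysmon-like dicts."""
    findings = set()
    children = defaultdict(list)  # pid -> list of process-creation events it parented
    for e in events:
        if e["EventID"] == 1:
            children[e["ParentProcessId"]].append(e)

    for e in events:
        if e["EventID"] == 1:
            img = _basename(e["Image"])
            parent = _basename(e.get("ParentImage", ""))
            cmd = e.get("CommandLine", "").lower()
            # Stage 1: the downloaded VBScript's host launching PowerShell.
            if parent in SCRIPT_HOSTS and img in POWERSHELLS:
                findings.add(("vbscript_spawns_powershell", e["ProcessId"]))
            # Defender exclusion added from the command line.
            if img in POWERSHELLS and "add-mppreference" in cmd and "-exclusion" in cmd:
                findings.add(("defender_exclusion_cmdline", e["ProcessId"]))
            # CMSTPLUA COM surrogate that went on to spawn a child: the UAC bypass.
            # A dllhost.exe hosting this CLSID with no children is left alone.
            if img == "dllhost.exe" and CMSTPLUA_CLSID.lower() in cmd and children[e["ProcessId"]]:
                findings.add(("cmstplua_uac_bypass", e["ProcessId"]))
        elif e["EventID"] == 13:
            # Registry write where an exclusion ends up, whoever wrote it.
            if DEFENDER_EXCL_KEY in e["TargetObject"].lower():
                findings.add(("defender_exclusion_registry", e["ProcessId"]))
    return sorted(findings)


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 3000,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\Downloads\Invitation.vbs"'},
    {"EventID": 1, "ProcessId": 4120, "ParentProcessId": 4100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -c ..."},
    {"EventID": 1, "ProcessId": 4140, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "Add-MpPreference -ExclusionPath C:\ProgramData\sc"'},
    {"EventID": 13, "ProcessId": 4140,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\sc"},
    {"EventID": 1, "ProcessId": 4200, "ParentProcessId": 700,
     "Image": r"C:\Windows\System32\dllhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "C:\\Windows\\system32\\DllHost.exe /Processid:" + CMSTPLUA_CLSID},
    {"EventID": 1, "ProcessId": 4220, "ParentProcessId": 4200,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": "cmd.exe /c ..."},
    # Benign noise: a COM surrogate for an unrelated CLSID that spawned nothing.
    {"EventID": 1, "ProcessId": 4300, "ParentProcessId": 700,
     "Image": r"C:\Windows\System32\dllhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "C:\\Windows\\system32\\DllHost.exe /Processid:{00000000-0000-0000-0000-000000000000}"},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} pid={pid}")
```

The exclusion is looked for twice on purpose: the command-line rule catches the obvious `Add-MpPreference` call, while the registry rule still fires if the exclusion is written some other way. PEB masquerading is not visible in process-creation telemetry at all, because the kernel-reported image path is untouched; spotting it needs a memory-side check that compares that path with the one stored in the process's PEB.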


