Elastic Security Labs has discovered SILENTCONNECT, a newly identified loader used in active phishing campaigns to deliver ScreenConnect, a remote monitoring and management (RMM) tool. The infection chain typically begins with a deceptive Cloudflare CAPTCHA page that triggers the download of a VBScript. This script subsequently uses PowerShell to fetch and compile C# source code in memory, allowing the attacker to establish a persistent "hands-on-keyboard" presence on the victim's machine while bypassing traditional detection methods.
The malware is notable for its use of advanced evasion techniques, including PEB masquerading to hide its process as a legitimate Windows binary and UAC bypass via COM interfaces. By abusing living-off-the-land binaries (LOLBins) and hosting payloads on trusted platforms like Google Drive and Cloudflare, SILENTCONNECT effectively blends into normal network activity. Organizations are advised to monitor for unauthorized RMM usage and specific Windows Defender exclusion modifications.
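The two paragraphs above describe an infection chain (script host spawning PowerShell that compiles C# in memory) and the defensive recommendations (watch for unsanctioned RMM processes and Windows Defender exclusion changes). The following Python script is an added example, not code from Elastic Security Labs or the original post, showing how those behaviours translate into process-creation detection logic. The event records are constructed here in a Sysmon Event ID 1 style and are not real telemetry; the RMM allowlist path and the Google Drive URL are hypothetical placeholders. It generalises slightly beyond the summary by also covering cscript.exe and Set-MpPreference, which are interchangeable with wscript.exe and Add-MpPreference for this purpose.

```python
"""Defender-side triage of process-creation events for SILENTCONNECT-style activity.

Added example (not the vendor's code). Flags three behaviours from the summary:
  1. a script host (wscript/cscript) spawning PowerShell that compiles C# in memory
  2. PowerShell adding a Windows Defender exclusion
  3. a ScreenConnect client process running from a path outside the sanctioned RMM install
Event fields mimic Sysmon Event ID 1 but every record below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Hypothetical sanctioned install path; replace with the organisation's real RMM allowlist.
RMM_ALLOWLIST = {
    r"c:\program files (x86)\screenconnect client (placeholder)\screenconnect.clientservice.exe",
}

# Markers of C# source being compiled in memory rather than dropped to disk.
IN_MEMORY_COMPILE = re.compile(r"add-type\b|csharpcodeprovider|compileassemblyfromsource", re.I)
# Defender exclusion changes via the built-in cmdlets.
DEFENDER_EXCLUSION = re.compile(r"(add|set)-mppreference\b.*-exclusion(path|process|extension)", re.I)
SCREENCONNECT = re.compile(r"screenconnect", re.I)


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(ev: ProcEvent) -> List[str]:
    """Return the list of suspicious behaviours observed in one event (empty if none)."""
    findings: List[str] = []
    if (basename(ev.image) == "powershell.exe"
            and basename(ev.parent_image) in SCRIPT_HOSTS
            and IN_MEMORY_COMPILE.search(ev.command_line)):
        findings.append("script-host->powershell in-memory C# compile")
    if DEFENDER_EXCLUSION.search(ev.command_line):
        findings.append("defender exclusion added")
    if SCREENCONNECT.search(ev.image) and ev.image.lower() not in RMM_ALLOWLIST:
        findings.append("unsanctioned ScreenConnect process")
    return findings


# Constructed sample events: three malicious, two benign.
SAMPLE_EVENTS = [
    ProcEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\System32\wscript.exe",
        command_line='powershell.exe -WindowStyle Hidden -Command "Add-Type -TypeDefinition $src"',
    ),
    ProcEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line="powershell.exe -Command \"Add-MpPreference -ExclusionPath 'C:\\Users\\Public'\"",
    ),
    ProcEvent(
        image=r"C:\Users\Public\ScreenConnect.ClientService.exe",
        parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line="ScreenConnect.ClientService.exe",
    ),
    ProcEvent(  # benign: interactive PowerShell from Explorer
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\explorer.exe",
        command_line="powershell.exe -Command Get-Process",
    ),
    ProcEvent(  # benign: sanctioned RMM client
        image=r"C:\Program Files (x86)\ScreenConnect Client (placeholder)\ScreenConnect.ClientService.exe",
        parent_image=r"C:\Windows\System32\services.exe",
        command_line="ScreenConnect.ClientService.exe",
    ),
]


def run_triage(events: List[ProcEvent] = SAMPLE_EVENTS) -> Dict[int, List[str]]:
    """Map event index -> findings for every event that produced at least one finding."""
    out: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        findings = triage(ev)
        if findings:
            out[i] = findings
    return out


if __name__ == "__main__":
    for idx, findings in run_triage().items():
        print(f"event {idx}: {', '.join(findings)}")
```

In production these checks would run over Sysmon Event ID 1 or Security 4688 records rather than constructed objects, and the exclusion check is best paired with Defender's own operational log, which records configuration changes independently of how the cmdlet was invoked. The allowlist comparison is deliberately on the full lower-cased image path, since the point of the recommendation is to catch ScreenConnect running from user-writable locations rather than the administrator's sanctioned install.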