- Attackers weaponized a .jpeg file to deliver PowerShell payloads, trojanized ScreenConnect, and establish persistence
- The malware enables credential theft, encrypted C2 comms, and surveillance features
- Cyfirma warns the campaign reflects a mature intrusion framework
Be careful when downloading files from the internet, as even innocent .jpeg files can actually contain malware, experts have warned.
Security researchers Cyfirma published an in-depth report on a brand new hacking campaign they named “Operation SilentCanvas”. While we don’t know the number of infections, or successfully compromised victims, the researchers said the campaign likely targets enterprises and other organizations using remote administration tools.
The attack starts when the victim receives the weaponized .jpeg file. Again, we don’t know the exact delivery mechanism, but Cyfirma speculates the file is delivered either via phishing emails with malicious attachments, deceptive file-sharing interactions, or fake software and update lures.
"Professionally engineered and operationally mature intrusion framework"
In any case, when the victim runs the file, named ‘sysupdate.jpeg’, it actually executes a malicious PowerShell payload which does a number of things: it downloads additional payloads from the attacker’s infrastructure; deploys a trojanized version of ConnectWise ScreenConnect for covert remote access; bypasses Windows security protections and elevates privileges by adding malicious Registry entries; and establishes persistence via a fake Windows service named OneDriveServers.
The malware also enables encrypted communications with the command-and-control (C2) infrastructure, steals credentials, and fingerprints the system. Other supported features include screen capture, microphone capture, and clipboard monitoring.
“The overall tradecraft reflects a professionally engineered and operationally mature intrusion framework capable of supporting long-term covert persistence, credential theft, lateral movement, enterprise espionage, and potential ransomware deployment within enterprise environments,” Cyfirma concluded, without naming the group, or even linking it to a specific country, or region.
To defend against this campaign, security experts should keep an eye on commonly abused Windows binaries, including csc.exe, cvtres.exe, or ComputerDefaults.exe. If possible, these should be blocked entirely. Remote access platforms should be strictly controlled, and detection rules for suspicious PowerShell behavior set up.
Finally, any system that displays unexpected ScreenConnect activity should be sealed off immediately.
