Key Takeaways
- Cyble Research and Intelligence Labs (CRIL) detected an ongoing phishing campaign aimed at the cryptocurrency community and healthcare organizations in the US.
- The campaign’s focus on both cryptocurrency individuals and healthcare entities suggests a wide-reaching and potentially significant threat.
- Threat Actors (TAs) are using phishing sites to distribute ScreenConnect, a legitimate remote support tool by ConnectWise Inc., for malicious purposes.
- This campaign employs tactics like subdomain takeover to host phishing sites, demonstrating the attackers’ sophistication.
- The TAs do not exploit a vulnerability in ScreenConnect; they deliver a client preconfigured to connect to a ScreenConnect server they control, which gives them remote access to the victim system for further malicious operations.
- TAs have repeatedly targeted the healthcare sector via ScreenConnect in earlier incidents, indicating sustained interest in this sector.
Overview
Recently, CRIL observed a significant uptick in the number of samples submitted to VirusTotal under the file name "screenconnect". Upon initial investigation, we discovered that a majority of these samples are ScreenConnect clients configured to connect to servers controlled by TAs. This observation raises concerns, as it indicates a trend of TAs abusing the legitimate ScreenConnect software for unauthorized access.
ConnectWise ScreenConnect is a widely used remote support and administration tool compatible with Linux, Windows, and Mac systems. It is commonly employed by IT professionals and Managed Service Providers (MSPs). ScreenConnect enables users to securely connect to client devices, remotely view desktops, transfer files, engage in user chats, and execute various administrative tasks, effectively simulating physical presence at the machine.
The image below shows the count of ScreenConnect sample submissions to VirusTotal over the past three months.
Figure 1 – ScreenConnect files observed in the last 3 months
Upon noticing this increase in the usage of the ScreenConnect tool, our research team carried out an in-depth investigation to determine the underlying factors driving this surge. As a result, CRIL discovered an ongoing phishing campaign where TAs have employed phishing websites closely resembling genuine cryptocurrency platforms and healthcare entities, primarily targeting individuals located in the United States.
Furthermore, we have observed an instance where TAs have utilized subdomain takeover to host phishing pages. The image below shows a phishing site from this campaign hosted using subdomain takeover.
Figure 2 – Phishing Site Hosted Using Subdomain Takeover
When users navigate to these phishing sites and click on appealing offers or applications for installation, they download a ScreenConnect client that is preconfigured to connect to a server controlled by the TAs.
Once the client is installed, the TAs can use ScreenConnect's built-in features (file transfer, command execution, and interactive desktop control) to covertly extract sensitive data or deploy malware for subsequent operations.
Campaign analysis
The analysis of this campaign has revealed numerous phishing sites targeting a diverse set of victims. The sites fall into two themes: some impersonate cryptocurrency platforms, while others mimic entities associated with the healthcare sector. Despite the varied site names and themes, the files downloaded upon interaction share a common trait: they are named after cryptocurrencies.
Examples of a few phishing sites identified as part of this campaign include:
- hxxps://rollecoin[.]online
- hxxps://sgacor[.]kenparkmdpllc[.]com
File names associated with this campaign include:
- Windows-Rollercoin.exe
- CryptoNex200%24Voucher.exe
Phishing campaign targeting Cryptocurrency users
During our analysis of the phishing site "hxxps://rollecoin[.]online/", it became evident that its design closely resembles the legitimate website "rollercoin[.]com". The legitimate site offers users an online Bitcoin mining simulator game in which they can earn real cryptocurrency while playing. The following image shows both the legitimate website and the phishing site.
Figure 3 – Legitimate site (top) and phishing site (bottom)
By utilizing this phishing site, TAs trick visitors into thinking they are interacting with the genuine platform. Rather than offering the game, however, the "download" the site serves is the TA-controlled ScreenConnect client file.
In another instance, we came across multiple pages hosted under the same domain, all of which purported to offer free cryptocurrency coins to users who played their games. These pages, hosted on the domain "minerclouds[.]xyz", included "minerclouds[.]xyz/addcoin/", "minerclouds[.]xyz/autoclaim/", and "minerclouds[.]xyz/blocks/". They were designed to target cryptocurrency enthusiasts.
The underlying premise of these sites was to entice users with the promise of earning cryptocurrency rewards simply by using the simulator/game. However, upon closer examination, it became evident that these websites were fraudulent, seeking to deceive users into downloading ScreenConnect clients.
The image below shows a collage of several phishing pages hosted on the "minerclouds[.]xyz" domain.
Figure 4 – Several phishing sites hosted on a single domain
Phishing campaign targeting healthcare entities
In the healthcare-themed branch of the campaign, the primary targets are healthcare entities, lured via a fraudulent site hosted through a subdomain takeover under "sgacor[.]kenparkmdpllc[.]com". Notably, the parent domain, "kenparkmdpllc[.]com", belongs to a healthcare clinic based in the US, so the phishing page inherits the trust of a legitimate clinic's domain. The image below shows the phishing site hosted using subdomain takeover.
Figure 5 – Phishing site 1 targeting healthcare entities
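A subdomain takeover of the kind used for sgacor.kenparkmdpllc[.]com becomes possible when a DNS record on a legitimate domain still points at a resource the owner no longer controls, most often a CNAME whose target has been deprovisioned. The following is an added example (not code from this report, and not a description of how this particular takeover was performed) of the check a domain owner would run over a zone export to find such records. The zone records, the hosting-provider names and the stub resolver are constructed for the example; in production the resolver would be the real `resolve_a` function shown.

```python
"""Added example: find CNAME records in a zone whose targets no longer resolve,
the common precondition for a subdomain takeover. Not code from the report."""
import socket


def resolve_a(name):
    """Production resolver: True if the name currently has an address record."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def find_dangling(records, resolves=resolve_a):
    """records: iterable of (owner_name, rtype, target) tuples from a zone export.
    resolves: callable(name) -> bool; injectable so the check runs offline.
    Returns [(owner_name, target)] for CNAMEs whose target does not resolve."""
    dangling = []
    for name, rtype, target in records:
        if rtype.upper() != "CNAME":
            continue
        # Zone files write fully qualified targets with a trailing dot.
        if not resolves(target.rstrip(".")):
            dangling.append((name, target))
    return dangling


# Constructed zone for a fictitious clinic; .test is a reserved TLD.
ZONE = [
    ("www.example-clinic.test.", "A", "203.0.113.10"),
    ("mail.example-clinic.test.", "MX", "10 mx.example-clinic.test."),
    ("portal.example-clinic.test.", "CNAME", "portal-prod.hosting-provider.test."),
    # Marketing site decommissioned years ago; the DNS record was never removed.
    ("promo.example-clinic.test.", "CNAME", "promo-2019.hosting-provider.test."),
]

# Constructed stub: the only target that still has an address record.
STILL_RESOLVES = {"portal-prod.hosting-provider.test"}


def stub_resolver(name):
    return name in STILL_RESOLVES


if __name__ == "__main__":
    for owner, target in find_dangling(ZONE, stub_resolver):
        print(f"dangling CNAME: {owner} -> {target}")
```

A target that fails to resolve is only one signal: a CNAME that still resolves but points at an unclaimed resource on a hosting platform (an app name or storage bucket that anyone can register) is also takeover-prone, and needs a provider-specific check on top of this one.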
The next phishing site identified is “cloudmine[.]online/CloudMine”, which impersonates the authentic CloudMine platform. This platform offers secure data enablement solutions for healthcare and pharmaceutical organizations. However, this deceptive site lures users into downloading the ScreenConnect client controlled by the TAs. The figure below shows that the phishing site capitalizes on the trust associated with CloudMine services to trick targeted users into downloading ScreenConnect files.
Figure 6 – Phishing site 2 targeting healthcare entities
Technical Analysis of ScreenConnect Client
Upon executing the downloaded TA-controlled ScreenConnect client file, it results in the deployment of a Microsoft Installer file (MSI) named “setup.msi”, which is dropped in the %temp% directory. The below image shows the extracted contents of the .msi file.
Figure 7 – Extracted content of the setup.msi file
This setup.msi file facilitates the installation of the ScreenConnect service on the victim machine.
The ScreenConnect service is executed with a launch parameter hardcoded within one of the components found in the MSI file, as highlighted in Figure 7. The image below displays the client service launch parameters when launched.
Figure 8 – ScreenConnect client launched with predefined parameters
Each session of ScreenConnect is initialized using the Client Launch Parameters. The parameters are detailed in the table below.
Parameter | Description |
e=Access | The type of session (Support, Meet, or Access) |
y=Guest | The session’s participant type (Guest or Host) |
h=instance-xxxxxx-relay.screenconnect.com | URI to reach the server’s relay service |
p=443 | Port on which the relay service operates |
s=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | The GUID is used to identify the client to the server |
k | Base64-encoded server public key; the client uses it to verify the server's identity |
v | Unknown |
These parameters let the TAs tell which target has been infected and which lure it came from: the relay host "h" identifies the TA's ScreenConnect instance, and the session GUID "s" identifies the individual client. The same fields are useful to defenders, since a ScreenConnect client process whose relay host is not the organization's own instance is a strong indicator of this kind of abuse. Once the server accepts the client, TAs may use ScreenConnect features to stealthily extract sensitive data or deploy malware for further cyber operations.
In our scenario, we have not detected any active communication between the server and the client, leaving us uncertain about the next stage of the attack.
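The launch parameters above are a practical detection hook: they appear verbatim in process-creation telemetry for the installed client service and in the download URLs of the lures (see the IOC list). The following is an added example (not code from this report) that parses the query-string style parameters out of a command line or URL and triages them against an allowlist of relay hosts the organization itself operates. The telemetry lines are constructed for the example (the "anbr85" relay host is taken from this report's IOCs); the allowlisted "instance-corpit-relay" host, the install-path fingerprints and the shortened "k" value are hypothetical.

```python
"""Added example: triage ScreenConnect client launch parameters found in
process-creation or proxy telemetry. Not code from the original report."""
import re
from urllib.parse import parse_qs

# Relay host(s) of the organization's own ScreenConnect instance (hypothetical).
ALLOWED_RELAY_HOSTS = {"instance-corpit-relay.screenconnect.com"}

# ConnectWise-hosted instances expose a relay named after the instance ID.
RELAY_RE = re.compile(r"^instance-([a-z0-9]+)-relay\.screenconnect\.com$")
# The parameter block starts at '?' and runs to the next whitespace or quote.
PARAMS_RE = re.compile(r"\?([^\s\"']+)")


def parse_launch_params(text):
    """Return the launch parameters (e, y, h, p, s, k, ...) embedded in a
    command line or URL as a dict, or None if no parameter block is present."""
    m = PARAMS_RE.search(text)
    if not m:
        return None
    parsed = parse_qs(m.group(1), keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}


def triage(text, allowed=ALLOWED_RELAY_HOSTS):
    """Classify one telemetry line. Returns None when the line carries no
    ScreenConnect parameters, otherwise the parsed fields plus a verdict."""
    params = parse_launch_params(text)
    if params is None or not any(k in params for k in ("e", "h", "s")):
        return None
    host = params.get("h", "").lower()
    allowed_lower = {a.lower() for a in allowed}
    match = RELAY_RE.match(host)
    findings = []
    if not host:
        findings.append("no relay host in parameters; inspect the downloaded client")
    elif host not in allowed_lower:
        findings.append(f"relay host {host} is not an approved instance")
    if params.get("e", "").lower() == "access":
        # Access sessions are unattended: the service reconnects at boot without
        # a user accepting anything, which is what a persistent foothold needs.
        findings.append("unattended Access session")
    return {
        "session_type": params.get("e"),
        "participant": params.get("y"),
        "relay_host": host or None,
        "instance_id": match.group(1) if match else None,
        "port": params.get("p"),
        "session_guid": params.get("s"),
        "has_server_key": "k" in params,
        "verdict": "expected" if host and host in allowed_lower else "suspicious",
        "findings": findings,
    }


def triage_all(lines):
    """Triage many lines, dropping the ones without ScreenConnect parameters."""
    return [r for r in (triage(line) for line in lines) if r]


# Constructed telemetry. Install-path fingerprints and the "k" value are
# placeholders; the first relay host is from this report's IOC list.
SAMPLE_TELEMETRY = [
    r'"C:\Program Files (x86)\ScreenConnect Client (4a1c9e2b7f0d3a65)\ScreenConnect.ClientService.exe" '
    r'"?e=Access&y=Guest&h=instance-anbr85-relay.screenconnect.com&p=443'
    r'&s=5f3b2a1c-7d8e-4f90-a1b2-c3d4e5f60718&k=BgIAAACkAABSU0ExAAgAAAEAAQ&v=1"',
    r'"C:\Program Files (x86)\ScreenConnect Client (d2c4b6a8e0f19375)\ScreenConnect.ClientService.exe" '
    r'"?e=Access&y=Guest&h=instance-corpit-relay.screenconnect.com&p=443'
    r'&s=0c1d2e3f-4a5b-4c6d-8e9f-0a1b2c3d4e5f&k=BgIAAACkAABSU0ExAAgAAAEAAQ"',
    # Proxy log entry for a lure download (defanged URL pattern from the IOCs).
    "GET hxxps://cloudmine[.]online/CloudMine/CloudMine1_5[.]exe?e=Access&y=Guest",
    r'"C:\Windows\System32\notepad.exe" "C:\Users\alice\notes.txt"',
]

if __name__ == "__main__":
    for result in triage_all(SAMPLE_TELEMETRY):
        print(result["verdict"], result["relay_host"], result["findings"])
```

The instance ID pulled out of the relay host is the value to pivot on across the fleet and against the relay servers in the IOC list; a lure URL such as the cloudmine one carries only "e" and "y", so the relay host has to be recovered from the downloaded client (the launch parameter is embedded in the MSI, as Figure 7 shows).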
Previous Incidents Involving ScreenConnect
- In February 2021, Anomali’s blog highlighted suspicions that Static Kitten may be exploiting ScreenConnect features to either extract sensitive data or aid in the dissemination of malware for subsequent cyber activities.
- In May 2022, Blackpoint detected an incident involving the deployment of BlackCat/ALPHV ransomware via ScreenConnect.
- In November 2023, researchers at the managed security platform Huntress identified attacks leveraging ScreenConnect. They observed these attacks on endpoints belonging to two separate healthcare organizations, along with signs of network reconnaissance in preparation for further attack escalation.
Conclusion
The recent surge in ScreenConnect client submissions, coupled with the discovery of this phishing campaign, emphasizes the need for stronger defenses against the abuse of legitimate remote access software. Because the client is a signed, legitimate product and no vulnerability is exploited, the abuse is easy to miss, and it is especially serious when the targets are healthcare organizations.
Once compromised, a system gives the TAs interactive remote access, with risks ranging from theft of sensitive data to the deployment of ransomware and other malware.
These threats can have far-reaching consequences, including financial losses, reputational damage, and disruptions to critical healthcare services, ultimately jeopardizing patient safety and privacy. Healthcare organizations should therefore implement robust security controls, including regular security assessments, employee training programs, and threat detection and response mechanisms that cover remote access tooling, to mitigate these risks.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Instruct users to refrain from opening untrusted links without verifying their authenticity.
- Do not download applications from unknown sources.
- Monitor for the installation of remote access tools that IT has not approved, and alert on ScreenConnect client services whose relay host is not the organization's own instance.
- Healthcare organizations must acknowledge the seriousness of such intrusions and coordinate across IT, security, and clinical teams to protect their infrastructure.
- Organizations should conduct regular security awareness and infosec training sessions for their workforce to educate them about phishing attacks, their impact, and how to recognize fraudulent websites.
MITRE ATT&CK® Techniques
Tactic | Technique | Procedure |
Initial Access (TA0001) | Phishing: Spearphishing Link (T1566.002) | TAs deliver TA-controlled ScreenConnect clients via phishing websites |
Execution (TA0002) | User Execution: Malicious File (T1204.002) | Users must manually execute the downloaded file |
Command and Control (TA0011) | Remote Access Software (T1219) | TAs use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks |
Indicators of Compromise (IOCs)
Indicators | Indicators Type | Description |
hxxps://rollecoin[.]online/download[.]html | URL | Phishing site |
hxxps://cloudmine[.]online/CloudMine/CloudMine1_5[.]exe?e=Access&y=Guest | URL | Phishing site |
hxxps://sgacor[.]kenparkmdpllc[.]com/ | URL | Phishing site |
hxxps://minerclouds[.]xyz/ | URL | Phishing site |
Claimbloacks[.]xyz | Domain | Phishing site |
Addonswallet[.]lat | Domain | Phishing site |
03b9ee39f5316efe71b0c915374da7d3d4b393ed402d4fe6b57cbc38ac60783b | SHA256 | ScreenConnect Client downloaded from rollecoin |
e594dc53d2bf4518632e9ca4308a11a0b10409f035554255bbdc7e3f577fe585 | SHA256 | ScreenConnect Client downloaded from cloudmine |
afd0c82318a32f3a82bbc8320e03e33ee84e3fb3c8a64b3fe06a48fc37682dae | SHA256 | ScreenConnect Client downloaded from minerclouds |
instance-anbr85-relay.screenconnect[.]com | Relay server | URI to reach the server's relay service |
instance-b5lwpw-relay.screenconnect[.]com | Relay server | URI to reach the server's relay service |
instance-oisw57-relay.screenconnect[.]com | Relay server | URI to reach the server's relay service |