In a newly identified cyberattack, hackers are leveraging seemingly innocent JPEG files to infiltrate Windows systems with malware. This sophisticated operation, dubbed Operation SilentCanvas, disguises a malicious PowerShell script as a JPEG image, granting attackers stealthy control over compromised machines.
How the Cyberattack Unfolds
The attack initiates when a targeted user receives a file named sysupdate.jpeg via phishing emails, misleading software updates, or deceptive file-sharing links. Despite its JPEG extension, the file contains no actual image data. Instead, it harbors a PowerShell script designed to establish a staging environment and download further harmful components from servers controlled by the attackers.
Security researchers at Cyfirma have traced this attack’s progression, highlighting its reliance on a combination of advanced techniques to evade detection and deepen system infiltration. The malicious file, once executed, leads to the deployment of a trojanized version of ConnectWise ScreenConnect, a legitimate remote access tool. This altered software provides a hidden backdoor, blending seamlessly with trusted applications.
Technical Breakdown of the Attack
The file sysupdate.jpeg lacks the standard image header, enabling it to bypass Windows script detection. When activated, it creates a hidden directory and downloads a compromised ScreenConnect package from legitserver.theworkpc[.]com using TCP port 5443. The malware employs runtime string reconstruction to avoid antivirus detection, and a secondary payload, access.jpeg, is executed directly in memory, leaving no trace on the disk.
The attack chain further involves the Microsoft .NET compiler, csc.exe, which builds a custom launcher named uds.exe on the victim’s machine. This approach ensures each binary has a unique signature, thwarting signature-based scanning efforts.
Post-Compromise Consequences
Once operational, the trojanized ScreenConnect tool allows attackers extensive control over the victim’s system. Capabilities include real-time screen monitoring, video and audio capture, keystroke logging, and encrypted file transfers to evade network inspections. Additionally, a hidden Windows service named OneDriveServers ensures malware persistence across system reboots.
Attackers can intercept credentials at the login screen and create hidden administrator accounts for sustained access. Security teams are advised to monitor execution of commonly abused Windows binaries, enforce strict remote access controls, and implement detection rules for suspicious PowerShell activity.
Security Recommendations and Future Outlook
Organizations are encouraged to block or closely monitor execution of binaries like csc.exe and ComputerDefaults.exe, and to reset credentials for all privileged accounts following potential exposure. The detailed indicators of compromise (IoCs) provided can assist in identifying affected systems and preventing further breaches.
As cyber threats evolve, staying informed about attack methodologies and maintaining robust security practices is crucial for safeguarding digital assets. Regular updates and vigilance remain key defenses against such advanced cyber threats.
