
In a significant development, threat actors are increasingly exploiting legitimate software platforms, particularly remote access tools like ScreenConnect, using advanced evasion tactics. A prominent technique observed is Authenticode stuffing, where malicious code is stealthily appended to seemingly legitimate executable files after the valid digital signature.
This method is particularly insidious because standard security software often verifies file integrity primarily by checking the digital signature. Because the harmful code is placed after the signed portion, outside the region the signature hash covers, signature validation still passes and the tampered file appears legitimate. When these modified ScreenConnect installers or updates are run, the appended malicious payload is executed, bypassing initial defenses.
This technique is being weaponized to deliver devastating payloads, including notorious strains of ransomware and data-stealing infostealers. Attackers gain persistent access, enabling them to encrypt sensitive data or exfiltrate valuable information, leading to significant operational disruption and financial loss for targeted organizations.
The rise of Authenticode stuffing highlights the critical need for modern cybersecurity defenses that go beyond simple signature checks. Effective protection requires a layered approach, including immediate patching of known vulnerabilities in remote access software, deploying sophisticated endpoint detection and response (EDR) systems that monitor behavioral anomalies, and continuous security awareness training. Relying solely on traditional signature-based detection is no longer sufficient against these evolving threats. Staying ahead requires proactive defense strategies and advanced threat hunting capabilities.
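A defender-side check that goes beyond "is the signature valid": the Authenticode hash does not cover the bytes inside the PE certificate table beyond the DER-encoded PKCS#7 blob, nor any bytes appended after that table, so measuring both regions exposes stuffed payload in a file that still verifies. This is an added example, not code from the article or from ScreenConnect; the PE images it inspects are constructed in `build_sample_pe` with a stand-in DER blob rather than a real signature.

```python
import struct

def _der_total_length(buf: bytes) -> int:
    """Size of the outermost DER TLV (tag + length bytes + content)."""
    if not buf or buf[0] != 0x30:
        raise ValueError("certificate table does not start with a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def unsigned_regions(data: bytes):
    """Return (slack, trailing) byte counts not covered by the Authenticode hash,
    or None if the PE has no certificate table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                                   # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = opt + (112 if magic == 0x20B else 96)       # PE32+ vs PE32 data directories
    sec_off, sec_size = struct.unpack_from("<II", data, dd_base + 4 * 8)  # security dir
    if sec_size == 0:
        return None
    dw_length, _rev, cert_type = struct.unpack_from("<IHH", data, sec_off)  # WIN_CERTIFICATE
    if cert_type != 0x0002:                               # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        raise ValueError("unexpected certificate type")
    der = data[sec_off + 8:sec_off + dw_length]
    allowed = (_der_total_length(der) + 7) & ~7           # blob plus 8-byte alignment pad
    slack = max(0, len(der) - allowed)                    # extra bytes hidden in the table
    trailing = len(data) - (sec_off + sec_size)           # bytes appended after the table
    return slack, trailing

def build_sample_pe(stuffed: bytes = b"") -> bytes:
    """Constructed minimal PE32+ with a fake certificate table (not a real signature)."""
    pkcs7 = b"\x30\x06\x04\x04TEST"                       # stand-in for the PKCS#7 blob
    cert = pkcs7 + stuffed
    cert += b"\0" * (-(8 + len(cert)) % 8)                # align dwLength to 8 bytes
    win_cert = struct.pack("<IHH", 8 + len(cert), 0x0200, 0x0002) + cert
    e_lfanew, opt_size = 0x40, 240
    sec_off = e_lfanew + 4 + 20 + opt_size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<II", opt, 112 + 4 * 8, sec_off, len(win_cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + win_cert

if __name__ == "__main__":
    print("clean:", unsigned_regions(build_sample_pe()))
    print("stuffed:", unsigned_regions(build_sample_pe(b"X" * 20)))
```

Any non-zero slack or trailing count on a signed binary is worth an alert in EDR or hunting logic, since a legitimately signed build normally carries only alignment padding there.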
Source: https://www.bleepingcomputer.com/news/security/hackers-turn-screenconnect-into-malware-using-authenticode-stuffing/