#threatreport #LowCompleteness
ConnectUnwise: Threat actors abuse ConnectWise as builder for signed malware | 28-06-2025
Source: https://t.co/S4jKLk4MZN
Key details below ↓
Threats:
Screenconnect_tool,
CVEs: CVE-2024-1709 \[[Vulners](https://t.co/DDyKoz3SZq)]
- CVSS V3.1: *10.0*,
- Vulners: Exploitation: True
Soft:
- connectwise screenconnect (<23.9.8)
CVE-2024-1708 \[[Vulners](https://t.co/kdi8ppUglw)]
- CVSS V3.1: *8.4*,
- Vulners: Exploitation: True
Soft:
- connectwise screenconnect (<23.9.8)
LLM extracted TTPs:
T1036.005, T1204.002, T1553.006, T1566.002
IOCs:
- Hash: 25
- File: 24
Software: Windows Authenticode, Google Chrome
Programming Languages: python
#threatreport:
Since March 2025 there has been a marked rise in malware infections that use validly signed ConnectWise (ScreenConnect) software. The enabler is a signing practice on ConnectWise's side that lets threat actors modify the installer while its Authenticode signature stays valid. The trend is tied to a resurgence of the ConnectWise abuse that followed two vulnerabilities disclosed in February 2024, CVE-2024-1708 and CVE-2024-1709. The current wave is attributed to a new malware strain, named "EvilConwi", which relies on these still-valid signatures to distribute trojanized ConnectWise builds posing as other applications.
Victims typically report infections that begin with a phishing email leading to a fake page posing as a legitimate application. In one common scenario the user clicked a OneDrive link, was redirected to a Canva page, and downloaded a malicious ConnectWise installer from there. Once the remote session is active, users describe the mouse moving on its own and fake Windows Update prompts; both are signs of the compromise.
To enable detection of these malicious ConnectWise samples, a comparative analysis was performed with PortexAnalyzer, which exposed notable characteristics in their certificate tables. An Authenticode linter was then used to examine the samples and showed that both carry unauthenticated attributes. Unauthenticated attributes live in the PKCS#7 SignerInfo but are not covered by the signed hash, so their contents can be changed after signing without invalidating the signature. This pointed to Authenticode stuffing: storing extra data inside the signature structure, where signature verification does not look, so that a modified file still verifies as validly signed.
Further investigation found configuration settings embedded within the samples. A configuration dumper was written to extract and parse them; it showed that the threat actors change the client's behaviour to suppress the user-facing indicators of a remote session (such as the tray icon) and add misleading visual components, such as fake Windows Update screens. These modifications both disguise the malware and keep the victim unaware, leaving the system accessible for longer.
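As an added example (not code from the report, and not the author's linter or configuration dumper), the following Python script implements the check behind the two paragraphs above: it locates the Authenticode signature in a PE file via the security data directory, walks the PKCS#7 SignedData with a minimal DER parser, lists every unauthenticated attribute of each SignerInfo with its OID and size, and reports bytes trailing the DER structure inside WIN_CERTIFICATE. Neither location is covered by signature verification, so unusually large content there is what a stuffed file looks like, and isolating those attribute bytes is also the first step of any configuration dumper. The PE built by `build_sample_pe` is constructed here for demonstration only, with a placeholder attribute OID 1.2.3.4 and dummy signature bytes; it is not a real ConnectWise binary and would not verify.

```python
"""List unauthenticated (unsigned) Authenticode attributes and trailing bytes in a PE.
Added example; not the tooling from the report. Handles a single WIN_CERTIFICATE entry."""
import struct


def der_walk(buf, off=0, end=None):
    """Yield (tag, header_len, length, body_offset) for each DER TLV in buf[off:end].
    Single-byte tags only, which is all PKCS#7 uses."""
    end = len(buf) if end is None else end
    while off < end:
        tag, first = buf[off], buf[off + 1]
        if first < 0x80:
            length, hdr = first, 2
        else:
            n = first & 0x7F
            length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
        yield tag, hdr, length, off + hdr
        off += hdr + length


def der_children(buf, body_off, length):
    return list(der_walk(buf, body_off, body_off + length))


def decode_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def security_directory(pe):
    """Return (file offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY (index 4)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    assert pe[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE file"
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (0x70 if magic == 0x20B else 0x60)   # PE32+ vs PE32 data directory start
    return struct.unpack_from("<II", pe, dirs + 4 * 8)


def unsigned_attributes(pe):
    """Return ([(oid, attribute_size_bytes), ...], bytes_after_der_end)."""
    off, size = security_directory(pe)
    dw_len, _rev, ctype = struct.unpack_from("<IHH", pe, off)
    assert ctype == 0x0002 and dw_len <= size, "expected WIN_CERT_TYPE_PKCS_SIGNED_DATA"
    blob = pe[off + 8:off + dw_len]
    _tag, ci_hdr, ci_len, ci_body = next(der_walk(blob))
    trailing = len(blob) - (ci_hdr + ci_len)   # legit files: 0..7 bytes of alignment padding
    _oid, explicit = der_children(blob, ci_body, ci_len)        # ContentInfo { OID, [0] { SignedData } }
    signed_data = der_children(blob, explicit[3], explicit[2])[0]
    signer_infos = der_children(blob, signed_data[3], signed_data[2])[-1]   # last field of SignedData
    report = []
    for si in der_children(blob, signer_infos[3], signer_infos[2]):
        last = der_children(blob, si[3], si[2])[-1]
        if last[0] != 0xA1:                     # unsignedAttrs is [1] IMPLICIT, always last when present
            continue
        for attr in der_children(blob, last[3], last[2]):      # Attribute { OID, SET OF value }
            oid, _values = der_children(blob, attr[3], attr[2])
            report.append((decode_oid(blob[oid[3]:oid[3] + oid[2]]), attr[1] + attr[2]))
    return report, trailing


def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_pe(stuffed_blob):
    """Constructed toy PE32+ with a fake PKCS#7 SignedData in its security directory.
    stuffed_blob=None yields a SignerInfo without unsignedAttrs. Dummy signature bytes."""
    oid_signed_data = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2
    oid_data = bytes.fromhex("2a864886f70d010701")          # 1.2.840.113549.1.7.1
    oid_toy_attr = bytes.fromhex("2a0304")                  # 1.2.3.4, placeholder (assumption)
    unsigned = b"" if stuffed_blob is None else tlv(
        0xA1, tlv(0x30, tlv(0x06, oid_toy_attr) + tlv(0x31, tlv(0x04, stuffed_blob))))
    signer_info = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x30, b"") + tlv(0x30, b"")
                      + tlv(0x30, b"") + tlv(0x04, b"\0" * 16) + unsigned)
    signed_data = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"")
                      + tlv(0x30, tlv(0x06, oid_data)) + tlv(0x31, signer_info))
    content_info = tlv(0x30, tlv(0x06, oid_signed_data) + tlv(0xA0, signed_data))
    pad = (-(8 + len(content_info))) % 8
    win_cert = struct.pack("<IHH", 8 + len(content_info) + pad, 0x0200, 0x0002) + content_info + b"\0" * pad
    cert_off = 0x200
    pe = bytearray(cert_off)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)                 # e_lfanew
    pe[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", pe, 0x44, 0x8664, 0)           # Machine, NumberOfSections
    struct.pack_into("<H", pe, 0x58, 0x20B)                # PE32+ magic
    struct.pack_into("<II", pe, 0x58 + 0x70 + 4 * 8, cert_off, len(win_cert))
    return bytes(pe) + win_cert


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(b"A" * 500)
    attrs, trailing = unsigned_attributes(data)
    for oid, n in attrs:
        print(f"unauthenticated attribute {oid}: {n} bytes")
    print(f"bytes after DER end inside WIN_CERTIFICATE: {trailing}")
```

Run it with a file path to inspect a real binary. A baseline for legitimately signed files is that the unauthenticated attributes hold only a countersignature (OID 1.2.840.113549.1.9.6 for the legacy form, 1.3.6.1.4.1.311.3.3.1 for RFC 3161) and the trailing bytes are at most seven bytes of alignment padding; anything else, and in particular a multi-kilobyte attribute under an unexpected OID, deserves a look. The script does not verify the signature itself, so pair it with a normal Authenticode verification to confirm that the modified file still validates.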
Abuse of the signing mechanism raises the stakes considerably, because it lets threat actors build tailored remote access tools that pass as legitimately signed software. This remains a critical threat until ConnectWise fixes the underlying issue in its signing process. ConnectWise was informed of the problem on June 12, 2025, and on June 17 the signatures of the abused samples were observed to have been revoked, indicating a response to the emerging threat. Revocation only protects hosts whose verification actually checks revocation status, so defenders should not rely on it alone and should also detect on the suppressed session indicators and the signature anomalies described above.