Key Takeaways

• Cyble Research and Intelligence Labs (CRIL) detected a continuous phishing effort aimed at the cryptocurrency community and healthcare organizations in the US. 
• The campaign’s focus on both cryptocurrency individuals and healthcare entities suggests a wide-reaching and potentially significant threat. 
• Threat Actors (TAs) are using phishing sites to distribute ScreenConnect, a legitimate remote support tool by ConnectWise Inc., for malicious purposes. 
• This campaign employs tactics like subdomain takeover to host phishing sites, demonstrating the attackers’ sophistication. 
• By exploiting ScreenConnect, TAs gain unauthorized access to victim systems, enabling them to conduct further malicious operations. 
• There is a notable pattern of TAs repeatedly targeting the healthcare sector via ScreenConnect, indicating a focused exploitation of this sector’s vulnerabilities.

Overview

Recently, CRIL observed a significant uptick in the number of samples submitted to VirusTotal under the file name “screenconnect”. Upon initial investigation, we discovered that a majority of these samples are ScreenConnect clients controlled by TAs. This observation raises concerns as it indicates a potential trend of malicious usage or exploitation of ScreenConnect software by TAs for unauthorized or nefarious activities. 

ConnectWise ScreenConnect is a widely used remote support and administration tool compatible with Linux, Windows, and Mac systems. It is commonly employed by IT professionals and Managed Service Providers (MSPs). ScreenConnect enables users to securely connect to client devices, remotely view desktops, transfer files, engage in user chats, and execute various administrative tasks, effectively simulating physical presence at the machine. 

The image below shows the count of Screenconnect sample submissions to VirusTotal over the past three months. 

Figure 1 – Screenconnect files observed in the last 3 months 

Upon noticing this increase in the usage of the ScreenConnect tool, our research team carried out an in-depth investigation to determine the underlying factors driving this surge. As a result, CRIL discovered an ongoing phishing campaign where TAs have employed phishing websites closely resembling genuine cryptocurrency platforms and healthcare entities, primarily targeting individuals located in the United States.  

Furthermore, we have observed an instance where TAs have utilized subdomain takeover to host phishing pages. The image below shows a phishing site from this campaign hosted using subdomain takeover. 

Figure 2 – Phishing Site Hosted Using Subdomain Takeover 

When users navigate to these phishing sites and click on appealing offers or applications for installation, they unwittingly fall victim to the ScreenConnect server controlled by TAs. 

After the machine is compromised, TAs may exploit ScreenConnect features to covertly extract sensitive data or deploy malware for subsequent cyber operations. 

Campaign analysis 

The analysis of this campaign has revealed a concerning pattern involving the detection of numerous phishing sites targeting a diverse array of victims. These sites display a dual nature, with some pretending to be cryptocurrency platforms while others mimic entities associated with healthcare sectors. However, despite the varied site names and apparent themes, the files being downloaded upon interaction share a common trait—they are named after cryptocurrencies. 

Examples of a few phishing sites identified as part of this campaign include: 

• hxxps://rollecoin[.]online 
• sgacor.kenparkmdpllc[.]com 

File names associated with this campaign include: 

• Windows-Rollercoin.exe 
• CryptoNex200%24Voucher.exe

Phishing campaign targeting Cryptocurrency users 

During our analysis of the phishing site “hxxps://rollecoin[.]online/“, it became evident that its design closely resembles the legitimate website “rollercoin[.]com“. The legit site offers users an engaging online Bitcoin mining simulator game, providing them with the opportunity to earn real cryptocurrency while playing. The following image shows both the legitimate website and the phishing site.

Figure 3 – Legit site (Top) and Phishing site(bottom) 

By utilizing this phishing site, TAs trick visitors into thinking they are interacting with the genuine platform. However, rather than offering a legitimate gaming experience, it likely employs deceptive methods to entice users into downloading ScreenConnect client files.  

In another instance, we came across multiple websites hosted within the same domain, all of which purported to offer free cryptocurrency coins to users who played their games. These websites, located at the domain “minerclouds[.]xyz,” included “minerclouds[.]xyz/addcoin/,” “minerclouds[.]xyz/autoclaim/,” and “minerclouds[.]xyz/blocks/.” They were designed with the intention of targeting cryptocurrency enthusiasts. 

The underlying premise of these sites was to entice users with the promise of earning cryptocurrency rewards simply by using the simulator/game. However, upon closer examination, it became evident that these websites were fraudulent, seeking to deceive users into downloading ScreenConnect clients.  

The image below shows a collage featuring several phishing sites hosted on the ‘minerclouds[.]xyz’ domain, highlighting the prevalence and sophistication of such deceptive schemes within the cryptocurrency community. 

Figure 4 – Several phishing sites hosted on a single domain 

Phishing campaign targeting healthcare entities 

In the second phishing campaign, the primary targets are healthcare entities via a fraudulent site hosted using a subdomain takeover, masquerading under “sgacor.kenparkmdpllc[.]com”. Notably, the main domain, “kenparkmdpllc.com”, is affiliated with a healthcare clinic based in the US. The image below shows the phishing site hosted using subdomain takeover. 

Figure 5 – Phishing site 1 targeting healthcare entities 

The next phishing site identified is “cloudmine[.]online/CloudMine”, which impersonates the authentic CloudMine platform. This platform offers secure data enablement solutions for healthcare and pharmaceutical organizations. However, this deceptive site lures users into downloading the ScreenConnect client controlled by the TAs. The figure below shows that the phishing site capitalizes on the trust associated with CloudMine services to trick targeted users into downloading ScreenConnect files. 

Figure 6 – Phishing site 2 targeting healthcare entities

Technical Analysis of ScreenConnect Client 

Upon executing the downloaded TA-controlled ScreenConnect client file, it results in the deployment of a Microsoft Installer file (MSI) named “setup.msi”, which is dropped in the %temp% directory. The below image shows the extracted contents of the .msi file. 

Figure 7 – Extracted content of the setup,msi file

This setup.msi file facilitates the installation of the ScreenConnect service on the victim machine. 

The ScreenConnect service is executed with a launch parameter hardcoded within one of the components found in the MSI file, as highlighted in Figure 7. The image below displays the client service launch parameters when launched.

Figure 8 – Screenconnect client launched with predefined parameters

Each session of ScreenConnect is initialized using the Client Launch Parameters. The parameters are detailed in the table below. 

Parameter	Description
e=Access	The type of session (Support, Meet, or Access)
y=Guest	The session’s participant type (Guest or Host)
h=instance-xxxxxx-relay.screenconnect.com	URI to reach the server’s relay service
p=443	Port on which the relay service operates
s=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx	The GUID is used to identify the client to the server
k	The encryption key used to verify the server’s identity
v	Unknown

These parameters enable the TAs to determine which target has been infected or the source of the infection. Once the server accepts the client, TAs may exploit ScreenConnect features to stealthily extract sensitive data or deploy malware for further cyber operations. 

In our scenario, we have not detected any active communication between the server and the client, leaving us uncertain about the next stage of the attack. 

Previous Incidents Involving ScreenConnect

• In February 2021, Anomali’s blog highlighted suspicions that Static Kitten may be exploiting ScreenConnect features to either extract sensitive data or aid in the dissemination of malware for subsequent cyber activities. 
• In May 2022, Blackpoint detected an incident involving the deployment of BlackCat/ALPHV ransomware via ScreenConnect. 
• In November 2023, researchers at the managed security platform Huntress identified attacks leveraging ScreenConnect. They observed these attacks on endpoints belonging to two separate healthcare organizations, along with signs of network reconnaissance in preparation for further attack escalation. 

Conclusion

The recent surge in the usage of ScreenConnect, coupled with the discovery of a sophisticated phishing campaign, emphasizes the critical need for bolstered cybersecurity measures. The abuse of legitimate software by TAs for malicious purposes not only highlights the evolving landscape of cyber threats but also underscores the severity of such attacks, especially when targeting healthcare organizations. 

Once compromised, systems become vulnerable to exploitation by TAs, thereby posing multifaceted risks ranging from data theft to Threat Actors gaining access to sensitive information and the deployment of ransomware and other forms of malicious software.  

These threats can have far-reaching consequences, including financial losses, reputational damage, and disruptions to critical healthcare services, ultimately jeopardizing patient safety and privacy. Therefore, healthcare organizations must implement robust cybersecurity protocols, including regular security assessments, employee training programs, and the widespread use of advanced threat detection and response mechanisms, to mitigate the risks posed by evolving cyber threats. 

Our Recommendations  

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below: 

• Instruct users to refrain from opening untrusted links without verifying their authenticity. 
• Do not download applications from unknown sources.  
• Monitor for suspicious activities like TAs installing additional tools or software into the system.  
• Healthcare organizations must acknowledge the seriousness of such intrusions and take unified actions to protect their infrastructure. 
• Organizations should conduct regular security awareness and infosec training sessions for their workforce to educate them about phishing attacks, their impact, and how to recognize fraudulent websites. 

MITRE ATT&CK® Techniques

Tactic	Technique	Procedure
Initial Access (TA0001)	Phishing (T1566.002)	TAs send Unwanted ScreenConnect clients via  phishing websites
Execution  (TA0002)	User Execution (T1204)	Users need to manually execute the downloaded file
C&C (TA0011)	Remote Access Software (T1219)	TAs use legitimate desktop support and remote  access software to establish an interactive  command and control channel to target systems  within networks.

Indicators of Compromise (IOCs)

Indicators	Indicators Type	Description
hxxps://rollecoin[.]online/download[.]html	URL	Phishing site
hxxps://cloudmine[.]online/CloudMine/CloudMine1_5[.]exe?e=Access&y=Guest	URL	Phishing site
hxxps://sgacor[.]kenparkmdpllc[.]com/	URL	Phishing site
hxxps://minerclouds[.]xyz/	URL	Phishing site
Claimbloacks[.]xyz	Domain	Phishing site
Addonswallet[.]lat	Domain	Phishing site
03b9ee39f5316efe71b0c915374da7d3d4b393ed402d4fe6b57cbc38ac60783b	SHA256	ScreenConnect Client downloaded from rollecoin
e594dc53d2bf4518632e9ca4308a11a0b10409f035554255bbdc7e3f577fe585	SHA256	ScreenConnect Client downloaded from cloudmine
afd0c82318a32f3a82bbc8320e03e33ee84e3fb3c8a64b3fe06a48fc37682dae	SHA256	ScreenConnect Client downloaded from minerclouds
instance-anbr85-relay.screenconnect[.]com instance-b5lwpw-relay.screenconnect[.]com instance-oisw57-relay.screenconnect[.]com	Relay server	URI to reach the server’s relay service

Related