OPERATION SILENTCANVAS : JPEG BASED MULTISTAGE POWERSHELL INTRUSION

CYFIRMA identified a multi-stage intrusion in which a weaponized PowerShell payload, disguised as an image file named sysupdate.jpeg, deployed a trojanized ConnectWise ScreenConnect instance for covert remote access. The chain relied on an AMSI bypass, on-host .NET compilation, a fileless UAC bypass, and encrypted command-and-control through legitserver.theworkpc[.]com and 45.138.16[.]64.

Key points

  • CYFIRMA analyzed a stealth-focused intrusion chain built around a malicious PowerShell loader disguised as a JPEG file named sysupdate.jpeg.
  • The attack deployed a trojanized ConnectWise ScreenConnect framework to provide persistent covert remote access inside the victim environment.
  • The malware abused Microsoft LOLBins including csc.exe, cvtres.exe, and ComputerDefaults.exe to compile payloads and bypass UAC.
  • A registry-based ms-settings hijack enabled fileless privilege escalation without showing a visible UAC prompt.
  • The payload established persistence through a malicious Windows service masquerading as OneDriveServers and used encrypted C2 communications.
  • Static analysis showed support for credential interception, hidden desktop interaction, surveillance, remote command execution, and SYSTEM-level operations.
  • The threat used extensive obfuscation, anti-analysis measures, and signed binary abuse to reduce detection and forensic visibility.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The infection likely began through deceptive delivery of the weaponized file via phishing emails or malicious attachments (‘phishing emails, malicious attachments’).
  • [T1204.002] User Execution: Malicious File – The victim was tricked into executing a spoofed image file masquerading as harmless content (‘a malicious file named sysupdate.jpeg’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell was the primary loader and execution mechanism for staging, downloading, and running payloads (‘PowerShell payload disguised as a legitimate JPEG image file’).
  • [T1136.001] Create Account: Local Account – The framework supported hidden local account creation and management (‘full lifecycle management of local Windows user accounts’).
  • [T1543.003] Create or Modify System Process: Windows Service – Persistence was established by creating a service masquerading as OneDriveServers (‘persistent service masquerading as OneDriveServers’).
  • [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – The malware abused ComputerDefaults.exe and an ms-settings registry hijack to gain elevated execution (‘perform a fileless UAC bypass’).
  • [T1134.001] Access Token Manipulation: Token Impersonation/Theft – The framework included token manipulation and privilege handling capabilities (‘DuplicateToken()’, ‘ImpersonateLoggedOnUser()’).
  • [T1036.005] Masquerading: Match Legitimate Name or Location – It hid under legitimate-looking paths and names such as C:\Systems and OneDriveServers (‘C:\Systems mimics legitimate Windows paths; OneDriveServer mimics Microsoft OneDrive’).
  • [T1036.008] Masquerading: Masquerade File Type – The malware disguised a script as a JPEG image to mislead users (‘renaming malicious .ps1 payloads to .jpeg extensions’).
  • [T1027] Obfuscated Files or Information – The loader used string reconstruction and runtime manipulation to hide malicious logic (‘string concatenation and replacement operations’).
  • [T1027.010] Obfuscated Files or Information: Command Obfuscation – The PowerShell commands were fragmented and rebuilt at runtime to evade detection (‘fragmented string reconstruction and runtime replacement logic’).
  • [T1027.004] Obfuscated Files or Information: Compile After Delivery – The attacker compiled a launcher on the victim machine using csc.exe (‘dynamically compile a malicious launcher binary directly on the victim system’).
  • [T1553.002] Subvert Trust Controls: Code Signing – The threat abused legitimately signed ConnectWise binaries to blend in (‘abused legitimately signed ConnectWise binaries’).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – AMSI bypass logic was used to reduce inspection (‘designed to bypass the Windows Anti-Malware Scan Interface (AMSI)’).
  • [T1070.004] Indicator Removal on Host: File Deletion – The malware deleted artifacts and self-removed registry keys to reduce traces (‘registry keys self-removed’).
  • [T1112] Modify Registry – The malicious ms-settings handler was created in the registry to enable UAC bypass (‘creates a malicious ms-settings protocol handler inside the registry’).
  • [T1564.001] Hide Artifacts: Hidden Files and Directories – The campaign used hidden staging directories and concealed accounts (‘hidden staging inside C:\Systems’).
  • [T1218] System Binary Proxy Execution – Legitimate binaries such as ComputerDefaults.exe and csc.exe were abused to execute malicious code (‘abuse of ComputerDefaults.exe, csc.exe, and trusted Windows binaries’).
  • [T1497] Virtualization/Sandbox Evasion – Delayed execution and anti-analysis behavior were used to avoid automated detection (‘waits approximately two seconds after execution’).
  • [T1056.001] Input Capture: Keylogging – The framework included keyboard hook-based input capture (‘LowLevelKeyboardHooker leveraging SetWindowsHookEx()’).
  • [T1555] Credentials from Password Stores – Credential storage and handling used DPAPI-protected secrets (‘DPAPI-protected credential storage’).
  • [T1056] Input Capture – The malware intercepted credentials through the Windows logon flow (‘credential interception framework’).
  • [T1113] Screen Capture – Screen capture functionality was built into the malware (‘CaptureScreen(), RecordScreen(), and GetDIBits()’).
  • [T1123] Audio Capture – The framework supported microphone monitoring (‘CaptureMicrophoneSound()’).
  • [T1115] Clipboard Data – Clipboard interception was supported for collection (‘clipboard interception and keystroke injection operations’).
  • [T1518.001] Software Discovery: Security Software Discovery – The malware enumerated antivirus products via WMI (‘enumerate installed antivirus solutions’).
  • [T1082] System Information Discovery – It profiled hardware, OS, and telemetry details from victims (‘extensive victim profiling and hardware telemetry collection’).
  • [T1087] Account Discovery – The malware collected user and session context information (‘enumeration of active sessions and user account contexts’).
  • [T1047] Windows Management Instrumentation – WMI was used to query security products and environment details (‘root\SecurityCenter2 namespace’).
  • [T1127.001] Trusted Developer Utilities Proxy Execution – The attacker used csc.exe and related developer tools to compile payloads (‘abuse of csc.exe and developer utilities’).
  • [T1071.001] Application Layer Protocol: Web Protocols – Encrypted network communications were used for C2 transport (‘encrypted communication’).
  • [T1105] Ingress Tool Transfer – Additional payloads were downloaded from attacker infrastructure (‘Download of OneDriveServer.zip’).
  • [T1219] Remote Access Software – The campaign weaponized ConnectWise ScreenConnect for remote access (‘weaponization of ConnectWise ScreenConnect’).
  • [T1573] Encrypted Channel – PBKDF2/HMAC-SHA256 was used to secure bidirectional C2 traffic (‘encrypted bidirectional command-and-control’).
  • [T1041] Exfiltration Over C2 Channel – File transfer and data movement occurred over the C2 channel (‘File transfer through VirtualStreamSender and VirtualStreamReceiver’).
  • [T1021] Remote Services – The attacker executed remote commands and sessions through the RMM framework (‘Remote process execution and session token abuse’).
  • [T1529] System Shutdown/Reboot – The malware could force reboots into Safe Mode (‘Remote reboot functionality including Safe Mode restart operations’).

Indicators of Compromise

  • [IP Address] attacker-controlled C2 infrastructure and host mapping – 45.138.16[.]64
  • [Domain/Sub-domain] remote ScreenConnect infrastructure used for encrypted sessions – legitserver.theworkpc[.]com
  • [SHA256] malicious payload hashes identified for blocking – 7adffc1c0b3fdcba46e8d0a81203c955976d4ef39893c98d0b2dbfbb8d6a8ec3, ecd5ed16975d556d1d17bc980f248f8a5262bed11df9d9cf999efd9c273c11df
  • [SHA256] additional malicious payload hashes identified for blocking – cea1d85967d2c456fccecae3a70ff2adfe4c113aacf9d18c35906c2ed24ca9b4, e4c9f3bb4a65c640795bfc1a56c0b56485b849ccd97027eed7ad9aa78a732a4f
  • [SHA256] additional malicious payload hashes identified for blocking – ee3d776cdaf82335e4293e19ee313cc35eee49cde9963b96766a8f9c89d44a79, 4d8ac85c5b98c69ba44146df61183e9bf613edd796aa516c3ae73611b7d77c06
  • [File/Script Name] weaponized loader and compiled launcher artifacts – sysupdate.jpeg, uds.exe
  • [File/Archive Name] staged payload and service-related components referenced during execution – OneDriveServer.zip, OneDriveServers
  • [File/Script Path] staging and execution directories used by the intrusion – C:\Systems, C:\Windows\SystemTemp\ScreenConnect
  • [Windows Binary Names] abused LOLBins and legitimate executables used for staging, bypass, and compilation – ComputerDefaults.exe, csc.exe, cvtres.exe
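
The behavioural markers in the key points, MITRE mapping and IoC list above can be turned into host-level detection logic. The following Python sketch is an added example, not code from CYFIRMA or ConnectWise: it runs a small rule set over constructed process, registry, service and network events, and the key=value event format, field names, the ScreenConnect service binary name and the full ms-settings handler key path (HKCU\Software\Classes\ms-settings\Shell\Open\command, from public documentation of the ComputerDefaults.exe technique) are assumptions not stated on the page.

```python
"""Added detection sketch for the sysupdate.jpeg -> csc.exe -> ms-settings -> ScreenConnect chain."""
import re
from collections import defaultdict

C2_IPS = {"45.138.16.64"}  # refanged from the report's IoC list
# Constructed sample telemetry (not real logs): one key=value event per line, quoted values may hold spaces.
SAMPLE_EVENTS = """\
host=WS01 type=proc image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmd="powershell -w hidden -c iex (gc C:\\Systems\\sysupdate.jpeg)" parent=explorer.exe
host=WS01 type=proc image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe cmd="csc.exe /out:C:\\Systems\\uds.exe" parent=powershell.exe
host=WS01 type=reg key=HKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command value=(Default) data="C:\\Systems\\uds.exe"
host=WS01 type=proc image=C:\\Windows\\System32\\ComputerDefaults.exe cmd="ComputerDefaults.exe" parent=powershell.exe
host=WS01 type=svc name=OneDriveServers path="C:\\Windows\\SystemTemp\\ScreenConnect\\ScreenConnect.ClientService.exe"
host=WS01 type=net dst=45.138.16.64 dport=443 image=ScreenConnect.ClientService.exe
host=WS02 type=proc image=C:\\Windows\\System32\\cmd.exe cmd="cmd /c dir" parent=explorer.exe
"""
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Turn one key=value line into a dict (quoted and bare values land under the same key)."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def _proc(event, exe, parent=None):
    """Process start of the given executable, optionally requiring a specific parent image name."""
    return (event.get("type") == "proc" and event.get("image", "").lower().endswith("\\" + exe)
            and (parent is None or event.get("parent", "").lower() == parent))
# One rule per behavioural marker described in the report; several on one host is the chain.
RULES = [
    ("powershell_runs_jpeg_named_script", lambda e: _proc(e, "powershell.exe") and ".jpeg" in e.get("cmd", "").lower()),
    ("csc_compile_from_powershell", lambda e: _proc(e, "csc.exe", "powershell.exe")),
    ("ms_settings_handler_written", lambda e: e.get("type") == "reg"
        and "\\ms-settings\\shell\\open\\command" in e.get("key", "").lower()),
    ("computerdefaults_from_powershell", lambda e: _proc(e, "computerdefaults.exe", "powershell.exe")),
    ("onedrive_lookalike_service", lambda e: e.get("type") == "svc" and e.get("name", "").lower() == "onedriveservers"),
    ("known_c2_address", lambda e: e.get("type") == "net" and e.get("dst") in C2_IPS),
]

def detect(events_text):
    """Map each host to the ordered, de-duplicated list of rule names it triggered."""
    hits = defaultdict(list)
    for line in filter(str.strip, events_text.splitlines()):
        event = parse_event(line)
        for name, pred in RULES:
            if pred(event) and name not in hits[event["host"]]:
                hits[event["host"]].append(name)
    return dict(hits)

def suspected_chain(hits, min_rules=3):
    """Hosts with enough independent markers to treat as a likely SilentCanvas-style intrusion."""
    return sorted(host for host, names in hits.items() if len(names) >= min_rules)
```

Each rule alone is noisy (csc.exe under PowerShell has legitimate uses); the value is in the per-host count, which is why suspected_chain requires several independent markers before flagging.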

Read more: https://www.cyfirma.com/research/operation-silentcanvas-jpeg-based-multistage-powershell-intrusion/