Cybercriminals Exploit ScreenConnect in SmartScreen Bypass Campaign to Gain Stealth Remote Access

1. Introduction: Threat Overview

ConnectWise ScreenConnect (ConnectWise Control) is a remote support and Remote Monitoring & Management (RMM) platform widely deployed by IT operations teams for legitimate remote access, troubleshooting, and endpoint administration.

In recent campaigns, attackers have increasingly abused ScreenConnect itself as a persistence and control tool, combining social engineering, local privilege escalation, security control tampering, and abuse of legitimate software to establish persistent command-and-control (C2) access.

2. Attack Chain: From Phishing to Persistent RAT

2.1 Initial Delivery via Phishing

The observed campaign begins with a social engineering vector:

  • A spoofed email impersonates a trusted organization (e.g., the U.S. Social Security Administration), using deceptive sender domains and content to prompt recipients to run a malicious attachment.
  • The key payload is a .cmd script designed to run silently and escalate privileges while evading antivirus detection.

2.2 SmartScreen Disabling & Code Execution

In the dropped script:

  • The script checks whether it already runs with administrative privileges and, if not, uses techniques such as PowerShell self-elevation through UAC to obtain an administrative context.
  • Windows SmartScreen (a built-in reputation and execution filter) is disabled by editing the relevant registry keys, so that downloaded files are no longer blocked.
  • The script strips the Mark-of-the-Web from the downloaded binaries, preventing many security products from treating them as untrusted.

2.3 Malware Delivery and RMM Installation

Once controls are disabled:

  • An external MSI installer is fetched from an untrusted HTTP endpoint.
  • The MSI installs a ScreenConnect client whose configuration is hard-coded to point at attacker-controlled infrastructure (the remote server address and port are stored in system.config).
  • The client executable is signed, but the signing certificate has been revoked, so trust-chain checks should block it; with SmartScreen disabled, however, it executes silently.

2.4 Persistent Command-and-Control Functionality

  • The installed ScreenConnect client behaves akin to a Remote Access Trojan (RAT), establishing outbound encrypted connections to the attacker’s C2 domain.
  • With remote access, attackers can perform interactive control, data exfiltration, lateral movement, and automation of malicious operations — all under the guise of a legitimate RMM tool.

3. Technical Analysis: Why This Attack Works

3.1 Abuse of Legitimate Trust and Execution Controls

Unlike traditional malware, this technique “lives off the land” by:

  • Using legitimate ScreenConnect binaries rather than custom malware, which reduces detection by static scanner rules and reputation systems.
  • Exploiting the fact that many organizations allow-list ScreenConnect as trusted RMM software.

3.2 SmartScreen and Mark-of-the-Web (MoTW)

Windows SmartScreen and the Mark-of-the-Web (MoTW) work together to protect users by warning about or blocking untrusted downloaded binaries:

  • With SmartScreen disabled and MoTW removed, downloaded binaries execute without user prompts or warnings.
  • Removing MoTW bypasses a key endpoint security signal that many next-gen protection tools monitor.
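The two tampering steps described in sections 2.2 and 3.2 leave traces in endpoint telemetry: a registry value being set to turn SmartScreen off, and a process command line that strips the Zone.Identifier stream. The following detection logic is an added example, not code from the report or from Forcepoint. It assumes Sysmon-style records (event 13 for registry value sets, event 1 for process creation) and uses the well-known SmartScreen policy and Explorer registry locations, since the report does not name the exact keys the .cmd script edits. The sample events are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Finding:
    rule: str
    record_id: int
    evidence: str


# Well-known SmartScreen settings and the values that turn the control off.
# Assumption: the report does not name the keys the .cmd script edits, so these
# are the standard policy and Explorer locations an administrator would audit.
SMARTSCREEN_OFF_VALUES = {
    r"hklm\software\policies\microsoft\windows\system\enablesmartscreen": {"0"},
    r"hklm\software\microsoft\windows\currentversion\explorer\smartscreenenabled": {"off"},
    r"hkcu\software\microsoft\windows\currentversion\apphost\enablewebcontentevaluation": {"0"},
}

# Command-line fragments that remove the Mark-of-the-Web: the Unblock-File
# cmdlet, or direct handling of the Zone.Identifier alternate data stream.
MOTW_REMOVAL = re.compile(r"unblock-file|zone\.identifier", re.IGNORECASE)

_HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}


def normalize_reg_path(path: str) -> str:
    """Lower-case the path and collapse long hive names to hklm/hkcu."""
    path = path.strip().lower().replace("/", "\\")
    hive, sep, rest = path.partition("\\")
    return _HIVE_ALIASES.get(hive, hive) + sep + rest


def normalize_reg_value(details: str) -> str:
    """Sysmon writes DWORDs as 'DWORD (0x00000000)'; reduce that to '0'."""
    m = re.fullmatch(r"dword \(0x([0-9a-f]+)\)", details.strip().lower())
    return str(int(m.group(1), 16)) if m else details.strip().lower()


def check_registry_event(event: dict) -> Optional[Finding]:
    """Sysmon event 13 (RegistryEvent, value set): flag SmartScreen being turned off."""
    key = normalize_reg_path(event["TargetObject"])
    off_values = SMARTSCREEN_OFF_VALUES.get(key)
    if off_values and normalize_reg_value(event["Details"]) in off_values:
        return Finding("smartscreen_disabled", event["record_id"],
                       f"{event['TargetObject']} = {event['Details']}")
    return None


def check_process_event(event: dict) -> Optional[Finding]:
    """Sysmon event 1 (ProcessCreate): flag command lines that strip MoTW."""
    if MOTW_REMOVAL.search(event["CommandLine"]):
        return Finding("motw_removed", event["record_id"], event["CommandLine"])
    return None


def analyze(events: Iterable[dict]) -> List[Finding]:
    """Run both checks over a stream of events and collect the findings."""
    findings = []
    for ev in events:
        finding = None
        if ev["event_id"] == 13:
            finding = check_registry_event(ev)
        elif ev["event_id"] == 1:
            finding = check_process_event(ev)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real events from the campaign).
SAMPLE_EVENTS = [
    {"record_id": 1, "event_id": 13,
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\System\EnableSmartScreen",
     "Details": "DWORD (0x00000000)"},
    {"record_id": 2, "event_id": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SmartScreenEnabled",
     "Details": "Off"},
    {"record_id": 3, "event_id": 13,  # benign: SmartScreen being turned back on
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\EnableSmartScreen",
     "Details": "DWORD (0x00000001)"},
    {"record_id": 4, "event_id": 1,
     "CommandLine": r'powershell.exe -NoProfile -Command "Unblock-File -Path C:\Users\Public\setup.msi"'},
    {"record_id": 5, "event_id": 1,  # benign process launch
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt'},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] record {f.record_id}: {f.evidence}")
```

Normalizing hive names and DWORD renderings before comparison matters in practice: the same write shows up as HKLM or HKEY_LOCAL_MACHINE depending on the sensor, and a rule keyed on the raw string misses one of the two forms. Record 3 shows why the value is checked as well as the key: re-enabling SmartScreen touches the same path and must not fire.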

3.3 Revoked Certificate Circumvention

  • Although the ScreenConnect client binary was signed with a revoked certificate, traditional certificate revocation checks can be bypassed at execution time if SmartScreen and related controls are disabled.

4. Real-World Context: RMM Abuse Trend

This pattern is part of a broader trend where attackers increasingly misuse RMM and remote support tools rather than deploy custom backdoors. Reasons include:

  • High trust and ubiquity in enterprise environments.
  • Low suspicion, making anomalous activity harder to detect with traditional defenses.
  • Known vulnerabilities in ScreenConnect (e.g., authentication bypass, path traversal, ViewState injection) have previously been exploited, emphasizing the necessity to patch and monitor instances.

5. Defensive Considerations & Recommendations

To mitigate similar threats, defenders should consider:

5.1 Software Hygiene

  • Immediately patch ScreenConnect deployments to the latest supported version; cloud instances are generally updated automatically.
  • Monitor endpoints for outdated binaries and for binaries signed with revoked certificates.

5.2 Endpoint Control and Security Policies

  • Enforce application allow-listing to block execution of binaries from untrusted sources.
  • Retain SmartScreen and MoTW protections as mandatory policies.
  • Implement behavior-based detection that flags unusual remote access tool invocations.

5.3 Network and C2 Detection

  • Use egress filtering, DNS monitoring, and network behavioral analytics to catch beaconing to unusual external domains.
  • Prioritize logs and alerts on RMM-related outbound connections.
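Two of the network-side checks above can be expressed directly over outbound-connection records: an RMM client process talking to a relay other than the organization's own (the hard-coded attacker relay from section 2.3), and any destination contacted at suspiciously regular intervals (the beaconing that section 5.3 asks defenders to catch). The code below is an added example, not from the report or from Forcepoint. It assumes a constructed pipe-separated log format, an assumed approved-relay list, and the standard ScreenConnect client process names; the sample log is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Conn:
    ts: datetime
    image: str       # process image name, lower-cased
    dest_host: str
    dest_port: int


# Assumptions: the organization's own ScreenConnect relay host, and the standard
# ScreenConnect client process names. Neither value comes from the report.
APPROVED_RELAYS = {"support.example-corp.internal"}
RMM_IMAGES = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}


def parse_log(lines: Iterable[str]) -> List[Conn]:
    """Parse 'timestamp|image|dest_host|dest_port' records (constructed format)."""
    conns = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, image, host, port = line.split("|")
        conns.append(Conn(datetime.fromisoformat(ts), image.lower(), host.lower(), int(port)))
    return conns


def unapproved_rmm_connections(conns: Iterable[Conn]) -> List[Tuple[str, str, int]]:
    """RMM client process talking to a relay that is not the organization's own."""
    seen: List[Tuple[str, str, int]] = []
    for c in conns:
        key = (c.image, c.dest_host, c.dest_port)
        if c.image in RMM_IMAGES and c.dest_host not in APPROVED_RELAYS and key not in seen:
            seen.append(key)
    return seen


def periodic_destinations(conns: Iterable[Conn], min_count: int = 4,
                          max_cv: float = 0.2) -> List[Tuple[str, str, float]]:
    """Destinations contacted at regular intervals (beacon-like behaviour).

    Groups by (image, host), sorts the timestamps, and flags a group when it has
    at least min_count connections and the coefficient of variation of the gaps
    between them is below max_cv. Returns (image, host, mean gap in seconds).
    """
    groups: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for c in conns:
        groups[(c.image, c.dest_host)].append(c.ts)
    flagged = []
    for (image, host), stamps in groups.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            flagged.append((image, host, avg))
    return flagged


# Constructed outbound-connection log (not real telemetry from the campaign).
SAMPLE_LOG = """
# ts|image|dest_host|dest_port
2024-05-01T10:00:00|ScreenConnect.ClientService.exe|relay.attacker-controlled.example|8041
2024-05-01T10:00:05|chrome.exe|cdn.example.org|443
2024-05-01T10:00:10|chrome.exe|cdn.example.org|443
2024-05-01T10:00:30|ScreenConnect.ClientService.exe|support.example-corp.internal|443
2024-05-01T10:01:00|ScreenConnect.ClientService.exe|relay.attacker-controlled.example|8041
2024-05-01T10:02:01|ScreenConnect.ClientService.exe|relay.attacker-controlled.example|8041
2024-05-01T10:03:00|ScreenConnect.ClientService.exe|relay.attacker-controlled.example|8041
2024-05-01T10:04:00|ScreenConnect.ClientService.exe|relay.attacker-controlled.example|8041
2024-05-01T10:05:05|chrome.exe|cdn.example.org|443
2024-05-01T10:05:15|chrome.exe|cdn.example.org|443
""".strip().splitlines()

if __name__ == "__main__":
    conns = parse_log(SAMPLE_LOG)
    for image, host, port in unapproved_rmm_connections(conns):
        print(f"unapproved RMM relay: {image} -> {host}:{port}")
    for image, host, avg in periodic_destinations(conns):
        print(f"periodic destination: {image} -> {host} every {avg:.0f}s")
```

The allow-list check is the high-confidence signal: a ScreenConnect client inside the estate has exactly one legitimate relay to talk to, so any other host is worth an alert regardless of timing. The periodicity check is the generic fallback for tools that are not on the RMM list; it is deliberately thresholded on the coefficient of variation rather than a fixed interval, so a browser's bursty traffic to a CDN (the chrome.exe lines) does not fire while an evenly spaced keep-alive does.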

Conclusion

The ScreenConnect attack observed by Forcepoint X-Labs demonstrates a hybrid exploitation strategy where attackers combine social engineering, endpoint security tampering, and abuse of trusted administrative tools to achieve persistence and stealthy remote control.

This approach highlights a growing class of threats in which legitimate enterprise software becomes the attack delivery and command-and-control vehicle, requiring defenders to update traditional detection models and enforce strict software, process, and policy controls.