Authenticode Stuffing: A New Frontier in Malware Delivery

Authenticode Stuffing: Emerging Cybersecurity Threat

Cybersecurity experts have uncovered a concerning trend in malware distribution: the misuse of trusted software installers through a technique known as Authenticode stuffing. This sophisticated method manipulates legitimate, digitally signed installers to bypass traditional antivirus defenses.

How the Technique Works

Attackers modify legitimate ConnectWise ScreenConnect installers, inserting malicious configuration data into the PE certificate table while leaving the original file signature intact. Because the Authenticode hash does not cover the certificate table, the change does not invalidate the signature, so the installer keeps its trusted status and slips past many security controls.

Real-World Exploits

According to cybersecurity firm G DATA, this method has been spotted in phishing campaigns delivering malicious documents. These documents execute trojanized versions of ScreenConnect that display fake Windows Update screens, masking unauthorized remote access. The malicious variants have been dubbed:

  • Win32.Backdoor.EvilConwi
  • Win32.Riskware.SilentConwi

A similar exploit has also targeted SonicWall’s NetExtender VPN installer, enabling attackers to steal credentials from unsuspecting users. These tactics highlight a dangerous shift in cybercrime, where trusted, signed binaries are weaponized for stealthy malware delivery.

Why It Matters

The use of trusted, digitally signed binaries makes detection by signature-based antivirus increasingly unreliable. Organizations that fail to adapt risk falling prey to highly effective and difficult-to-detect attacks.

Recommended Security Measures

To counter this growing threat, security professionals should:

  • Thoroughly inspect configuration data embedded in signed binaries.
  • Limit the use of remote access tools whenever possible.
  • Adopt layered defenses beyond signature-based antivirus.
  • Continuously monitor for abnormal activity within IT environments.
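
One way to act on the first recommendation, as an added example that is not from G DATA or the original article: the Python sketch below walks the PE certificate table described under "How the Technique Works" and reports how many bytes follow the DER-encoded signature blob in each entry. The 7-byte padding threshold, the function names and the header produced by build_sample are assumptions constructed for illustration.

```python
import struct

PAD_MAX = 7  # assumption: entries are 8-byte aligned, so up to 7 pad bytes are normal

def der_len(blob: bytes) -> int:
    """Total size (header + content) of the outer DER SEQUENCE, 0 if not one."""
    if len(blob) < 2 or blob[0] != 0x30:
        return 0
    if blob[1] < 0x80:                      # short-form length
        return 2 + blob[1]
    n = blob[1] & 0x7F                      # long form: n length bytes follow
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def cert_table_slack(pe: bytes) -> list[tuple[int, int]]:
    """Return (file_offset, slack_bytes) for each WIN_CERTIFICATE entry."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = nt + 24                           # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]         # PE32 / PE32+ data directories
    pos, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4; a file offset, not an RVA
    end, out = min(pos + size, len(pe)), []
    while pos + 8 <= end:
        length = struct.unpack_from("<I", pe, pos)[0]   # dwLength includes the 8-byte header
        if length < 8 or pos + length > end:
            break
        out.append((pos, length - 8 - der_len(pe[pos + 8:pos + length])))
        pos += (length + 7) & ~7                        # next entry is 8-byte aligned
    return out

def suspicious(pe: bytes) -> bool:
    return any(slack > PAD_MAX for _, slack in cert_table_slack(pe))

def build_sample(extra: bytes) -> bytes:
    """Constructed minimal PE32+ header with one certificate entry (not a real binary)."""
    der = b"\x30\x82\x01\x2c" + bytes(300)              # placeholder for the signature blob
    blob = der + extra
    blob += bytes(-len(blob) % 8)
    hdr = bytearray(0x40 + 24 + 112 + 16 * 8)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x40 + 24, 0x20B)
    struct.pack_into("<II", hdr, 0x40 + 24 + 112 + 32, len(hdr), 8 + len(blob))
    return bytes(hdr) + struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
```

This check only covers data that follows the signature blob inside a certificate entry; content carried inside the signature structure itself needs a full ASN.1 parse to review.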

 

Stay Ahead of Advanced Threats

As cyber threats evolve, organizations must strengthen their defenses against increasingly subtle malware deployment tactics. For proactive cybersecurity solutions and expert consulting, partner with Velvot Nigeria Limited.
