
Case Study – BFSI

Advanced Threat Hunting proactively uncovers an unknown risk in digitally signed ConnectWise installers


About the client

The client is a leading financial services organization operating in South Africa, supporting a large customer base and a distributed workforce. As an existing CyberProof Managed Extended Detection and Response (MXDR) client, the organization prioritizes proactive threat detection and strong endpoint visibility to protect sensitive financial systems and maintain operational resilience.

The client’s challenge

The engagement was triggered when CyberProof’s MXDR team reported a suspicious outbound network connection to a .net TLD (top-level domain) and a .ddns TLD in two separate incidents, both originating from digitally signed ConnectWise ScreenConnect processes. The alert was fired by a detection rule for suspicious TLD connections that the Threat Hunting team had shared with the MXDR team.

The attack vector identified across the investigated incidents involved phishing emails designed to trick employees into downloading a trojanized version of the ScreenConnect remote monitoring and management (RMM) tool.

Once deployed, the malicious ScreenConnect process was extremely difficult to detect, and the EDR platform did not generate any alerts following the initial compromise.

At this point, the client faced several challenges:

  • Suspected supply chain compromise: Indicators suggested a potential supply chain attack, possibly linked to a nation-state APT group.
  • Detection gaps in EDR controls: Existing EDR rules failed to block outbound connections to attacker infrastructure, opening the client up to further risk.
  • Persistent attacker activity: Despite certificate revocations, the attacker repeatedly regained access to new code-signing certificates. This suggested an ongoing compromise.

Benefits

  • Early risk discovery: Identified a previously unknown campaign abusing digitally signed ConnectWise installers.
  • Closed EDR blind spots: Addressed more than 15 detection gaps where trusted RMM activity bypassed existing EDR controls.
  • Reduced trust abuse risk: Detected and mitigated Authenticode stuffing used to evade signature-based defenses.
  • Stronger defense against persistence: Improved detection of repeatedly re-signed malicious binaries as the campaign evolved.

Our solution

CyberProof recommended an Advanced Threat Hunting engagement to perform a structured detection gap analysis and a deeper campaign investigation. A dedicated CyberProof threat hunter was assigned to the engagement, working in parallel with the MXDR team.

During this investigation, CyberProof threat hunters identified a technique known as Authenticode stuffing. The modified installer contained additional backdoor code while retaining a valid digital signature. Critically, the installer embedded a command-and-control URL within the digital certificate itself, which was used to retrieve and execute a second-stage payload after installation. This technique allowed the malware to evade traditional signature-based detections by abusing trust in signed software and certificate metadata: the stuffed data sits in a part of the signature block that the Authenticode hash does not cover, so signature verification still succeeds.

CyberProof’s proactive threat tracking and contextual hunting enabled early identification and reporting of what appeared to be a potential supply-chain-related attack involving trusted remote monitoring and management software. At the time of discovery, there was limited public disclosure. The subsequent assignment of a CVE to the ConnectWise vulnerability and later public reporting validated the indicators and behaviors identified during the threat hunt.

Results

By combining MXDR telemetry, Advanced Threat Hunting, and threat intelligence, CyberProof helped the client gain a clearer understanding of the attack techniques used, strengthen endpoint detection coverage, and reduce exposure to similar threats that abuse trusted software and signing mechanisms.

Speak with an expert

Explore how CyberProof can help you reduce exposure and manage risk with advanced threat hunting for hybrid and cloud-native environments.
