Malicious ConnectWise Control application downloaded in the wild

ConnectWise ScreenConnect is a self-hosted remote desktop software application. The tool is used by thousand of people, Companies, businesses around the world.

As a well-known tool, abusing it, could help the threat actor to compromised many systems and organization by gaining unauthorized access to the computer or environment.

The malicious application is called ConnectWise Control 23.2.9.8466. Quite similar to the naming convention used by ConnectWise ScreenConnect application.

The malicious tool is available from the website krscreenconnect[.]com.

At the time of writing, the tool been downloaded by many users and organizations.

The domain name is quite new:

The domain is newly created:

Dates 50 days old

Created on 2025–01–26

Expires on 2026–01–26

Updated on 2025–01–26

Hosted on dedicated server with the IP address 192.159.99.10.

The application is available to download after connecting to the website via the link: hxxps://krscreenconnect[.]com/bin/support.client.exe?i&e=Support&y=Guest&r.

To fully investigate the application, we used couple of tools such as app any run, Virus total, urlscan, Domaintools, Censys.

First of all, we wanted to have the hash of the executable file “support.client.exe” or see what is behind the URL. To achieve that, we used: Search — urlscan.io

we got the following details:

A second technic we used was to run the URL via VirusTotal to get the Hash:

We got the same hash as we got from URLSCAN:

As you may know, Censys ( Censys Search will end on March 31, 2025) is one of the best tool to get more details about an IP address. Using Censys, we got:

192.159.99.10 — Host Summary — Censys

The unique IP 192.159.99.10 link to the domain in question:

On the port HTTP 443, a romote access ConnectWise Control 23.2.9.8466 is available.

We decided to run the executable file through app any run to be able to analyse it in the sandbox: https://app.any.run/browses/78c73b3d-b38e-48cd-813e-9d4b1883cb0c

After running the executable file, we found out that the file is digitally signed by ConnectWise LLC since 2023. Which look strange but possible.

While analysing the executable file, we found one interesintg indicator

The file name : C:\Users\jmorgan\Source\cwcontrol\Misc\Bootstrapper\Release\ClickOnceRunner.pdb

following the ImportsHash: 7631a79a9071099fa4803e1c4c5df207

We found out that the Hash of the file is quite famous through Google search:

By checking the information from: MalwareBazaar | SHA256 d4b396874b63841713f83aecb7b3bf6e19b068f246c950cbdbb08bdafb394763 (ConnectWise)

We found very interesting details

The information found is the confirmation that the executable file is digitally signed by Connectwise, LLC.

To finalize our investigation, we checked the payload after execution

If you are already familiar with malware analysis, you may notice some suspicious functions used such as :

LoadLibraryA

GetCurrentProcess

TerminateProcess

CreateFileW

GetProcAddress

HeapAlloc

WriteFile

ExitProcess

HeapReAllo

The functions are usually used for code injection to hide the executable file from the EDR or Anti-Virus engine.

We can already limit here our investigation and come to the conclusion that the file is a malware and you should not run it.

The usage of the digitally signed certificate from is out of scope (if you want to know ask them ahhh).

We found many others malicious executable files using the signed certificate from the company: MalwareBazaar | Browse malware samples.

Which means that you should always check any application signed by this organization.

If you already notice such activity within your organization, the following measure should be taken as fast as possible:

Change the user password.

Re-image the host impacted.

Perform the full analyze on the host to detect any C2 or Persistency or privilege escalation method used.

Block the URL or domain.

Block the IOCs Hash.