New phishing scam uses legit software to hijack computers, but the real story is even wilder


Microsoft Defender Experts just published a new threat report that sheds light on one of the wildest phishing plots we’ve seen in a while. The scheme doesn’t involve breaching a highly sophisticated security system or inventing a new zero-day vulnerability, or anything else that comes to mind when you hear the word “hacking.” The attackers simply came up with an admittedly clever system to infiltrate enterprise computers using legitimate software.

It all starts with emails containing fake meeting invites, PDF documents, and other malicious links. When a targeted user clicks a link to update a familiar app like Microsoft Teams, Zoom, Google Meet, or Adobe Reader, they are actually downloading malware on their computer.

But here’s the thing: Microsoft found that the malicious files were digitally signed using an abused Extended Validation (EV) certificate issued to a company called TrustConnect Software PTY LTD.

Now, EV certificates aren’t easy to get, as they require strict identity verification by the Certificate Authority. As ESET Distinguished Researcher Aryeh Goretsky pointed out in the comments, an EV certificate doesn’t automatically prevent antivirus software from scanning a file, but it does assign it a higher reputational score. Proofpoint’s report adds that “when used by threat actors, they can help criminals evade signature-based detections.”

Once a user downloads and runs the signed file, the malware lays the groundwork for the entire operation. It first copies itself to the Program Files directory to mimic a legitimate application, registers itself as a Windows service, and creates a Run key in the system registry so it starts every time the computer boots.

Once it gets hold of an infected computer, the malware then uses encoded PowerShell commands to silently install legitimate Remote Monitoring and Management (RMM) tools like ScreenConnect, Tactical RMM, and Mesh Agent!

Since actual corporate IT departments use these exact tools every single day to manage company computers, the malicious network traffic blends right in. The attackers get a persistent backdoor into the corporate network, including remote desktop control and system-level command execution, without raising a single red flag. According to Microsoft’s report, the attackers even install multiple RMM tools, just in case a security team happens to detect and remove one of them.
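As an added illustration (not code from Microsoft’s or Proofpoint’s reports), here is a small Python detection routine that decodes PowerShell -EncodedCommand arguments from process-creation events, flags scripts that reference the RMM tools named above, and lists hosts where more than one of them was installed. The event layout and the sample events are constructed assumptions, not data from the report.

```python
import base64
import re
from collections import defaultdict

# Installer/agent names of the RMM tools named in the report, matched case-insensitively.
RMM_MARKERS = {"screenconnect": "ScreenConnect", "tacticalrmm": "Tactical RMM",
               "tacticalagent": "Tactical RMM", "meshagent": "Mesh Agent"}
# powershell.exe accepts -EncodedCommand and its abbreviations (-enc, -ec, -e).
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind a -EncodedCommand argument, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def find_rmm_via_encoded_powershell(events):
    """Yield (host, tool) for powershell.exe events whose encoded script references an RMM agent."""
    for ev in events:
        if not ev["image"].lower().endswith("powershell.exe"):  # pwsh.exe would need a second check
            continue
        script = decode_encoded_command(ev["cmdline"]) or ""
        tools = {name for marker, name in RMM_MARKERS.items() if marker in script.lower()}
        for tool in sorted(tools):
            yield ev["host"], tool

def hosts_with_multiple_rmm(events):
    """Hosts where more than one distinct RMM tool was installed this way (the report's fallback trick)."""
    seen = defaultdict(set)
    for host, tool in find_rmm_via_encoded_powershell(events):
        seen[host].add(tool)
    return {h: sorted(t) for h, t in seen.items() if len(t) > 1}

def encode_ps(script):
    """Build the -EncodedCommand form of a script; used here only to construct sample events."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample process-creation events (hypothetical; not taken from the report).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"host": "WS01", "image": PS, "cmdline": "powershell.exe -nop -w hidden -enc " + encode_ps("Start-Process .\\ScreenConnect.ClientSetup.msi /quiet")},
    {"host": "WS01", "image": PS, "cmdline": "powershell.exe -e " + encode_ps("msiexec /i meshagent.msi /qn")},
    {"host": "WS02", "image": PS, "cmdline": "powershell.exe -enc " + encode_ps("Get-Date")},
    {"host": "WS02", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c tacticalagent.exe -m install"},
]
```

Run against real Sysmon Event ID 1 or EDR process telemetry, only WS01 would be flagged here: its two encoded commands pull in ScreenConnect and Mesh Agent, while WS02’s encoded command is benign and its cmd.exe-launched installer is out of scope for this particular check.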

With full network control established, the attackers can do basically whatever they want with affected computers. They can sift through internal servers to steal intellectual property, customer databases, or financial records. Or they can move laterally from a single infected laptop straight to the core domain controller. The possibilities are endless.

This is an ongoing threat, and Microsoft advises companies and employees to treat every file download they’re not absolutely sure is safe with extra caution. You can check out the entire report on the Microsoft Security blog.

Malware as a Service

Now, if EV certificates are so hard to obtain, you might be wondering how a bunch of attackers got hold of them. And the story about it is pretty wild.

Threat researchers at Proofpoint discovered last month that the hackers did not steal the certificate. They actually created a shell company, “TrustConnect Software PTY LTD,” and crafted an entire fake business identity. They used AI to generate a highly convincing corporate website and injected it with fabricated customer statistics and reviews. Under the disguise of a legitimate startup, TrustConnect then legally bought an EV certificate. Someone at the Certificate Authority actually reviewed and approved the purchase.

With a highly trusted EV certificate in their possession, TrustConnect didn’t just plan to launch its own attacks. Instead, it turned its fake website into a lucrative storefront for renting out its malware to other attackers. TrustConnect essentially created, as Proofpoint calls it, a Malware-as-a-Service (MaaS) operation, charging a flat rate of $300 a month in cryptocurrency for access to the digitally signed payloads and command infrastructure. The attackers followed that age-old advice and sold shovels during a gold rush.

So, if you yourself wanted to infiltrate some company’s computer, you wouldn’t even need to write a malicious script. You could just pay TrustConnect $300, download their pre-signed payload, practice some corporate talk to convince a target to actually run your file, and you’re in. Easy game.

Thankfully, the security research community did not just sit back and let it happen. Proofpoint, working alongside a group of researchers known as The Cert Graveyard, managed to get the abused EV certificate officially revoked on February 6. But there is a massive catch. Because the revocation was not backdated, any malware payloads the hackers had already signed remain completely valid and trusted by Windows.

While the TrustConnect storefront stopped accepting new subscribers, the threat actors did not just pack up and vanish. They almost immediately switched to testing a new malware variant called DocConnect. According to Proofpoint’s report, DocConnect is an improved version of the malware with more advanced features: a better control panel, improved real-time communication, and tricks like fake Windows Update screens.

The whole thing is turning into an endless game of whack-a-mole and is far from over. Be careful with what you’re downloading, now more than ever, because these attackers have no intention of backing down.
