Threat Actors abuse signed ConnectWise application as malware builder

June 24, 2025, 3:30 p.m.

Description

Since March 2025, there has been an increase in infections using validly signed ConnectWise samples. Threat actors are exploiting ConnectWise's Authenticode stuffing practices to create and distribute their own signed malware. The malicious samples carry modified settings in the certificate table that influence critical behavior and user-interface elements, such as connection URLs, ports, icons, and messages. This allows attackers to disguise their remote access tools as legitimate software or as fake Windows updates. The article provides recommendations for threat detection and prevention, including specific app.config settings to look out for and a YARA rule for detection.

Date

  • Created: June 24, 2025, 2:31 p.m.
  • Published: June 24, 2025, 2:31 p.m.
  • Modified: June 24, 2025, 3:30 p.m.

Indicators


Attack Patterns

Linked vulnerabilities