Hackers Can Hide Malware Inside Images to Hack Windows

Researchers at Cyfirma have disclosed a sophisticated cyberattack campaign that specifically targets Windows systems, using deceptive JPEG image files as its means of infiltration. The operation, dubbed Operation SilentCanvas, tricks victims into executing malicious PowerShell scripts disguised as innocuous photos. Once the attack is initiated, the perpetrators gain complete and covert control over the compromised machines through these weaponized files.

Mechanics of the Attack

The assault commences when unsuspecting victims receive what appears to be a routine image file named sysupdate.jpeg. Despite its JPEG extension, this file contains no actual image data; instead, it harbors a PowerShell script meticulously crafted to establish staging environments and download additional malicious components without raising suspicion.

To evade detection, the malware assembles its dangerous command strings at runtime rather than storing them in plain text on disk. It then escalates by downloading a secondary payload, referred to as access.jpeg, which is executed directly in memory. Notably, Microsoft's own .NET compiler, csc.exe, is abused to build a custom launcher named uds.exe on the infected machine.

Once the launcher is operational, the malware hijacks a registry key associated with the ms-settings protocol handler. This enables the creation of a hidden desktop that operates outside the visibility of the logged-in user, allowing malicious tools to run unnoticed. Additionally, a persistent Windows service named OneDriveServers ensures the malware remains active across system reboots.

In a further display of its capabilities, a separate component is designed to intercept usernames and passwords at the Windows login screen prior to authentication. According to Cyfirma’s analysis, this malware can also create hidden local administrator accounts, providing attackers with long-term access to the compromised systems.

In light of these findings, security teams are urged to block or closely monitor the execution of commonly abused Windows binaries, including csc.exe and ComputerDefaults.exe, to mitigate the risk posed by this campaign.
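As an added defensive illustration (not code from Cyfirma's report), the triage script below checks a host for the three artifacts the article describes: image files with a .jpeg extension that carry no JPEG data, a per-user override of the ms-settings protocol handler, and a service named OneDriveServers. It assumes the standard HKCU handler key path and the JPEG start-of-image marker FF D8 FF; the directories searched are a constructed default.

```powershell
# Returns $true only if the file begins with the JPEG SOI marker FF D8 FF.
function Test-JpegHeader {
    param([Parameter(Mandatory)][string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 3
        $n = $fs.Read($buf, 0, 3)
    } finally { $fs.Dispose() }
    return ($n -eq 3 -and $buf[0] -eq 0xFF -and $buf[1] -eq 0xD8 -and $buf[2] -eq 0xFF)
}

# Walks user-writable locations (constructed default list) for .jpg/.jpeg files
# that are not real images, the trick sysupdate.jpeg relies on.
function Find-SuspiciousJpeg {
    param([string[]]$Roots = @($env:TEMP, $env:USERPROFILE))
    Get-ChildItem -Path $Roots -Recurse -File -Include *.jpg, *.jpeg -ErrorAction SilentlyContinue |
        Where-Object { -not (Test-JpegHeader $_.FullName) } |
        ForEach-Object {
            [pscustomobject]@{ Indicator = 'jpeg-without-image-data'; Detail = $_.FullName }
        }
}

# A clean system has no per-user ms-settings handler; any command value here is
# suspicious (assumed key path, the one used by the ComputerDefaults.exe bypass).
function Test-MsSettingsHijack {
    $key = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'
    if (Test-Path -LiteralPath $key) {
        $cmd = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ Indicator = 'ms-settings-handler-override'; Detail = "$key => $cmd" }
    }
}

# Looks for the persistence service named in the report and shows its binary path.
function Test-PersistenceService {
    $svc = Get-CimInstance Win32_Service -Filter "Name='OneDriveServers'" -ErrorAction SilentlyContinue
    if ($svc) {
        [pscustomobject]@{ Indicator = 'persistence-service'; Detail = "$($svc.Name) -> $($svc.PathName)" }
    }
}

function Invoke-SilentCanvasTriage {
    @(Find-SuspiciousJpeg; Test-MsSettingsHijack; Test-PersistenceService) | Where-Object { $_ }
}

Invoke-SilentCanvasTriage | Format-Table -AutoSize
```

Run it from an elevated prompt so the service query and file walk are not cut short by access errors; an empty table means none of the three artifacts was found, not that the host is clean.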
