
Recently I came very close to being taken by PayPal scammers. Before I wised up, they installed Screencollect on my PC. Later an ESET scan did not find this program, evidently because it is a legitimate program used by some folks.

I will never need to install Screencollect or any other programs like it that scammers use. Is there a blacklist of such programs that I can force ESET to find and quarantine?

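As an added example (not from this thread and not ESET's own tooling), the kind of local check a home user can run while waiting on the AV vendor: a PowerShell inventory of installed programs, services and running processes whose names match the remote-support tools named in this thread (ScreenConnect/ConnectWise, TeamViewer, AnyDesk, Ammyy Admin). It assumes Windows PowerShell 5.1 or later run from an elevated prompt; the watchlist itself is an assumption you should extend to whatever you never intend to run.

```powershell
# Added example (not from the thread or from ESET): inventory a Windows PC for
# the remote-support tools named in this thread. The $Watchlist patterns are an
# assumption; extend them with any tool you never intend to run.
$Watchlist = @('ScreenConnect', 'ConnectWise', 'TeamViewer', 'AnyDesk', 'Ammyy')
$Pattern   = ($Watchlist | ForEach-Object { [regex]::Escape($_) }) -join '|'

$Findings = New-Object System.Collections.Generic.List[object]

# 1. Installed programs (64-bit, 32-bit and per-user Uninstall keys).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $Pattern } |
    ForEach-Object {
        $Findings.Add([pscustomobject]@{
            Source = 'Installed program'
            Name   = $_.DisplayName
            Detail = "$($_.DisplayVersion) $($_.InstallLocation)".Trim()
        })
    }

# 2. Services (ScreenConnect registers a Windows service once installed).
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -match $Pattern -or $_.DisplayName -match $Pattern -or $_.PathName -match $Pattern } |
    ForEach-Object {
        $Findings.Add([pscustomobject]@{
            Source = 'Service'
            Name   = $_.Name
            Detail = "$($_.State) $($_.PathName)"
        })
    }

# 3. Running processes, matched on the process name and the executable path.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -match $Pattern -or $_.Path -match $Pattern } |
    ForEach-Object {
        $Findings.Add([pscustomobject]@{
            Source = 'Process'
            Name   = $_.ProcessName
            Detail = "PID $($_.Id) $($_.Path)"
        })
    }

if ($Findings.Count -eq 0) { 'No watchlisted remote-support tools found.' }
else { $Findings | Format-Table -AutoSize }
```

A hit from this script is a reason to review the program's install date and the service's command line, not proof of compromise; legitimate remote support leaves the same traces.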

Do you mean ScreenConnect also known as ConnectWise? I can find no reference to Screencollect.

Assuming you mean ScreenConnect, the question is why Eset didn't detect it as a PUA?

Quote

The program under its previous name of ScreenConnect has been used in fraudulent technical support scams where the fraudster is able to gain control of the victim's computer by telephoning and tricking the user to install the software and permitting a connection. The free trial period has been utilized to avoid any software costs in doing this, and similar products such as TeamViewer, AnyDesk and Ammyy Admin have also been used for the scam.[14][15]

Cybercriminal group LockBit exploited vulnerabilities in ScreenConnect.[16]

https://en.wikipedia.org/wiki/ConnectWise_ScreenConnect

Do you have both PUA settings plus Suspicious applications settings enabled in Eset real-time protection settings?

Edited by itman

Well, I just downloaded the ScreenConnect installer and not a detection peep from Eset.


Sorry for my typing error. Yes, I meant ScreenConnect. Maybe my ESET product does not have the settings that you mentioned? I can't find setting references to PUA and suspicious applications.


3 minutes ago, SilverSurfer said:

I can't find setting references to PUA and suspicious applications.

In this case, the settings don't matter since Eset didn't detect it as such.

The settings are shown in the screenshot below:

[Screenshot: Eset_Protections.png]


5 hours ago, SilverSurfer said:

Now that all my settings are set to "aggressive" do you think ESET would detect Screencollect if it showed up on my PC?

While ESET currently didn't seem to detect this particular program as a PUA, it could be detected as such in the future.

However, other programs which serve a similar purpose would now most likely be detected as a PUA after the settings you've changed.


Let's discuss why ScreenConnect is a "potentially dangerous app."

Quote

Two days after an international team of authorities struck a major blow to LockBit, one of the Internet’s most prolific ransomware syndicates, researchers have detected a new round of attacks that are installing malware associated with the group.

The attacks, detected in the past 24 hours, are exploiting two critical vulnerabilities in ScreenConnect, a remote desktop application sold by Connectwise. According to researchers at two security firms—SophosXOps and Huntress—attackers who successfully exploit the vulnerabilities go on to install LockBit ransomware and other post-exploit malware. It wasn’t immediately clear if the ransomware was the official LockBit version.

“We can't publicly name the customers at this time but can confirm the malware being deployed is associated with LockBit, which is particularly interesting against the backdrop of the recent LockBit takedown,” John Hammond, principal security researcher at Huntress, wrote in an email. “While we can't attribute this directly to the larger LockBit group, it is clear that LockBit has a large reach that spans tooling, various affiliate groups, and offshoots that have not been completely erased even with the major takedown by law enforcement.”

Hammond said the ransomware is being deployed to “vet offices, health clinics, and local governments (including attacks against systems related to 911 systems).”

https://arstechnica.com/security/2024/02/ransomware-associated-with-lockbit-still-spreading-2-days-after-server-takedown/

Proof of concept scenario.

1. Attacker phishes target to download and install a vulnerable version of ScreenConnect. He then exploits the remote code execution vulnerability to deliver ransomware, infostealer, you-name-it malware.

2. Attacker "tricks" target to download and install a vulnerable version of ScreenConnect; e.g. SEO poisoning, etc.

Edited by itman

Now for the really weird stuff.

If you refer to this current forum posting: https://forum.eset.com/topic/41631-screenconnect-connect-wise-eset-blockigs/?do=getNewComment , Eset does detect ScreenConnect as a PUA!

When I downloaded the ScreenConnect installer, I didn't run it. Hopefully, Eset would detect it once installed, but that isn't really the way to do so.

It is possible what got installed on your device is an unknown undetected variant of ScreenConnect.

Most likely, Eset didn't alert you about ScreenConnect because you had Potentially Unwanted App detection disabled.

Edited by itman

3 hours ago, itman said:

Now for the really weird stuff.

If you refer to this current forum posting: https://forum.eset.com/topic/41631-screenconnect-connect-wise-eset-blockigs/?do=getNewComment , Eset does detect ScreenConnect as a PUA!

When I downloaded the ScreenConnect installer, I didn't run it. Hopefully, Eset would detect it once installed, but that isn't really the way to do so.

It is possible what got installed on your device is an unknown undetected variant of ScreenConnect.

Most likely, Eset didn't alert you about ScreenConnect because you had Potentially Unwanted App detection disabled.

Might be specific versions of the program that are flagged.
