Cybersecurity researchers have uncovered an ongoing social engineering campaign that bombards businesses with spam emails in an effort to gain initial access to their environments for subsequent exploitation.
“The incident involved threat actors flooding users’ emails with spam,” said Rapid7 researchers Tyler McGraw, Thomas Elkins and Evan McCann. , and call the user to provide assistance.
“Threat actors will prompt affected users to download remote monitoring and management software such as AnyDesk, or use Microsoft’s built-in Quick Assist feature to establish a remote connection.”
The novel campaign is said to have been ongoing since late April 2024, with emails primarily consisting of newsletter sign-up confirmations from legitimate organizations, designed to overwhelm email protection solutions.
We then contact affected users by phone, pretending to be the company’s IT team, and trick them into installing remote desktop software under the guise of resolving email issues.
Remote access to its computer is then used to download additional payloads to obtain credentials and maintain persistence on the host.
This is accomplished by executing various batch scripts, one of which also establishes contact with a command and control (C2) server to download a legitimate copy of OpenSSH for Windows and ultimately initiate a reverse attack against the server. to shell.
In the incident observed by the cybersecurity firm, the threat actors behind the campaign attempted to deploy Cobalt Strike beacons to other assets within the compromised network, but were unsuccessful.
While there is no evidence that ransomware is part of the campaign, Rapid7 said the campaign overlaps with previously identified attack indicators associated with the Black Basta ransomware operator.
This attack chain is also used to provide additional remote monitoring and management tools, such as ConnectWise ScreenConnect, as well as a remote access Trojan called NetSupport RAT, which has recently been used by FIN7 attackers as part of a malvertising campaign.
This is especially noteworthy given the FIN7 actor’s suspected close ties to Black Basta. While FIN7 initially used point-of-sale (PoS) malware to conduct financial fraud, it has since transitioned to ransomware operations, either as an affiliate or operating under the names DarkSide and BlackMatter.
“After successfully accessing the compromised asset, Rapid7 observed the threat actor attempting to deploy a Cobalt Strike beacon (disguised as a legitimate dynamic link library (DLL) named 7z.DLL) to the same network as the compromised asset using the following command Other assets within: Impacket toolset,” Rapid7 said.
Phorpiex distributes LockBit Black
Meanwhile, Proofpoint has revealed details of a new LockBit Black (aka LockBit 3.0) ransomware campaign that leverages the Phorpiex (aka Trik) botnet as a conduit to deliver emails containing ransomware payloads.
It is estimated that millions of messages were sent in the massive campaign that began on April 24, 2024.
Proofpoint researchers said: “The LockBit Black samples in this campaign are likely built from the LockBit builder leaked in the summer of 2023.”
“LockBit Black creators provide threat actors with access to proprietary and sophisticated ransomware. This, combined with the long-standing Phorpiex botnet, has increased the scale of these threat campaigns and increased ransomware Chance of attack success.
A closer look at the Mallox ransomware group
According to Sekoia, ransomware attacks have also been observed to force Microsoft SQL servers to deploy Mallox file encryption malware through a .NET-based loader called PureCrypter.
Mallox is a closed ransomware group operating in Europe and is reported to have been spreading since at least June 2021. focus on.
It was observed that two different online characters associated with the group, namely Mallx and RansomR, actively recruited affiliates on several underground forums to carry out the operation.
Further analysis of the threat actor’s data exfiltration server and its darknet infrastructure revealed the names of various “staff” members, including Admin, Support, Maestro, Team, Neuroframe, Panda, Grindr, Hiervos, and Vampire.
“Mallox is almost certainly an opportunistic intrusion affecting organizations across a variety of verticals, particularly manufacturing, retail and technology,” the company said.
“While Mallox representatives actively seek out high-paying targets (as evidenced by job postings on cybercrime forums), the majority of ransomware victims known in open source are small and medium-sized businesses.”
9 Comments
Pingback: Ongoing campaign bombards businesses with spam emails and phone calls – Mary Ashley
Hello i think that i saw you visited my weblog so i came to Return the favore Im trying to find things to improve my web siteI suppose its ok to use some of your ideas
Simply wish to say your article is as amazing The clearness in your post is just nice and i could assume youre an expert on this subject Well with your permission let me to grab your feed to keep updated with forthcoming post Thanks a million and please carry on the gratifying work
Business dicker Good post! We will be linking to this particularly great post on our site. Keep up the great writing
Fourweekmba This was beautiful Admin. Thank you for your reflections.
Techarp I really like reading through a post that can make men and women think. Also, thank you for allowing me to comment!
Magnificent beat I would like to apprentice while you amend your site how can i subscribe for a blog web site The account helped me a acceptable deal I had been a little bit acquainted of this your broadcast offered bright clear idea
Tech to Force You’re so awesome! I don’t believe I have read a single thing like that before. So great to find someone with some original thoughts on this topic. Really.. thank you for starting this up. This website is something that is needed on the internet, someone with a little originality!
Magnificent beat I would like to apprentice while you amend your site how can i subscribe for a blog web site The account helped me a acceptable deal I had been a little bit acquainted of this your broadcast offered bright clear idea