2023-01-28

At least two federal agencies in the United States have fallen victim to a “widespread cyber campaign” in which legitimate remote monitoring and management (RMM) software was used to carry out a phishing scam.

How was this RMM software leveraged?

“In particular, the cybercriminals in question sent phishing emails that led to the download of legitimate RMM software – ScreenConnect (now ConnectWise Control) and AnyDesk – which the perpetrators used in a cashback scam to steal money from victims’ bank accounts”, the United States information security authorities stated.

The notice came simultaneously from the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

The attacks, which occurred between mid-June and mid-September of last year (2022), were financially motivated, although the unknown perpetrators could still weaponize the unauthorized access to conduct a wide variety of activities, including selling that access to other hacking groups.

The use of remote-access software by criminal groups has long been a concern, because it offers an effective way to obtain local user access (often as an administrator) on a host without having to escalate privileges or gain a foothold by other means.

In one case, the threat actors sent a phishing email containing a phone number to an employee’s government email address, prompting the victim to visit a malicious domain. CISA said these emails are part of help desk-themed social engineering attacks that these still-unidentified actors have run against federal employees since at least June 2022.

The subscription-themed emails either embed a link to a deceptive “first-stage” domain or use a tactic known as callback phishing (a technique seen previously in other malware campaigns) to trick recipients into calling a phone number controlled by the actor, who then talks them into visiting the domain.

Regardless of the approach used, the malicious domain triggers the download of an executable, which then connects to a second-stage domain to retrieve the RMM software in the form of “portable” executables (that is, executables that run without being installed).

The ultimate goal is to exploit the RMM software to run a refund scam (which the article likens to ransomware): the victims are instructed to log in to their bank accounts, after which the perpetrators of this computer “trick” modify the account summary shown on screen to make it appear that the victim has mistakenly been refunded a rather large amount of excess money.

In the final stage, the scam operators ask the email recipients to return the supposed excess amount, effectively defrauding them of their own funds.
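Because the chain described above ends with legitimate, portable RMM executables being run straight from a download rather than from a sanctioned installation, one practical detection is to flag RMM process launches from user-writable paths or from a browser parent. The following is an added example, not code from the advisory, CISA, or any RMM vendor; the log format (a simplified comma-separated process-creation record) and the sample events are constructed for illustration, and the list of "sanctioned" install paths is an assumption an organization would replace with its own inventory.

```python
"""Flag launches of portable RMM tools from user-writable locations.

Added illustrative detection logic; the log format and events below are
constructed, and the sanctioned-path rule is an assumed organizational policy.
"""
import re
from dataclasses import dataclass

# Constructed sample of process-creation records:
# timestamp,user,parent_image,image,command_line
SAMPLE_LOG = """\
2022-07-12T14:03:11Z,CORP\\jdoe,C:\\Program Files\\Mozilla Firefox\\firefox.exe,C:\\Users\\jdoe\\Downloads\\AnyDesk.exe,AnyDesk.exe
2022-07-12T14:03:40Z,CORP\\jdoe,C:\\Windows\\explorer.exe,C:\\Users\\jdoe\\AppData\\Local\\Temp\\ScreenConnect.ClientSetup.exe,ScreenConnect.ClientSetup.exe
2022-07-12T09:15:00Z,CORP\\itadmin,C:\\Windows\\explorer.exe,C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe,AnyDesk.exe --control
2022-07-12T10:00:00Z,CORP\\jdoe,C:\\Windows\\explorer.exe,C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE,WINWORD.EXE
"""

# Tool names taken from the advisory; matched against the executable's base name.
RMM_NAMES = ("anydesk", "screenconnect", "connectwise")
# Locations a regular user can write to without elevation (assumed list).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp|desktop)\\", re.I)
# Where a properly installed RMM client is expected to live (assumed policy).
SANCTIONED_PATHS = re.compile(r"^c:\\program files( \(x86\))?\\", re.I)
# A browser spawning an RMM client is consistent with a drive-by download.
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}


@dataclass
class Finding:
    timestamp: str
    user: str
    image: str
    reasons: list


def basename(path):
    """Return the final path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_line(line):
    """Parse one record; returns None for malformed lines so they are skipped."""
    fields = line.rstrip("\n").split(",", 4)
    if len(fields) != 5:
        return None
    ts, user, parent, image, cmdline = fields
    return {"ts": ts, "user": user, "parent": parent, "image": image, "cmdline": cmdline}


def is_rmm(image):
    """True if the executable name contains one of the advisory's RMM tool names."""
    name = basename(image)
    return any(tool in name for tool in RMM_NAMES)


def evaluate(event):
    """Return the list of reasons an event is suspicious (empty if benign)."""
    reasons = []
    if not is_rmm(event["image"]):
        return reasons
    if USER_WRITABLE.search(event["image"]):
        reasons.append("rmm_from_user_writable_path")
    if not SANCTIONED_PATHS.match(event["image"]):
        reasons.append("rmm_not_in_sanctioned_install_path")
    if basename(event["parent"]) in BROWSERS:
        reasons.append("rmm_spawned_by_browser")
    return reasons


def scan(log_text):
    """Run the checks over every record and collect the findings in order."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        reasons = evaluate(event)
        if reasons:
            findings.append(Finding(event["ts"], event["user"], event["image"], reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user} {f.image}: {', '.join(f.reasons)}")
```

On the constructed sample, the two portable launches from `Downloads` and `Temp` are flagged while the administrator's installed AnyDesk client under `Program Files (x86)` is not; the same path-based rule is what separates an approved RMM deployment from the "legitimate software as backdoor" misuse the agencies describe.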

CISA linked the activity to a “major trojan operation” exposed by the cybersecurity firm Silent Push in October 2022; that said, similar phone-based delivery methods have been adopted by other actors, including Luna Moth (also known as Silent Ransom).

“This campaign highlights the threat of malicious cyber activity associated with legitimate RMM software: after gaining access to the targeted network via phishing or other techniques, various malicious cyber actors – from ordinary cybercriminals to APTs sponsored by other countries – are known to use legitimate RMM software as a backdoor for persistence and/or command and control (C2)”, the agencies warned.

In this case too, the attackers start with email

Note that, as in many other previously documented cases, everything starts with fraudulent and deceptive emails: it is therefore necessary to train employees and all personnel who work online to recognize these traps on sight.