Ongoing Campaign Bombards Enterprises with Spam Emails and Phone Calls

Cybersecurity researchers at Rapid7 have uncovered an ongoing social engineering campaign that barrages enterprises with spam emails in order to obtain initial access to their environments for follow-on exploitation. The tactic is to flood a target user's mailbox with junk mail, then phone the user and offer help with the problem. The attacker gains a foothold by convincing the victim to install or launch remote access software such as AnyDesk or Microsoft Quick Assist. Researchers assess the campaign to have been active since late April 2024. The flood consists largely of legitimate newsletter sign-up confirmation messages from real organizations; because the individual emails are not malicious, they pass through email protection solutions. Impacted users are then contacted by phone by an attacker posing as the victim organization's IT team, who offers "support" and talks the user into running remote desktop software to fix the email issue, which is what gives the attacker initial access. That remote session is used to deploy additional malware that harvests credentials and establishes persistence. Through a series of batch scripts, the attacker contacts a C2 server, downloads OpenSSH, and attempts to set up a reverse shell.

Security Officer Comments:
While observing this cluster of activity, researchers saw the threat actor make an unsuccessful attempt to deploy Cobalt Strike beacons disguised as a legitimate Dynamic Link Library (DLL) to other potentially valuable assets in the compromised network. There is no evidence of ransomware deployment at this time, but the activity aligns with previously identified IOCs associated with Black Basta, an active ransomware group. The same attack chain has also been used to deliver additional tools, including ConnectWise ScreenConnect and the NetSupport RAT remote access trojan, which FIN7 actors recently used in a malvertising campaign. It is notable that FIN7 and Black Basta are suspected of having a symbiotic relationship, as FIN7 has shifted its focus to ransomware operations under the monikers DarkSide and BlackMatter. Separately, a recent LockBit Black campaign used similar phishing techniques together with the Phorpiex botnet to deliver emails carrying a ransomware payload. Those attacks are likely the work of an affiliate actor, since the payloads appear to have been produced with the leaked LockBit 3.0 (LockBit Black) builder, which has been publicly available since 2022.

Suggested Corrections:
Rapid7 recommends ensuring users are aware of established IT channels and communication methods so they can recognize and resist common social engineering attacks. Rapid7 also recommends making sure users feel empowered to report suspicious phone calls and texts purporting to come from internal IT staff.

Rapid7 recommends baselining your environment for all installed remote monitoring and management (RMM) solutions and using application allowlisting, such as AppLocker or Microsoft Defender Application Control, to block all unapproved RMM solutions from executing in the environment. For example, the Quick Assist binary, quickassist.exe, can be blocked from execution via AppLocker. As an additional precaution, Rapid7 recommends blocking the domains associated with all unapproved RMM solutions.
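The following PowerShell is an added example, not code from Rapid7's report or from the RMM catalog mentioned below. Run from an elevated prompt on a Windows endpoint, it does two things the paragraph above asks for: it baselines RMM tooling by checking running processes, service binaries and installed programs against a small catalog of known RMM executables, and it emits an AppLocker policy that denies quickassist.exe. The catalog entries, the approved list and the policy values are assumptions for the example; populate them from your own inventory and from `Get-AppLockerFileInformation` on a real copy of the binary.

```powershell
# Added example: baseline RMM tooling and generate an AppLocker deny rule for Quick Assist.
# Run elevated. Catalog and approved list below are illustrative assumptions, not a complete inventory.

$KnownRmmBinaries = @(
    'AnyDesk.exe',                     # AnyDesk
    'quickassist.exe',                 # Microsoft Quick Assist
    'ScreenConnect.ClientService.exe', # ConnectWise ScreenConnect
    'client32.exe'                     # NetSupport Manager (abused as NetSupport RAT)
)

# Tools this (hypothetical) organization sanctions; anything else in the catalog is unapproved.
$ApprovedRmm = @('ScreenConnect.ClientService.exe')

function Get-RmmBaseline {
    # 1. Running processes whose image name is in the catalog
    $procs = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and ($KnownRmmBinaries -contains (Split-Path $_.Path -Leaf)) } |
        ForEach-Object { [pscustomobject]@{ Source = 'Process'; Name = (Split-Path $_.Path -Leaf); Path = $_.Path } }

    # 2. Services whose binary path points at a catalog entry.
    #    PathName may be quoted and carry arguments, so extract the first *.exe token.
    $svcs = Get-CimInstance Win32_Service |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $exe = $_.PathName -replace '^\s*"?([^"]+?\.exe)"?.*$', '$1'
            if ($KnownRmmBinaries -contains (Split-Path $exe -Leaf)) {
                [pscustomobject]@{ Source = 'Service'; Name = (Split-Path $exe -Leaf); Path = $exe }
            }
        }

    # 3. Installed programs from both Uninstall hives (64-bit and WOW6432Node)
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $apps = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'AnyDesk|ScreenConnect|NetSupport|Quick Assist' } |
        ForEach-Object { [pscustomobject]@{ Source = 'Installed'; Name = $_.DisplayName; Path = $_.InstallLocation } }

    # Tag every finding as approved or not so the report can be acted on directly
    @($procs; $svcs; $apps) | Where-Object { $_ } | ForEach-Object {
        $_ | Add-Member -NotePropertyName Approved -NotePropertyValue ($ApprovedRmm -contains $_.Name) -PassThru
    }
}

Get-RmmBaseline | Format-Table Source, Name, Approved, Path -AutoSize

# AppLocker policy fragment denying quickassist.exe for Everyone (SID S-1-1-0).
# Caveats: once an Exe rule collection is enforced, AppLocker blocks everything that is not
# explicitly allowed, so this fragment must be merged into a policy that already has allow rules.
# It is set to AuditOnly so a mistake shows up in the AppLocker event log rather than as an outage.
# On Windows 11 Quick Assist ships as a Store (packaged) app and needs a rule in the Appx collection instead.
$QuickAssistDenyPolicy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny Quick Assist (unapproved RMM)"
                  Description="Blocks quickassist.exe per RMM allowlisting baseline"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\quickassist.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'Deny-QuickAssist.xml'
$QuickAssistDenyPolicy | Set-Content -Path $policyPath -Encoding UTF8

# Dry run: report what the policy would do to the binary (errors if the file is not present on this build)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path "$env:SystemRoot\System32\quickassist.exe" -User Everyone

# Apply only after confirming the merged policy still allows your sanctioned software:
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

A path rule is the simplest form and matches what the paragraph describes, but a user who copies the binary elsewhere will sidestep it; a publisher rule built from the signature returned by `Get-AppLockerFileInformation` is the more durable choice, and blocking the tool's domains at the proxy, as Rapid7 also recommends, covers the case where the binary is never written to disk in a predictable location.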

A public GitHub repo containing a catalog of RMM solutions, their binary names, and associated domains can be found here.