Security analysts have discovered an active social engineering campaign targeting enterprises, utilizing spam emails to gain initial access to their networks for subsequent exploitation.
“The incident entails a threat actor inundating a user’s email with spam while also reaching out via phone call, purportedly offering assistance,” explained Rapid7 researchers Tyler McGraw, Thomas Elkins, and Evan McCann.
Rapid7 has detected an ongoing social engineering campaign targeting several managed detection and response (MDR) clients. In this scenario, the threat actor inundates a user’s email with spam and follows up with a phone call, offering assistance. The actor then encourages affected users to install remote monitoring and management software like AnyDesk or use Microsoft’s Quick Assist feature to establish a remote connection. Once connected, the threat actor proceeds to download payloads from their infrastructure to harvest user credentials and maintain persistence on the compromised device.
In one instance, Rapid7 observed the threat actor deploying Cobalt Strike beacons to other devices within the compromised network. While no ransomware deployment was observed in the cases Rapid7 handled, the observed indicators of compromise were previously associated with the Black Basta ransomware operators, as per OSINT and other incident response engagements managed by Rapid7.
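A defender can hunt for the chain described above by correlating a mail flood on one mailbox with a remote-assistance tool started by the same user shortly afterwards. The sketch below is an added example, not code from Rapid7 or the original article; the process image names, thresholds, event tuple layout, sample telemetry, and the assumption that mailbox and endpoint events share one user identifier are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: process image names for the tools named above, and all thresholds.
REMOTE_TOOLS = {"anydesk.exe", "quickassist.exe"}
FLOOD_THRESHOLD = 50                    # inbound messages per mailbox ...
FLOOD_WINDOW = timedelta(hours=1)       # ... within this sliding window
FOLLOWUP_WINDOW = timedelta(hours=4)    # remote tool launch this soon after the flood

def flood_times(mail_events):
    """Map each user to the moment their inbound mail first crossed the threshold."""
    by_user = defaultdict(list)
    for ts, user in mail_events:
        by_user[user].append(ts)
    floods = {}
    for user, times in by_user.items():
        times.sort()
        lo = 0
        for hi, ts in enumerate(times):
            while ts - times[lo] > FLOOD_WINDOW:   # shrink window from the left
                lo += 1
            if hi - lo + 1 >= FLOOD_THRESHOLD:
                floods[user] = ts
                break
    return floods

def correlate(mail_events, proc_events):
    """Alert when a flooded user starts a remote-assistance tool soon afterwards."""
    floods = flood_times(mail_events)
    alerts = []
    for ts, user, host, image in proc_events:
        name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        start = floods.get(user)
        if name in REMOTE_TOOLS and start is not None \
                and timedelta(0) <= ts - start <= FOLLOWUP_WINDOW:
            alerts.append((user, host, name, ts - start))
    return alerts

# Constructed sample telemetry (not from the Rapid7 report).
T0 = datetime(2024, 5, 13, 9, 0, 0)
MAIL = [(T0 + timedelta(seconds=30 * i), "alice") for i in range(60)]
MAIL += [(T0 + timedelta(minutes=10 * i), "bob") for i in range(5)]
PROCS = [
    (T0 + timedelta(minutes=65), "alice", "WS-014", r"C:\Windows\System32\quickassist.exe"),
    (T0 + timedelta(minutes=60), "bob", "WS-022", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"),
    (T0 + timedelta(days=1), "alice", "WS-014", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"),
]

if __name__ == "__main__":
    for user, host, tool, delay in correlate(MAIL, PROCS):
        print(f"ALERT {user}@{host}: {tool} started {delay} after mail flood")
```

Only the first process event alerts: the second user never crossed the mail threshold, and the third launch falls outside the follow-up window.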

The attack chain has also been leveraged to distribute additional remote monitoring and management tools like ConnectWise ScreenConnect, along with a remote access trojan known as NetSupport RAT. Recently, this RAT has been utilized by FIN7 actors in a malvertising campaign.
This development is significant given the suspected affiliations between FIN7 and Black Basta. Initially known for using point-of-sale (PoS) malware to commit financial fraud, FIN7 has since transitioned to ransomware operations, either as an affiliate or independently under aliases such as DarkSide and BlackMatter.
“After gaining access to the compromised asset, Rapid7 observed the threat actor attempting to deploy Cobalt Strike beacons, camouflaged as a legitimate Dynamic Link Library (DLL) named 7z.DLL, across other assets within the same network using the Impacket toolset,” revealed Rapid7.
Proofpoint has unveiled details of a fresh LockBit Black (also known as LockBit 3.0) ransomware campaign, wherein the Phorpiex (also known as Trik) botnet serves as a conduit for delivering email messages containing the ransomware payload.
The campaign, initiated on April 24, 2024, witnessed the distribution of millions of messages in what appears to be a high-volume operation. At present, the identity of the perpetrators remains unclear.
Researchers from Proofpoint pointed out that the LockBit Black sample observed in this campaign likely originates from the LockBit builder leaked during the summer of 2023. They emphasized that this builder grants threat actors access to proprietary and sophisticated ransomware, and when coupled with the well-established Phorpiex botnet, significantly escalates the scope and potential success of such ransomware attacks.