
At least two US federal agencies fell victim to a “broader cyber campaign” that used legitimate remote monitoring and management (RMM) software to carry out phishing scams.
“Specifically, cybercriminals sent phishing emails prompting the download of legitimate RMM software, ScreenConnect (now ConnectWise Control) and AnyDesk, which the attackers used to compromise victims’ banks. It stole money from my account,” said a US cybersecurity official.
The joint advisory comes from the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
Although the attacks, which occurred in mid-June and mid-September 2022, were financially motivated, the attackers could use the unauthorized access for a variety of other activities, including selling that access to other hacking groups.
The use of remote-access software by criminal groups has long been a concern because it provides an effective pathway to establish local user access on a host without needing to elevate privileges or gain a foothold by other means.
In one instance, an attacker sent a phishing email containing a phone number to an employee’s government email address, directing the individual to a malicious domain. According to CISA, these emails are part of a help desk-themed social engineering attack orchestrated by the attackers to target federal government employees since at least June 2022.
The subscription-themed messages either contain “first-stage” fraudulent domains or rely on a tactic known as callback phishing, in which recipients are invited to call an attacker-controlled phone number and are then directed to the same domain.
Regardless of the approach used, the malicious domain triggers the download of a binary, which connects to a second-stage domain to retrieve the RMM software in the form of a portable executable.
The ultimate goal is to run a refund scam using the RMM software. The victim is instructed to log into their bank account, after which the attackers modify the account summary to make it appear that the individual was accidentally refunded an excessive amount.
In the final step, the scammer urges the email recipient to return the “extra” amount, effectively defrauding them of the funds.
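The chain above ends with a portable RMM executable running from wherever the victim's browser dropped it. The following detection logic, added here as an illustration and not part of the advisory or this article, scans constructed process-creation records for the two RMM clients named above launched from user-writable locations rather than from a sanctioned install path. The log format, the binary names in RMM_BINARIES and the sample records are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Client binary names for the RMM tools named in the advisory (assumed names,
# matched case-insensitively).
RMM_BINARIES = {
    "screenconnect.clientsetup.exe",
    "screenconnect.windowsclient.exe",
    "anydesk.exe",
}

# Locations a phishing download typically lands in. A sanctioned RMM
# deployment normally runs from Program Files, not from these paths.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)\\", re.I
)


def parse_event(line):
    """Parse one constructed tab-separated record: ts, user, image, parent."""
    ts, user, image, parent = line.rstrip("\n").split("\t")
    return {"ts": ts, "user": user, "image": image, "parent": parent}


def is_suspicious_rmm_launch(event):
    """True when a known RMM client starts from a user-writable directory."""
    name = PureWindowsPath(event["image"]).name.lower()
    if name not in RMM_BINARIES:
        return False
    return bool(USER_WRITABLE.search(event["image"]))


def find_suspicious_rmm_launches(lines):
    """Return the parsed events that match the portable-RMM pattern."""
    return [e for e in map(parse_event, lines) if is_suspicious_rmm_launch(e)]


# Constructed sample records (timestamp, user, image path, parent process).
SAMPLE_LOG = [
    "2022-06-15T10:22:01Z\tjdoe\tC:\\Users\\jdoe\\Downloads\\AnyDesk.exe"
    "\tC:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    "2022-09-12T14:05:44Z\tasmith\tC:\\Users\\asmith\\AppData\\Local\\Temp"
    "\\ScreenConnect.ClientSetup.exe\tC:\\Windows\\explorer.exe",
    "2022-09-12T14:07:10Z\tsvc-it\tC:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"
    "\tC:\\Windows\\System32\\services.exe",
    "2022-09-13T09:00:00Z\tjdoe\tC:\\Users\\jdoe\\Downloads\\setup-tool.exe"
    "\tC:\\Windows\\explorer.exe",
]

if __name__ == "__main__":
    for hit in find_suspicious_rmm_launches(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['user']} launched {hit['image']} from {hit['parent']}")
```

The third record shows why the path check matters: the same AnyDesk binary running from Program Files is not flagged, so an agency that has sanctioned the tool does not drown in false positives.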
CISA attributed this activity to a “massive Trojan operation” uncovered by cybersecurity firm Silent Push in October 2022. That said, other threat actors, including Luna Moth (aka Silent Ransom), employ similar phone-oriented attack delivery methods.
“This campaign highlights the threat of malicious cyber activity associated with legitimate RMM software. Attackers (from criminals to state-sponsored APTs) are known to use legitimate RMM software as a backdoor for persistence and/or command and control (C2),” the agencies warn.