An an ongoing campaign of social engineering with alleged ties to the Black Basta ransomware group, has been linked to “several attempted intrusions” to steal credentials and deploy malware called SystemBC.
“The initial bait used by threat actors remains the same: an email bomb followed by an attempt to call affected users and offer a fake solution,” Rapid7. saidadding that “external calls were typically made to affected users through Microsoft Teams.”
The attack chain then convinces the user to download and install a legitimate remote access software called AnyDesk, which acts as a conduit to deploy the following payloads and steal sensitive data.
This involves using an executable file called “AntiSpam.exe” that purports to download email spam filters and prompt users to enter their Windows credentials to complete the update.
After this step, several binaries, DLLs, and PowerShell scripts are executed, which include a Golang-based HTTP beacon that establishes communication with the remote server, a SOCKS proxy, and SystemBC.
To reduce the risk associated with the threat, it is recommended that you block all unapproved remote desktop solutions and monitor suspicious phone calls and text messages purporting to be from internal IT personnel.
Disclosure occurs as SocGholish (aka FakeUpdates), GootLoaderand Crimson Robin according to ReliaQuest data, in 2024 became the most common downloaders, which then act as a stepping stone for ransomware.
“GootLoader entered the top three this year, replacing QakBot as activity declined,” the cybersecurity firm reported. said.
“Malware downloaders are often advertised on cybercriminal forums on the dark web, such as XSS and Exploit, where they are sold to cybercriminals looking to facilitate network infiltration and payload delivery. These bootloaders are often offered through subscription models, with a monthly fee providing access to regular updates, support and new features designed to evade detection.”
One of the benefits of this subscription-based approach is that it allows even threat actors with limited technical expertise to launch sophisticated attacks.
Phishing attacks have also been observed that deliver information-stealing malware known as 0bj3ctivity Stealer using another loader called Ande Loader as part of a multi-layered distribution mechanism.
“The spread of malware through obfuscated and encrypted scripts, memory injection techniques, and the continued improvement of Ande Loader with features such as anti-debugging and string obfuscation highlight the need for advanced detection mechanisms and continuous research” — eSentire said.
The companies are just the latest in a series of phishing and social engineering attacks that have been discovered in recent weeks, even as threat actors become more common using fake QR codes for harmful purposes –
- A ClearFake company that levers compromised web pages to distribute .NET malware by pretending to download a Google Chrome update
- A company which uses fake websites posing as HSBC, Santander, Virgin Money and Wise to deliver a copy of AnyDesk remote monitoring and management (RMM) software to Windows and macOS users, which is then used to steal sensitive data
- A fake website (“win-rar(.)co”), which appears to distribute WinRAR, which is used to deploy ransomware, a cryptocurrency miner, and an information stealer called The death of theft which are hosted on GitHub
- A social media advertising campaign that hijacks Facebook pages to promote a seemingly legitimate artificial intelligence (AI) photo editor website through paid ads that entice victims to download the ITarian RMM tool and use it to deliver Lumma Stealer
“The targeting of social media users for malicious activities highlights the importance of robust security measures to protect account credentials and prevent unauthorized access,” Trend Micro researchers said.
