Threat hunters have called attention to a new campaign as part of which bad actors masqueraded as fake IT support to deliver the Havoc command-and-control (C2) framework as a precursor to data exfiltration or ransomware attack.
The intrusions, identified by Huntress last month across five partner organizations, involved the threat actors using email spam as lures, followed by a phone call from an IT desk that activates a layered malware delivery pipeline.
“In one organization, the adversary moved from initial access to nine additional endpoints over the course of eleven hours, deploying a mix of custom Havoc Demon payloads and legitimate RMM tools for persistence, with the speed of lateral movement strongly suggesting the end goal was data exfiltration, ransomware, or both,” researchers Michael Tigges, Anna Pham, and Bryan Masters said.
It’s worth noting that the modus operandi is consistent with email bombing and Microsoft Teams phishing attacks orchestrated by threat actors associated with the Black Basta ransomware operation in the past. While the cybercrime group appears to have gone silent following a public leak of its internal chat logs last year, the continued presence of the group’s playbook suggests two possible scenarios.
One possibility is that former Black Basta affiliates have moved on to other ransomware operations and are using them to mount fresh attacks, or two, rival threat actors have adopted the same strategy to conduct social engineering and obtain initial access.Â
The attack chain begins with a spam campaign aiming to overwhelm a target’s inboxes with junk emails. In the next step, the threat actors, masquerading as IT support, contact the recipients and trick them into granting remote access to their machines either via a Quick Assist session or by installing tools like AnyDesk to help remediate the problem.
With the access in place, the adversary wastes no time launching the web browser and navigating to a fake landing page hosted on Amazon Web Services (AWS) that impersonates Microsoft and instructs the victim to enter their email address to access Outlook’s anti-spam rules update system and update the spam rules.
Clicking a button to “Update rules configuration” on the counterfeit page triggers the execution of a script that displays an overlay asking the user to enter their password.
“This mechanism serves two purposes: it allows the threat actor (TA) to harvest credentials, which, when combined with the required email address, provides access to the control panel; concurrently, it adds a layer of authenticity to the interaction, convincing the user the process is genuine,” Huntress said.
The attack also hinges on downloading the supposed anti-spam patch, which, in turn, leads to the execution of a legitimate binary named “ADNotificationManager.exe” (or “DLPUserAgent.exe” and “Werfault.exe”) to sideload a malicious DLL. The DLL payload implements defense evasion and executes the Havoc shellcode payload by…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
