From spam to hacking: hackers offer help in the fight against intrusive mailings

Father

Some companies don't even know who is actually flooding them with emails.

The researchers found an actively developing social engineering campaign aimed at obtaining initial access to corporate IT systems for later exploitation. Attackers bombard businesses with spam mailings to capture the attention of employees.

According to Rapid7, hackers literally flood victims with useless emails, and then call them, posing as IT specialists of the company and offering help in solving the problem. Users are asked to install remote management software like AnyDesk or use the Quick Assist tool built into Windows.

The campaign has been running since the end of April 2024. The spam consists mostly of emails confirming subscriptions to various mailing lists run by legitimate organizations. The flood also serves to overwhelm the filtering of unwanted messages on corporate mail servers.

After gaining remote access, the cybercriminals download malware to steal credentials and to maintain a persistent presence on the compromised systems. Various batch scripts are used for this purpose. One of them establishes a connection to the command-and-control server, downloads OpenSSH for Windows, and runs a reverse shell.
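The bombing stage described above is hard to catch with content filters, because each message is a genuine subscription confirmation from a legitimate list. What stands out is the volume: one mailbox receiving dozens of such confirmations from many different senders within minutes. The following script, an added example that is not part of the original post or of Rapid7's research, shows how a defender could flag that pattern over mail-gateway logs. The log line format, the recipient names and the threshold values are constructed assumptions; adapt the regex to your gateway's real export format.

```python
"""Flag mailboxes that receive a burst of subscription-confirmation mail.

Added example for detecting the email-bombing stage of the campaign; the log
format and all addresses below are constructed, not taken from a real system.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Subjects typical of newsletter sign-up confirmations. The bombing traffic is
# made of legitimate mail of this kind, which is why content filters pass it.
SUBSCRIPTION_SUBJECT = re.compile(
    r"(confirm your (subscription|email)|welcome to|verify your (email|account)|you'?re subscribed)",
    re.IGNORECASE,
)

# Constructed (hypothetical) gateway log line:
#   <ISO timestamp> to=<addr> from=<addr> subject="<text>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) to=(?P<to>\S+) from=(?P<from>\S+) subject="(?P<subject>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "to": m["to"].lower(),
        "from": m["from"].lower(),
        "subject": m["subject"],
    }


def find_email_bombs(lines, window=timedelta(minutes=10), threshold=25):
    """Return {recipient: summary} for every mailbox that received at least
    `threshold` subscription-style messages inside any sliding `window`.

    The summary holds the peak number of messages seen in one window, the
    number of distinct senders (many different lists is the bombing signature),
    and the time span of the burst."""
    recent = defaultdict(deque)   # recipient -> timestamps of recent subscription mail
    senders = defaultdict(set)    # recipient -> distinct sender addresses
    flagged = {}

    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])

    for e in events:
        if not SUBSCRIPTION_SUBJECT.search(e["subject"]):
            continue
        q = recent[e["to"]]
        q.append(e["ts"])
        senders[e["to"]].add(e["from"])
        # Drop timestamps that have fallen out of the sliding window.
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            entry = flagged.setdefault(
                e["to"], {"count": 0, "distinct_senders": 0, "window_start": q[0], "last": e["ts"]}
            )
            entry["count"] = max(entry["count"], len(q))
            entry["distinct_senders"] = len(senders[e["to"]])
            entry["last"] = e["ts"]
    return flagged


def build_sample_log():
    """Constructed sample: alice is bombed with 40 confirmations from 40 different
    lists in under eight minutes; bob gets two unrelated confirmations hours apart;
    carol receives ordinary internal mail."""
    base = datetime(2024, 5, 2, 9, 0, 0)
    lines = []
    for i in range(40):
        ts = base + timedelta(seconds=12 * i)
        lines.append(
            f'{ts.isoformat()} to=alice@corp.example from=noreply@list{i}.example '
            f'subject="Confirm your subscription to Newsletter {i}"'
        )
    lines.append(f'{(base + timedelta(hours=1)).isoformat()} to=bob@corp.example '
                 f'from=news@vendor.example subject="Welcome to Vendor Updates"')
    lines.append(f'{(base + timedelta(hours=9)).isoformat()} to=bob@corp.example '
                 f'from=hello@saas.example subject="Please verify your email"')
    lines.append(f'{(base + timedelta(minutes=3)).isoformat()} to=carol@corp.example '
                 f'from=pm@corp.example subject="Sprint planning notes"')
    return lines


if __name__ == "__main__":
    for mailbox, info in find_email_bombs(build_sample_log()).items():
        print(f"{mailbox}: {info['count']} confirmations from {info['distinct_senders']} senders "
              f"between {info['window_start']} and {info['last']}")
```

A hit from this check is the moment to warn the affected user that a "helpdesk" call asking them to start Quick Assist or install AnyDesk may follow; pairing the alert with process-creation telemetry for those tools on the same user's workstation turns the two halves of the campaign into one correlated detection.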

In one of the recorded cases, the attackers tried to deploy Cobalt Strike to spread across the corporate network, but the attempt was unsuccessful. In the same intrusions, remote administration tools such as ConnectWise ScreenConnect and the NetSupport RAT were used.

The researchers note that the campaign closely resembles earlier operations linked to the Black Basta ransomware. They also see signs of involvement by the hacker group FIN7, which recently used NetSupport RAT in a malvertising campaign.

Initially, FIN7 specialized in financial fraud, using malware to steal payment card data from point-of-sale terminals. More recently, however, the group has moved into ransomware, acting either as an affiliate or independently under the names DarkSide and BlackMatter.

Although there is currently no evidence of ransomware activity within the described operation, the experts warn that its participants have every capability needed to carry out attacks of this type.