Continuous Update of Social Engineering Campaign Payloads | Rapid7 Blog

Rapid7 identified ongoing social engineering campaigns where threat actors lure users via email bombs and follow-up calls to coax them into downloading AnyDesk for remote access, enabling payload deployment and data exfiltration. The campaigns feature a new credential-harvesting tool (AntiSpam.exe), multiple payloads (including SystemBC), CVE-2022-26923 exploitation, and reverse SSH tunnels for lateral movement, with mitigations emphasizing application allowlisting and user education. #AnyDesk #AntiSpamExe #SystemBC #CVE-2022-26923

Key points

  • Threat actors employ social engineering via email and phone to initiate intrusions.
  • Victims are lured to download AnyDesk to enable remote access for attackers.
  • A new credential harvesting tool, AntiSpam.exe, has been observed.
  • Payloads include SystemBC malware and attempts to exploit CVE-2022-26923.
  • Reverse SSH tunnels are used to facilitate lateral movement within networks.
  • Rapid7 recommends application allowlisting and user education to mitigate risk.

MITRE Techniques

  • [T1003] Credential Dumping – The credential harvester AntiSpam.exe collects user credentials and saves them to disk.
  • [T1219] Remote Access Tools – AnyDesk is used for remote access to the victim’s machine.
  • [T1203] Exploitation of Vulnerability – Exploits CVE-2022-26923 to add a machine account for privilege escalation.
  • [T1071] Command and Control – Various payloads establish connections to command and control servers.
  • [T1021] Lateral Movement – Reverse SSH tunnels are used to move laterally within the network.

Indicators of Compromise

  • [Domain/IPv4 Address] Network-based indicators (NBIs) – spamicrosoft[.]com, 37.221.126[.]202, 91.196.70[.]160 (SOCKS proxy server). These NBIs are used for external Microsoft Teams communications and for C2/SOCKS proxy operations.
  • [File] Host-based indicators (HBIs) – AntiSpam.exe (ed062c189419bca7d8c816bcdb1a150c7ca7dd1ad6e30e1f46fae0c10ab062ef, d512bf205fb9d1c429a7f11f3b720c74680ea88b62dda83372be8f0de1073a08); update1.exe (24b6ddd3028c28d0a13da0354333d19cbc8fd12d4351f083c8cb3a93ec3ae793); update4.exe (9c1e0c8c5b9b9fe9d0aa533fb7d9d1b57db98fd70c4f66a26a3ed9e06ac132a7). These correspond to the credential-harvesting and SOCKS proxy payloads; their original filenames are noted in the article.

Read more: https://www.rapid7.com/blog/post/2024/08/12/ongoing-social-engineering-campaign-refreshes-payloads/