Unwanted Gifts: Major Campaign Lures Targets with Fake Party Invites

MITRE Techniques

• [T1566] Phishing – The campaign begins with phishing emails using lures such as “Party Invitation” or “December Holiday Party” to deliver malicious URLs (“The emails contain malicious URLs linking to setup executables or MSI installers.”).
• [T1204] User Execution – Malicious MSI/EXE installers are delivered and executed by victims (“The emails contain malicious URLs linking to setup executables or MSI installers.”).
• [T1071] Application Layer Protocol – Attackers use legitimate remote access RMM applications (ScreenConnect, LogMeIn Resolve, Naverisk) to communicate and move laterally (“ScreenConnect would then be used to download an additional attacker toolset.” ).
• [T1574] Hijack Execution Flow (Signed Installer Abuse) – Signed installers are used to deliver RMM installers and secondary tools, abusing legitimate installation flows (“The emails contain malicious URLs linking to setup executables or MSI installers. In some cases the installers are signed.”).
• [T1536] Credentials from Web Browsers – Tools like WebBrowserPassView are used to harvest stored browser credentials (“WebBrowserPassView: A password-recovery tool that reveals the passwords stored by multiple web browsers.”).
• [T1562] Impair Defenses – Tools such as Defender Control are deployed to disable Windows Defender (“Defender Control: A tool for disabling Windows Defender.”).
• [T1105] Ingress Tool Transfer – Secondary tools (HideMouse, WebBrowserPassView, Defender Control, others) are downloaded and installed post-compromise via RMM channels (“ScreenConnect would then be used to download an additional attacker toolset.”).
• [T1090] Proxy/Redundancy via Multiple RMMs – Installing multiple RMM tools over time to maintain access and redundancy (“They are now infecting its victims with multiple RMM tools… often a period of time can elapse between installations.”).