Hackers Abuse ScreenConnect to Hijack PCs via Fake Social Security Emails

Researchers at Forcepoint X-labs found a campaign targeting organisations in the UK, US, Canada, and Northern Ireland in which attackers impersonate the US Social Security Administration to trick users into running a malicious .cmd script. The script disables Windows defenses, hides payloads in Alternate Data Streams, and silently installs ConnectWise ScreenConnect as a persistent RAT to reach high-value sectors. #SSA #ConnectWiseScreenConnect

Key points

  • The campaign begins with a phishing email using a fake SSA domain and spelling errors to lure victims.
  • A delivered .cmd script uses PowerShell auto-elevation to obtain administrator privileges.
  • The script disables Windows SmartScreen, removes the Mark-of-the-Web, and uses Alternate Data Streams to hide files.
  • It silently installs ConnectWise ScreenConnect v25.2.4.9229 with a revoked certificate and a hardcoded callback to dof-connecttop on the Aria Shatel Company Ltd network (Iran) via port 8041.
  • Attackers focus on government, healthcare, and logistics data; treat unexpected government attachments as potential threats.
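The key points above describe a chain of host behaviours (script launched from a download, PowerShell auto-elevation, SmartScreen switched off, Mark-of-the-Web stripped, a payload written into an alternate data stream, a silent MSI install, and a ScreenConnect client calling out on port 8041) that a defender can look for in endpoint telemetry. The script below is an added illustration, not code from Forcepoint or Hackread: it classifies a set of constructed, Sysmon-like event records (the field names, paths, user name and `relay.example.invalid` host are assumptions and placeholders, not indicators from the report) and counts how many distinct steps of the chain appear on one host.

```python
"""Classify simplified endpoint events against the behaviour chain of the
reported ScreenConnect campaign.  Added example with constructed data; the
event shape is an assumed, Sysmon-like schema, not a real vendor format."""
import re

# Drive-letter path whose last component carries a ':stream' suffix, e.g.
# C:\dir\readme.txt:setup.msi (an NTFS alternate data stream).
ADS_PATH_RE = re.compile(r"^[A-Za-z]:\\.*:[^\\:]+$")

# Constructed sample telemetry.  Event ids follow Sysmon's numbering
# (1 process create, 3 network connection, 13 registry value set,
# 15 file stream created) but the field names are this example's own.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\Downloads\SSA_Benefit_Statement.cmd"'},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -Command Start-Process cmd.exe -Verb RunAs -ArgumentList '/c stage2.cmd'"},
    {"id": 13,
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SmartScreenEnabled",
     "details": "Off"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -Command Unblock-File -Path C:\Users\alice\Downloads\stage2.cmd"},
    {"id": 15, "target_filename": r"C:\Users\alice\AppData\Local\Temp\readme.txt:setup.msi"},
    {"id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\Users\alice\AppData\Local\Temp\readme.txt:setup.msi /qn"},
    {"id": 3,
     "image": r"C:\Program Files (x86)\ScreenConnect Client (PLACEHOLDER)\ScreenConnect.ClientService.exe",
     "dest_host": "relay.example.invalid", "dest_port": 8041},  # placeholder host
    # Benign noise: an ordinary browser connection that must not be flagged.
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "www.example.com", "dest_port": 443},
]


def _is_ads(path):
    """True when the path names an alternate data stream rather than a file."""
    return bool(ADS_PATH_RE.match(path))


def classify(event):
    """Return the name of the campaign step an event matches, or None."""
    eid = event.get("id")
    if eid == 1:
        raw = event.get("cmdline", "")
        cmd = raw.lower()
        if "-verb runas" in cmd:                       # PowerShell self-elevation
            return "powershell_auto_elevation"
        if "unblock-file" in cmd or "zone.identifier" in cmd:
            return "motw_removal"                      # Mark-of-the-Web stripped
        if "msiexec" in cmd and "/qn" in cmd and any(_is_ads(t) for t in raw.split()):
            return "silent_install_from_ads"           # quiet MSI install from a stream
        if ".cmd" in cmd and "\\downloads\\" in cmd:
            return "script_run_from_downloads"
        return None
    if eid == 13:
        key = event.get("target_object", "").lower()
        if key.endswith("\\smartscreenenabled") and event.get("details", "").lower() == "off":
            return "smartscreen_disabled"
        return None
    if eid == 15:
        name = event.get("target_filename", "")
        # Browsers legitimately write Zone.Identifier streams; other streams are unusual.
        if _is_ads(name) and not name.lower().endswith(":zone.identifier"):
            return "ads_file_hidden"
        return None
    if eid == 3:
        if "screenconnect" in event.get("image", "").lower() and event.get("dest_port") == 8041:
            return "screenconnect_callback_8041"
        return None
    return None


def analyse(events):
    """Return (step_name, event_index) for every event that matches a step."""
    return [(step, i) for i, e in enumerate(events) if (step := classify(e))]


def campaign_score(events):
    """Number of distinct chain steps observed; several together is the signal."""
    return len({step for step, _ in analyse(events)})


def matches_campaign(events, threshold=3):
    """Flag a host once at least `threshold` distinct steps are seen."""
    return campaign_score(events) >= threshold


if __name__ == "__main__":
    for step, idx in analyse(SAMPLE_EVENTS):
        print(f"event {idx}: {step}")
    print("distinct steps:", campaign_score(SAMPLE_EVENTS),
          "-> campaign match" if matches_campaign(SAMPLE_EVENTS) else "-> no match")
```

The score counts distinct steps rather than raw hits so that a single noisy indicator (one `Unblock-File` by an administrator, say) does not trigger on its own, while the combination the report describes does; the Zone.Identifier exclusion keeps normal browser downloads from being counted as hidden payloads.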

Read More: https://hackread.com/hackers-screenconnect-hijack-pcs-fake-social-security-emails/