Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream

In late January 2025, an MSP administrator fell victim to a sophisticated phishing email that mimicked an authentication alert for a remote management tool, leading to a ransomware attack by Qilin actors. The incident highlights how exposed MSPs and, through them, their clients are to targeted phishing campaigns. The attackers used lookalike domains and the evilginx framework to harvest credentials. Affected: Managed Service Providers, Cybersecurity

Key points:

  • Phishing email targeted an MSP administrator, claiming to be an authentication alert.
  • Qilin ransomware actors gained access to the administrator’s credentials and launched attacks on the MSP’s customers.
  • Attack attributed to ransomware affiliate STAC4365, with a history of similar phishing activities.
  • Fake ScreenConnect domains used to intercept credentials and MFA tokens.
  • The phishing campaign utilized the evilginx framework for credential harvesting.
  • Qilin ransomware applies double extortion through a Tor-based data-leak site.
  • Attackers utilized compromised credentials to deploy ransomware to multiple customer environments.
  • Defense evasion tactics were leveraged, such as modifying boot options and utilizing Incognito mode.
  • Unique ransom notes were tailored for individual victims, indicating specific targeting.

MITRE Techniques:

  • T1071.001: Application Layer Protocol – Web Protocols used for phishing traffic.
  • T1070.004: Indicator Removal on Host – Cleared logs after executing the attack.
  • T1078: Valid Accounts – Gained access using stolen administrative credentials.
  • T1190: Exploit Public-Facing Application – Exploited the legitimate ScreenConnect application via a phishing technique.
  • T1098: Account Manipulation – Changed user account credentials during the attack.
  • T1557: Adversary-in-the-Middle – Used evilginx for credential harvesting.
  • T1027.002: Obfuscated Files or Information – Utilized disguised malicious files such as ‘ru.msi’ and ‘veeam.exe’.

Indicators of Compromise:

  • [Domain] cloud.screenconnect[.]com.ms
  • [Domain] awstrack[.]me
  • [IP Address] 186.2.163[.]10
  • [Hash]
  • [URL] hxxps[:]//cloud.screenconnect[.]com.ms/suKcHZYV/1/010001948f5ca748-c4d2fc4f-aa9e-40d4-afe9-bbe0036bc608-000000/mWU0NBS5qVoIVdXUd4HdKWrsBSI=410
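The key points above describe fake ScreenConnect domains fronting an evilginx adversary-in-the-middle proxy, and the list just given supplies the defanged indicators. The following script is an added example, not code from the page or from Sophos: it refangs the listed indicators, then scans a few constructed proxy-log lines for exact indicator hits and for any host that carries the "screenconnect" brand outside the legitimate screenconnect.com zone (the allow-list suffix is an assumption; adjust it to your own tenant's hostnames).

```python
"""Match defanged IoCs and ScreenConnect lookalike hosts in proxy/DNS logs.

Added example for the Qilin/ScreenConnect digest; not the page's own tooling.
"""
import re
from urllib.parse import urlparse

# Indicators exactly as listed (defanged) on the page.
DEFANGED_IOCS = [
    "cloud.screenconnect[.]com.ms",
    "awstrack[.]me",
    "186.2.163[.]10",
    "hxxps[:]//cloud.screenconnect[.]com.ms/suKcHZYV/1/010001948f5ca748-c4d2fc4f-aa9e-40d4-afe9-bbe0036bc608-000000/mWU0NBS5qVoIVdXUd4HdKWrsBSI=410",
]

# Assumption: legitimate hosted ScreenConnect instances live under this zone.
LEGIT_ZONE = "screenconnect.com"


def refang(ioc: str) -> str:
    """Undo common defanging: [.] -> ., [:] -> :, leading hxxp -> http."""
    s = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def ioc_host(ioc: str) -> str:
    """Return the lower-cased host part of a refanged domain, IP or URL IoC."""
    s = refang(ioc)
    if "://" in s:
        return (urlparse(s).hostname or "").lower()
    return s.lower()


KNOWN_BAD_HOSTS = {ioc_host(i) for i in DEFANGED_IOCS}


def is_lookalike(host: str) -> bool:
    """True when a host uses the ScreenConnect brand but is not in LEGIT_ZONE.

    'cloud.screenconnect.com.ms' passes a casual glance because the legitimate
    name is a prefix of it; suffix matching on the registrable zone catches it.
    """
    host = host.lower().rstrip(".")
    if "screenconnect" not in host:
        return False
    return not (host == LEGIT_ZONE or host.endswith("." + LEGIT_ZONE))


# Constructed sample log lines (timestamp, user, host, URL); not real data.
SAMPLE_LOG = """\
2025-01-28T09:14:02Z admin1 cloud.screenconnect.com https://cloud.screenconnect.com/Login
2025-01-28T09:15:41Z admin1 awstrack.me https://awstrack.me/constructed-path
2025-01-28T09:15:43Z admin1 cloud.screenconnect.com.ms https://cloud.screenconnect.com.ms/constructed-path
2025-01-28T09:16:10Z admin1 186.2.163.10 https://186.2.163.10/
2025-01-28T10:02:55Z user7 screenconnect.example.net https://screenconnect.example.net/
"""


def scan_log(text: str):
    """Return (timestamp, user, host, reason) for each suspicious line.

    reason is 'known-ioc' for an exact indicator match and 'lookalike' for a
    brand-bearing host outside the legitimate zone.
    """
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the sweep
        ts, user, host, _url = parts[:4]
        host = host.lower()
        if host in KNOWN_BAD_HOSTS:
            hits.append((ts, user, host, "known-ioc"))
        elif is_lookalike(host):
            hits.append((ts, user, host, "lookalike"))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

Run against the constructed lines, the legitimate cloud.screenconnect.com login is left alone, the three listed indicators are reported as known-ioc, and the brand-bearing host on another zone is reported as lookalike. In a real sweep, feed it the host column of your proxy or DNS logs for the days around the phishing email and follow up any lookalike hit on an administrator account with a credential and MFA reset.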

Full Story: https://news.sophos.com/en-us/2025/04/01/sophos-mdr-tracks-ongoing-campaign-by-qilin-affiliates-targeting-screenconnect/