Cyble CRIL uncovered a Zoom-themed phishing site that leads victims to download ScreenConnect, giving attackers remote access to their devices. The same infrastructure also sends SSA-themed spam messages that push the same downloads and supports several fraud schemes.
Key points
- Phishing site mimics Zoom to facilitate the download of ScreenConnect software.
- ScreenConnect enables attackers to remotely access and control victims’ computers.
- The same infrastructure hosts other scams targeting SSA account holders.
- Spam emails falsely claim to be from SSA support, urging victims to download applications.
- Scammers manipulate refunds to pressure victims into transferring funds.
- The installation process is engineered to look legitimate, aided by digitally signed binaries and embedded resources.
MITRE Techniques
- [T1566] Phishing – Uses a phishing website to lure victims.
- [T1219] Remote Access Software – Installs ScreenConnect for remote access.
- [T1204.002] User Execution: Malicious File – Scammers rely on users to execute the ScreenConnect software.
- [T1027] Obfuscated Files or Information – .NET binaries are stored in the resource section of the main executable.
Indicators of Compromise
- [Domain] zoominvite.live – Phishing site
- [Domain] poyttwq.zapto.org – Remote server
- [Domain] railindiaticket.in – Phishing site
- [IP] 79.110.49.157 – Resolved IP
- [SHA256] 4e81851729d58f321bb83bdb03200f62bc5ee56e0703b2d609a3923a033d5b53 – Zoom.exe
- [File] Private-Meeting.ClientSetup.exe – Downloaded binary used to install ScreenConnect
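An added triage helper (not code from the Cyble post) that checks the indicators above against constructed proxy and DNS log lines, and additionally flags any `*.ClientSetup.exe` download served from a host other than the organisation's own ScreenConnect instance; the approved-host value, the log format and the installer naming rule are assumptions.

```python
import re

# Indicators listed in the advisory above.
IOC_DOMAINS = {"zoominvite.live", "poyttwq.zapto.org", "railindiaticket.in"}
IOC_IPS = {"79.110.49.157"}
IOC_SHA256 = {"4e81851729d58f321bb83bdb03200f62bc5ee56e0703b2d609a3923a033d5b53"}

# Assumption (placeholder): hosts from which this organisation legitimately
# serves its own ScreenConnect client installer.
APPROVED_SCREENCONNECT_HOSTS = {"support.example-corp.internal"}

# Constructed sample events in a simple key=value format (proxy and DNS).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z proxy user=alice host=zoominvite.live path=/join/Private-Meeting.ClientSetup.exe sha256=4e81851729d58f321bb83bdb03200f62bc5ee56e0703b2d609a3923a033d5b53
2024-05-01T10:02:11Z proxy user=bob host=support.example-corp.internal path=/Bin/ScreenConnect.ClientSetup.exe sha256=aaaa
2024-05-01T10:05:42Z dns user=carol query=api.poyttwq.zapto.org answer=79.110.49.157
2024-05-01T10:07:00Z proxy user=dave host=cdn.example.net path=/downloads/notes.pdf sha256=bbbb
2024-05-01T10:09:30Z proxy user=erin host=files.free-host.test path=/x/Helpdesk.ClientSetup.exe sha256=cccc
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def domain_matches(host, indicator_domains):
    """True if host equals an indicator domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in indicator_domains)


def triage_line(line):
    """Return the reasons a single log line is suspicious (empty list if clean)."""
    fields = dict(KV_RE.findall(line))
    reasons = []
    host = fields.get("host") or fields.get("query") or ""
    if host and domain_matches(host, IOC_DOMAINS):
        reasons.append("ioc-domain")
    if fields.get("answer") in IOC_IPS or host in IOC_IPS:
        reasons.append("ioc-ip")
    if fields.get("sha256", "").lower() in IOC_SHA256:
        reasons.append("ioc-hash")
    # Assumption: ScreenConnect client installers are named <instance>.ClientSetup.exe;
    # one fetched from an unapproved host is a signal even without a known IoC.
    filename = fields.get("path", "").rsplit("/", 1)[-1].lower()
    if filename.endswith(".clientsetup.exe") and host not in APPROVED_SCREENCONNECT_HOSTS:
        reasons.append("unapproved-screenconnect-installer")
    return reasons


def triage(log_text):
    """Map user -> accumulated reasons for every line that trips at least one rule."""
    hits = {}
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            user = dict(KV_RE.findall(line)).get("user", "?")
            hits.setdefault(user, []).extend(reasons)
    return hits
```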
Read more: https://cyble.com/blog/scammers-use-screenconnect-to-defraud-ssa-beneficiaries/