Beware Of New Phishing Attack That Mimics ScreenConnect And Zoom

Zoom is a widely used videotelephony software used for virtual meetings, and its wide audience base attracts the hackers most.

Cyble Research & Intelligence Labs (CRIL) has uncovered a sophisticated phishing operation targeting Zoom users. 

The scheme utilizes a fraudulent portal that looks like Zoom’s website to attract the victims to download a remote access software called ScreenConnect.

After the installation, ScreenConnect is automatically able to connect to an unauthorized domain without the knowledge of the victim.

Such a breach provides the attackers with the ability to remotely control the affected machines and commit malicious activities.

Technical Analysis

The domain linked with the ScreenConnect installation resolves into an IP address that equally hosts another domain related to SSA account fraud activity.

This connection, highlighted by a Facebook user’s post, reveals a shared infrastructure used for multiple scams targeting diverse groups, indicating a broader, multi-faceted fraudulent operation.

An example of such a cyber threat is the Zoom phishing site that is visually portrayed in the figure that accompanies this text.

Using social engineering tactics, threat actors design phishing schemes aimed at controlling their targets to willingly give up the system.

It normally starts with a false message purportedly from reliable companies like Amazon, PayPal, or an official government body.

They are forced to use compromised infrastructure such as calling targeted fake support numbers or going to fake websites.

They later used even this level of engagement to ensure the victims would install remote access software, mainly ScreenConnect (now known as ConnectWise Control).

The software upon execution establishes a connection to its command and control (C2) server that enables the perpetrator to take control over the victim machine with all its programs.

The malware deployment process often involves sophisticated obfuscation techniques, including the use of signed binaries and sequential installation.

For instance, a campaign used Zoom Zoom-based phishing site to deploy malware with a function of the binary named Private-Meeting.ClientSetup.exe which also contained several layered PE files.

This dependency would unpackage and execute an MSI silently using a stolen digital signature so that it appears legit.

After favorable conditions are met when the ScreenConnect client is launched, it would connect to a hard-coded command and control server like “poyttwq.zapto.org” on port 8041.

With this access, the attackers then choose to use it for their advantage by accessing or controlling the victims’ financial accounts, initiating fraudulent transactions, or forcing victims into transferring funds under various pretexts.

A specific type of this scam, analyzed within a CISA advisory, involved the impersonation of Geek Squad and resulted in great financial losses through fake refund overpayments.

The infrastructure supporting these operations is most of the time put into multi-fraud operations as in this case where the C2 server has other suspicious sites like “railindiaticket[.]in” which was used in SSA impersonators scams.

The latter approach is sometimes described as “pig butchering,’ where over time the aim is to take down the victims’ resources in a systematic way using persistence and abuse of personal details.

Recommendations

Here below we have mentioned all the recommendations:-

• SSA uses official channels only.
• Avoid links and sharing info from suspicious messages.
• Confirm legitimacy by contacting SSA directly.
• SSA never asks for software downloads.
• Verify URLs are official SSA.

Download FreeIncident Response Plan Templatefor Your Security Team – Free Download