Cyber Attack

Beware Of New Phishing Attack That Mimics ScreenConnect And Zoom

Zoom is a widely used videotelephony software used for virtual meetings, and its wide audience base attracts the hackers most.

Cyble Research & Intelligence Labs (CRIL) has uncovered a sophisticated phishing operation targeting Zoom users. 

The scheme utilizes a fraudulent portal that looks like Zoom’s website to attract the victims to download a remote access software called ScreenConnect.

After the installation, ScreenConnect is automatically able to connect to an unauthorized domain without the knowledge of the victim.

Such a breach provides the attackers with the ability to remotely control the affected machines and commit malicious activities.

Technical Analysis

The domain linked with the ScreenConnect installation resolves into an IP address that equally hosts another domain related to SSA account fraud activity.

This connection, highlighted by a Facebook user’s post, reveals a shared infrastructure used for multiple scams targeting diverse groups, indicating a broader, multi-faceted fraudulent operation.

Social media post reporting support scam (Source – Cyble)

An example of such a cyber threat is the Zoom phishing site that is visually portrayed in the figure that accompanies this text.

Using social engineering tactics, threat actors design phishing schemes aimed at controlling their targets to willingly give up the system.

Phishing site (Source – Cyble)

It normally starts with a false message purportedly from reliable companies like Amazon, PayPal, or an official government body.

They are forced to use compromised infrastructure such as calling targeted fake support numbers or going to fake websites.

They later used even this level of engagement to ensure the victims would install remote access software, mainly ScreenConnect (now known as ConnectWise Control).

The software upon execution establishes a connection to its command and control (C2) server that enables the perpetrator to take control over the victim machine with all its programs.

The malware deployment process often involves sophisticated obfuscation techniques, including the use of signed binaries and sequential installation.

For instance, a campaign used Zoom Zoom-based phishing site to deploy malware with a function of the binary named Private-Meeting.ClientSetup.exe which also contained several layered PE files.

This dependency would unpackage and execute an MSI silently using a stolen digital signature so that it appears legit.

After favorable conditions are met when the ScreenConnect client is launched, it would connect to a hard-coded command and control server like “poyttwq.zapto.org” on port 8041.

With this access, the attackers then choose to use it for their advantage by accessing or controlling the victims’ financial accounts, initiating fraudulent transactions, or forcing victims into transferring funds under various pretexts.

A specific type of this scam, analyzed within a CISA advisory, involved the impersonation of Geek Squad and resulted in great financial losses through fake refund overpayments.

The infrastructure supporting these operations is most of the time put into multi-fraud operations as in this case where the C2 server has other suspicious sites like “railindiaticket[.]in” which was used in SSA impersonators scams.

The latter approach is sometimes described as “pig butchering,’ where over time the aim is to take down the victims’ resources in a systematic way using persistence and abuse of personal details.

Recommendations

Here below we have mentioned all the recommendations:-

  • SSA uses official channels only.
  • Avoid links and sharing info from suspicious messages.
  • Confirm legitimacy by contacting SSA directly.
  • SSA never asks for software downloads.
  • Verify URLs are official SSA.

Download FreeIncident Response Plan Templatefor Your Security Team – Free Download

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Indonesia Government Data Breach – Hackers Leaked 82 GB of Sensitve Data Online

Hackers have reportedly infiltrated and extracted a vast 82 GB of sensitive data from the Indonesian…

2 minutes ago

IBM AIX TCP/IP Vulnerability Lets Attackers Exploit to Launch Denial of Service Attack

IBM has issued a security bulletin warning of two vulnerabilities in its AIX operating system…

2 hours ago

Apache Auth-Bypass Vulnerability Lets Attackers Gain Control Over HugeGraph-Server

The Apache Software Foundation has issued a security alert regarding a critical vulnerability in Apache…

2 hours ago

USA Launched Cyber Attack on Chinese Technology Firms

The Chinese National Internet Emergency Center (CNIE) has revealed two significant cases of cyber espionage…

2 hours ago

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions…

1 day ago

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…

2 days ago