Friday, February 7, 2025
HomeCyber CrimeHackers Mimic Social Security Administration To Deliver ConnectWise RAT

Hackers Mimic Social Security Administration To Deliver ConnectWise RAT

Published on

SIEM as a Service

Follow Us on Google News

A phishing campaign spoofing the United States Social Security Administration emerged in September 2024, delivering emails with embedded links to a ConnectWise Remote Access Trojan (RAT) installer. 

These emails, disguised as updated benefits statements, employed various techniques, including mismatched links and “View Statement” buttons, to deceive recipients. 

It initially leveraged ConnectWise infrastructure for its command and control (C2) but later transitioned to dynamic DNS services and threat actor-hosted domains.

Observed activity increased significantly in early to mid-November, peaking around Election Day, suggesting a potential connection to the political climate.

Threat actors are employing sophisticated brand spoofing tactics in email campaigns targeting individuals, which leverage recognizable assets like logos from legitimate entities, such as the Social Security Administration, to create an illusion of authenticity. 

By embedding deceptive links that mimic official government webpages, these emails aim to trick recipients into clicking.

This can lead to malware infections or data theft, underscoring the increasing sophistication of cyber threats and the importance of robust cybersecurity measures for individuals and organizations.

A sample Social Security Administration-spoofing email using branded image assets

Through the use of a deceptive, one-time-use mechanism, the embedded link is able to redirect users to a ConnectWise RAT installer when they initially access the link.

However, subsequent attempts to access the same link redirect the user to a legitimate Social Security Administration website, suggesting the use of browser cookies to track previous visits. 

By setting a cookie during the first access, the system distinguishes between initial and repeat attempts.

This effectively limits the malicious payload delivery to a single instance per user, making analysis more challenging and increasing the difficulty of identifying and mitigating the threat.

When accessing the link on subsequent attempts, the site redirects to an official Social Security site.

Threat actors deploy credential phishing campaigns utilizing social engineering techniques as they craft emails mimicking legitimate entities (e.g., the Social Security Administration) to lure victims into clicking on malicious links. 

According to Cofense Intelligence, these links often lead to websites disguised as official portals requesting sensitive personal information. Data, including PII, financial details, and security questions like a mother’s maiden name, is harvested for identity theft and account takeover.

The phishing pages may also include malicious downloads such as Remote Access Trojans (RATs), granting attackers remote control over the victim’s device.

This enables threat actors to compromise accounts, steal funds, and potentially exploit the victim’s digital footprint further.

ANY.RUN Threat Intelligence Lookup - Extract Millions of IOC's for Interactive Malware Analysis: Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Hackers Leveraging Image & Video Attachments to Deliver Malware

Cybercriminals are increasingly exploiting image and video files to deliver malware, leveraging advanced techniques...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...