Hackers Mimic Social Security Administration To Deliver ConnectWise RAT

A phishing campaign spoofing the United States Social Security Administration emerged in September 2024, delivering emails with embedded links to a ConnectWise Remote Access Trojan (RAT) installer. 

These emails, disguised as updated benefits statements, employed various techniques, including mismatched links and “View Statement” buttons, to deceive recipients. 

It initially leveraged ConnectWise infrastructure for its command and control (C2) but later transitioned to dynamic DNS services and threat actor-hosted domains.

Observed activity increased significantly in early to mid-November, peaking around Election Day, suggesting a potential connection to the political climate.

Threat actors are employing sophisticated brand spoofing tactics in email campaigns targeting individuals, which leverage recognizable assets like logos from legitimate entities, such as the Social Security Administration, to create an illusion of authenticity. 

By embedding deceptive links that mimic official government webpages, these emails aim to trick recipients into clicking.

This can lead to malware infections or data theft, underscoring the increasing sophistication of cyber threats and the importance of robust cybersecurity measures for individuals and organizations.

Through the use of a deceptive, one-time-use mechanism, the embedded link is able to redirect users to a ConnectWise RAT installer when they initially access the link.

However, subsequent attempts to access the same link redirect the user to a legitimate Social Security Administration website, suggesting the use of browser cookies to track previous visits. 

By setting a cookie during the first access, the system distinguishes between initial and repeat attempts.

This effectively limits the malicious payload delivery to a single instance per user, making analysis more challenging and increasing the difficulty of identifying and mitigating the threat.

Threat actors deploy credential phishing campaigns utilizing social engineering techniques as they craft emails mimicking legitimate entities (e.g., the Social Security Administration) to lure victims into clicking on malicious links. 

According to Cofense Intelligence, these links often lead to websites disguised as official portals requesting sensitive personal information. Data, including PII, financial details, and security questions like a mother’s maiden name, is harvested for identity theft and account takeover.

The phishing pages may also include malicious downloads such as Remote Access Trojans (RATs), granting attackers remote control over the victim’s device.

This enables threat actors to compromise accounts, steal funds, and potentially exploit the victim’s digital footprint further.

ANY.RUN Threat Intelligence Lookup - Extract Millions of IOC's for Interactive Malware Analysis: Try for Free