An ongoing social engineering campaign with alleged links to the Black Basta ransomware group has been linked to “multiple intrusion attempts” with the goal of conducting credential theft and deploying a malware dropper called SystemBC.
“The initial lure being utilized by the threat actors remains the same: an email bomb followed by an attempt to call impacted users and offer a fake solution,” Rapid7 said, adding “external calls were typically made to the impacted users via Microsoft Teams.”
The attack chain then convinces the user to download and install a legitimate remote access software named AnyDesk, which acts as a channel for deploying follow-on payloads and exfiltrate sensitive data.
This includes the use of an executable called “AntiSpam.exe” that purports to download email spam filters and urges users to enter their Windows credentials to complete the update.
The step is followed by the execution of several binaries, DLL files, and PowerShell scripts, which includes a Golang-based HTTP beacon that establishes contact with a remote server, a SOCKS proxy, and SystemBC.
To mitigate the risk posed by the threat, it’s advised to block all unapproved remote desktop solutions and be on the lookout for suspicious phone calls and texts purporting to be from internal IT staff.
The disclosure comes as SocGholish (aka FakeUpdates), GootLoader, and Raspberry Robin have emerged as the most commonly observed loader strains in 2024, which then act as a stepping stone for ransomware, according to data from ReliaQuest.
“GootLoader is new to the top-three list this year, replacing QakBot as its activity declines,” the cybersecurity company said.
“Malware loaders are frequently advertised on dark web cybercriminal forums such as XSS and Exploit, where they are marketed to cybercriminals seeking to facilitate network intrusions and payload delivery. These loaders are often offered through subscription models, with monthly fees granting access to regular updates, support, and new features designed to evade detection.”
One advantage to this subscription-based approach is that it allows even threat actors with limited technical expertise to mount sophisticated attacks.
Phishing attacks have also been observed delivering an information stealer malware known as 0bj3ctivity Stealer by means of another loader called Ande Loader as part of a multi-layered distribution mechanism.
“The malware’s distribution through obfuscated and encrypted scripts, memory injection techniques, and the ongoing enhancement of Ande Loader with features like anti-debugging and string obfuscation underscore the need for advanced detection mechanisms and continuous research,” eSentire said.
These campaigns are just the latest in a spate of phishing and social engineering attacks that have been uncovered in recent weeks, even as threat actors are increasingly weaponizing fake QR codes for malicious purposes –
- A ClearFake campaign that leverages compromised web pages to spread .NET malware under the pretext of downloading a Google Chrome update
- A campaign that uses fake websites masquerading as HSBC, Santander, Virgin Money, and Wise to serve a copy of the AnyDesk Remote Monitoring and Management (RMM) software to Windows and macOS users, which is then used to steal sensitive data
- A fake website (“win-rar[.]co”) seemingly distributing WinRAR that’s used to deploy ransomware, cryptocurrency miner, and information stealer called Kematian Stealer that are hosted on GitHub
- A social media malvertising campaign that hijacks Facebook pages to promote a seemingly legitimate artificial intelligence (AI) photo editor website through paid ads that lure victims to download ITarian’s RMM tool and use it to deliver Lumma Stealer
“The targeting of social media users for malicious activities highlights the importance of robust security measures to protect account credentials and prevent unauthorized access,” Trend Micro researchers said.