2,000+ Devices Hacked Using Weaponized Social Security Statement Themes
A sophisticated phishing campaign masquerading as official Social Security Administration (SSA) communications has successfully compromised more than 2,000 devices, according to a recent investigation.
The attack, which leverages the trust associated with government correspondence, represents a concerning evolution in social engineering tactics designed to deliver malicious payloads to unsuspecting victims.
The cybercriminals behind this operation employed a multi-stage approach, first luring victims with emails containing links to convincingly designed phishing pages hosted on Amazon Web Services infrastructure.
The deceptive campaign directed users to a fraudulent webpage that mimicked official SSA communications, prompting them to “Access The Statement” through a prominently displayed button.
Upon clicking, victims were redirected to a secondary page containing download instructions for what appeared to be their Social Security statement.
The malware, disguised with the filename “US_SocialStatmet_ID544124.exe,” was designed to appear legitimate while containing a sophisticated backdoor mechanism.
CyberArmor analysts identified the malware as a specialized .NET application loader that executes a multi-stage infection process.
Their analysis revealed that the initial executable serves as a wrapper that unpacks and launches embedded components designed to establish persistent remote access to victim systems.
Telemetry data from the security firm confirms that a significant percentage of the over 2,000 users who interacted with the phishing lure unknowingly installed the malicious software.
The campaign’s effectiveness stems from its exploitation of trusted entities – both the Social Security Administration’s authority and Amazon’s hosting reputation – to bypass users’ security skepticism.
The targeting appears broad rather than focused on specific industries, though financial and healthcare sectors have been advised to exercise particular vigilance.
Infection Mechanism
The malware’s technical sophistication becomes apparent upon examining its operational framework. When executed, the .NET loader retrieves and deploys multiple embedded resources critical to its functionality.
The primary components include a resolver responsible for loading dependencies stored in a ‘FILES’ folder, which are necessary to execute ScreenConnect remote access software.
The malware then runs an ‘ENTRYPOINT’ file that functions as the main backdoor component, establishing a connection to the attacker’s command-and-control server at secure.ratoscbom.com on port 8041.
Analysis of the malware’s configuration reveals an XML structure that specifies the connection parameters for the ScreenConnect client.
This configuration contains encoded authentication credentials that enable the software to establish an unauthorized remote session without alerting the user.
The malware’s use of legitimate remote administration tools like ScreenConnect represents a concerning trend of “living off the land” techniques that leverage authorized software for malicious purposes.
The entire attack chain demonstrates a carefully orchestrated approach: from the initial phishing email, to the AWS-hosted landing page (hxxps://odertaoa[.]s3.us-east-1.amazonaws.com/ssa/US/index.html), to the downloadable executable with its embedded payload.
This multi-layered approach helps the attackers evade traditional security controls while maximizing infection success rates.
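For defenders who want to sweep their own telemetry for this campaign, the following script is an added example (not code from the article or from CyberArmor) that runs the indicators named above, the S3-hosted landing page, the dropped filename and the ScreenConnect C2 host and port, over a handful of constructed log lines. The log line layout, hostnames such as WS-17 and the timestamps are assumptions made for illustration; only the indicators themselves come from the article. Port 8041 on its own is deliberately not treated as a hit, since ScreenConnect and many other tools use it legitimately, so the script only escalates to a "c2_socket" finding when the port appears together with the named C2 domain.

```python
"""IoC sweep for the SSA-themed ScreenConnect campaign (added example).

Scans log lines for the indicators the article names. The log format,
hostnames and timestamps below are constructed for illustration.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Indicators taken from the article. The S3 URL is written defanged in the
# article (hxxps://odertaoa[.]s3...); we refang incoming lines before matching.
IOC_DOMAINS = {
    "secure.ratoscbom.com",                 # ScreenConnect C2 host
    "odertaoa.s3.us-east-1.amazonaws.com",  # AWS-hosted phishing landing page
}
IOC_PORT = 8041                             # C2 port named in the article
IOC_FILENAME = "US_SocialStatmet_ID544124.exe"
IOC_URL_PATH = "/ssa/US/index.html"


@dataclass
class Hit:
    line_no: int
    indicator: str
    kind: str      # filename | landing_url | domain | c2_socket
    raw: str


def refang(s: str) -> str:
    """Turn hxxps:// and [.] defanging back into real tokens for matching."""
    return s.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")


# Matches a dotted hostname with an optional :port suffix.
HOST_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})(?::(\d{1,5}))?")


def scan_line(line_no: int, line: str) -> list[Hit]:
    """Return every indicator hit found on one log line."""
    hits: list[Hit] = []
    text = refang(line)
    lower = text.lower()

    if IOC_FILENAME.lower() in lower:
        hits.append(Hit(line_no, IOC_FILENAME, "filename", line))
    if IOC_URL_PATH.lower() in lower:
        hits.append(Hit(line_no, IOC_URL_PATH, "landing_url", line))

    domain_hit = False
    for m in HOST_RE.finditer(text):
        host = m.group(1).lower()
        if host in IOC_DOMAINS:
            domain_hit = True
            hits.append(Hit(line_no, host, "domain", line))

    # Port alone is weak evidence; only escalate when it co-occurs with the C2 domain.
    port_seen = re.search(rf"\b{IOC_PORT}\b", text) is not None
    if domain_hit and port_seen:
        hits.append(Hit(line_no, f"domain+port {IOC_PORT}", "c2_socket", line))
    return hits


def sweep(lines: list[str]) -> list[Hit]:
    """Scan a list of log lines; line numbers are 1-based."""
    return [h for i, line in enumerate(lines, start=1) for h in scan_line(i, line)]


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Count hits by kind, e.g. for a triage summary."""
    return dict(Counter(h.kind for h in hits))


# Constructed sample telemetry (not real logs): proxy, EDR and firewall lines.
SAMPLE_LOGS = [
    "2024-05-01T10:02:11Z proxy user=jdoe GET hxxps://odertaoa[.]s3.us-east-1.amazonaws.com/ssa/US/index.html 200",
    "2024-05-01T10:03:40Z edr host=WS-17 process=US_SocialStatmet_ID544124.exe parent=chrome.exe action=create",
    "2024-05-01T10:04:02Z fw src=10.0.4.17 dst=secure.ratoscbom.com:8041 proto=tcp action=allow",
    "2024-05-01T10:05:00Z proxy user=asmith GET https://www.ssa.gov/myaccount/ 200",
]

if __name__ == "__main__":
    found = sweep(SAMPLE_LOGS)
    for h in found:
        print(f"line {h.line_no}: [{h.kind}] {h.indicator}")
    print(summarize(found))
```

Run the script as-is to see the three matching lines flagged and the legitimate ssa.gov request left alone; in practice you would feed it exported proxy, DNS, EDR and firewall lines and add further indicators as they are published.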