Over 2,000 Devices Compromised by Weaponized Social Security Statement Phishing Attacks

CyberArmor analysts have uncovered a meticulously crafted phishing campaign that has already compromised over 2,000 devices by exploiting the trusted theme of Social Security Administration (SSA) statements.

Cybercriminals behind this operation deployed a highly convincing email lure masquerading as an official SSA communication, deceiving users into downloading malicious software.

The campaign pairs a convincing pretext with the abuse of legitimate infrastructure (a public cloud storage bucket for the lure page and a commercial remote-access tool for the backdoor), both of which make the attackers’ activity harder to tell apart from benign traffic.

Sophisticated Phishing Campaign

The attack begins with a phishing email containing a URL that redirects victims to a counterfeit webpage hosted on Amazon Web Services (AWS) at hxxps://odertaoa[.]s3.us-east-1.amazonaws.com/ssa/US/index.html.

[Figure: Malware Overview]

Hosting the page in an S3 bucket gives the lure a genuine amazonaws.com hostname with a valid TLS certificate, which lowers suspicion among users unfamiliar with phishing tactics and can also slip past URL filtering that relies on domain reputation.

Once on the fake page, users are prompted to click “Access The Statement,” leading them to a secondary page with instructions to download a file named US_SocialStatmet_ID544124.exe.

Further instructions guide victims to execute the file, effectively installing malware on their systems.

This multi-stage deception highlights the attackers’ focus on user manipulation to ensure successful infection.

Malware Mechanics

Turning to the malware itself, the file identified by the SHA256 hash 1c939551452b2137b2bd727f13fab80da192f174d0311d23fc3c1c531cefdc87 is a .NET loader.

Upon execution, it unpacks and runs an embedded .NET application from its resources, initiating a two-pronged infection process.

The first component, a .NET assembly resolver, loads additional dependencies from a “FILES” folder to support the deployment of ScreenConnect, a legitimate remote desktop tool repurposed for malicious use.

The second component, dubbed the “ENTRYPOINT” file, acts as the primary backdoor: it connects to the command-and-control (C2) server secure.ratoscbom.com:8041, an address hardcoded in the loader. Port 8041 is the default port of the ScreenConnect relay service, consistent with the client being pointed at an attacker-controlled ScreenConnect server rather than one the victim organization operates.

This gives the malware a silent connection to the attacker’s infrastructure that looks like ordinary ScreenConnect traffic, granting unauthorized remote access to compromised systems.

The scope of this campaign is alarming, with CyberArmor’s telemetry confirming that a significant portion of the 2,000+ users who interacted with the phishing lure unknowingly installed the malware.

[Figure: Phish Page]

This incident serves as a stark reminder of the persistent threat posed by social engineering attacks, particularly those impersonating government entities.

To combat such threats, users are urged to verify all SSA communications by accessing documents exclusively through the official ssa.gov portal; a Social Security statement is a document to be viewed or downloaded there, never an executable to be run.

The report recommends that organizations bolster endpoint protection with real-time monitoring for unauthorized remote desktop tools, ScreenConnect included, since legitimate RMM software is routinely abused in exactly this way, and prioritize user training to recognize phishing attempts mimicking official correspondence.

Additionally, network traffic to ScreenConnect relays that are not part of the organization’s own deployment, and to the C2 host listed in the indicators below in particular, should be flagged and investigated promptly.
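The two recommendations above (watching for unauthorized remote desktop tools and flagging traffic to the campaign’s infrastructure) as a runnable hunt. This is an added example, not code from CyberArmor or from the report: it refangs the published IOCs, matches them against constructed proxy and EDR log lines, and separately flags ScreenConnect client processes whose relay host is not on an allow-list, since blocking the tool outright is rarely an option. The sample telemetry, the SANCTIONED_RELAYS allow-list and the assumption that the ScreenConnect client receives its relay as h= and p= query-string parameters are all the example’s own, not facts from the report.

```python
"""Hunt telemetry for the report's IOCs and for ScreenConnect clients on foreign relays."""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators exactly as published in the report (defanged form).
REPORTED_IOCS = {
    "sha256": ["1c939551452b2137b2bd727f13fab80da192f174d0311d23fc3c1c531cefdc87"],
    "c2": ["secure.ratoscbom.com:8041"],
    "url": ["hxxps://odertaoa[.]s3.us-east-1.amazonaws.com/ssa/US/index.html"],
}
# Relay hosts of the organisation's own ScreenConnect deployment (constructed placeholder;
# in practice populate it from the RMM inventory).
SANCTIONED_RELAYS = {"relay.example-corp.invalid"}
# Constructed sample telemetry; none of these lines comes from the report.
SAMPLE_PROXY_LOG = [
    "2025-05-12T14:02:11Z src=10.20.4.17 method=GET status=200 "
    "url=https://odertaoa.s3.us-east-1.amazonaws.com/ssa/US/index.html",
    "2025-05-12T14:03:40Z src=10.20.4.17 method=GET status=200 url=https://www.ssa.gov/myaccount/",
    "2025-05-12T14:05:02Z src=10.20.4.17 dst=secure.ratoscbom.com:8041 proto=tcp bytes_out=5120",
]
SAMPLE_EDR_LOG = [
    "host=WS-0417 event=file_create path=C:\\Users\\j.doe\\Downloads\\US_SocialStatmet_ID544124.exe "
    "sha256=1c939551452b2137b2bd727f13fab80da192f174d0311d23fc3c1c531cefdc87",
    'host=WS-0417 event=process_start image=C:\\ProgramData\\ScreenConnect.ClientService.exe '
    'cmdline="ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=secure.ratoscbom.com&p=8041&s=0000-constructed&k=x"',
    'host=WS-0099 event=process_start image="C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe" '
    'cmdline="ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.example-corp.invalid&p=443&s=1111-constructed&k=x"',
]

@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str
    line: str

def refang(ioc):
    """Reverse common defanging so a published IOC can be compared with raw telemetry."""
    return (ioc.replace("hxxps://", "https://").replace("hxxp://", "http://")
               .replace("[.]", ".").replace("[:]", ":"))

def build_patterns(iocs=REPORTED_IOCS):
    """A C2 is matched on its hostname (the port is informational); a URL on the full URL
    and on its host, so the same bucket serving a different path still hits."""
    pats = {"known_hash": set(), "known_c2": set(), "known_url": set()}
    pats["known_hash"].update(h.lower() for h in iocs["sha256"])
    pats["known_c2"].update(refang(c).rsplit(":", 1)[0].lower() for c in iocs["c2"])
    for url in (refang(u) for u in iocs["url"]):
        pats["known_url"].update({url.lower(), urlsplit(url).hostname.lower()})
    return pats

def match_iocs(lines, patterns=None):
    """One Finding per (line, indicator kind); detail is the first matching substring."""
    patterns = patterns or build_patterns()
    findings = []
    for line in lines:
        low = line.lower()
        for kind, subs in patterns.items():
            hits = sorted(s for s in subs if s in low)
            if hits:
                findings.append(Finding(kind, hits[0], line))
    return findings

# ScreenConnect's client service is started with query-string style arguments in which
# h= is the relay host and p= the relay port. That layout is an assumption of this
# example, not something the report documents.
SC_IMAGE = re.compile(r"screenconnect\.(clientservice|windowsclient)\.exe", re.I)
SC_PARAM = re.compile(r"[?&]([hp])=([^&\s\"]+)")

def check_screenconnect(process_lines, sanctioned=SANCTIONED_RELAYS):
    """Flag ScreenConnect clients whose relay host is not allow-listed: the tool itself is
    legitimate, so the relay it reports to is the discriminator."""
    allowed = {s.lower() for s in sanctioned}
    findings = []
    for line in process_lines:
        if not SC_IMAGE.search(line):
            continue
        params = dict(SC_PARAM.findall(line))
        host, port = params.get("h", "").lower(), params.get("p", "?")
        if not host:
            findings.append(Finding("screenconnect_relay_unknown", "no h= parameter", line))
        elif host not in allowed:
            findings.append(Finding("screenconnect_unsanctioned_relay", f"{host}:{port}", line))
    return findings

def run_hunt(proxy_lines=SAMPLE_PROXY_LOG, edr_lines=SAMPLE_EDR_LOG):
    return match_iocs(proxy_lines + edr_lines) + check_screenconnect(edr_lines)

def summarize(findings):
    return Counter(f.kind for f in findings)

if __name__ == "__main__":
    hits = run_hunt()
    for f in hits:
        print(f"[{f.kind}] {f.detail}\n    {f.line}")
    print(dict(summarize(hits)))
```

On the constructed sample, the hunt reports the lure URL once, the C2 host twice (once in the proxy log, once inside the ScreenConnect command line), the loader hash once, and one unsanctioned ScreenConnect relay; the client on WS-0099 pointed at the allow-listed relay produces nothing, which is the behaviour you want when the same tool is in legitimate use.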

CyberArmor continues to track this campaign and its associated infrastructure, urging heightened vigilance, especially among finance and healthcare sectors, which are often prime targets for such attacks.

Indicators of Compromise (IOC)

Indicator Type | Value
SHA256 (loader) | 1c939551452b2137b2bd727f13fab80da192f174d0311d23fc3c1c531cefdc87
C2 domain:port | secure.ratoscbom.com:8041
URL (lure page) | hxxps://odertaoa[.]s3.us-east-1.amazonaws.com/ssa/US/index.html
