“Multiple intrusion attempts” have been connected to an ongoing social engineering campaign purportedly tied to the Black Basta ransomware group, which aims to steal credentials and install a malware dropper named SystemBC.
What Do We Know About the Operation?
According to cybersecurity professionals, the approach is nothing out of the ordinary and follows the usual pattern of a social engineering attack: an email bomb, followed by a phone call to the victim offering a fake solution.
Subsequently, the attack chain persuades the user to download and install AnyDesk, a genuine remote access program that serves as a conduit for the delivery of additional payloads and the exfiltration of private information.
This involves an application called “AntiSpam.exe” that claims to download email spam filters and asks users to enter their Windows login credentials to complete the update.
After that, a number of programs, DLL files, and PowerShell scripts are run. These include a SOCKS proxy, SystemBC, and an HTTP beacon written in Golang that connects to a remote server.
To reduce the risk posed by the attack, it is recommended that all unauthorized remote desktop solutions be blocked and that suspicious calls and messages claiming to come from internal IT staff be treated as untrusted.
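As an added illustration that is not part of the original article, the following Python triage script applies the advice above to constructed process-creation records: it flags remote access tools missing from an allowlist, the “AntiSpam.exe” credential prompt, and scripting activity launched under an unapproved remote session. The allowlist, field layout and sample events are assumptions made for this example.

```python
# Added example (not from the original post): apply an allowlist of sanctioned
# remote access tools to constructed process-creation records and flag the
# chain the article describes (AnyDesk -> AntiSpam.exe -> PowerShell).
APPROVED_REMOTE_TOOLS = {"companyremote.exe"}  # constructed allowlist
KNOWN_REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "companyremote.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "rundll32.exe", "regsvr32.exe"}
LURE_BINARIES = {"antispam.exe"}  # credential-harvesting lure named in the article

# Constructed records: (event_id, time, pid, parent_pid, image_path)
SAMPLE_EVENTS = [
    ("e1", "10:00", 100, 1, "C:\\Windows\\explorer.exe"),
    ("e2", "10:05", 200, 100, "C:\\Users\\a\\Downloads\\AnyDesk.exe"),
    ("e3", "10:09", 300, 200, "C:\\Users\\a\\AppData\\Local\\Temp\\AntiSpam.exe"),
    ("e4", "10:12", 400, 200, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    ("e5", "10:15", 500, 100, "C:\\Program Files\\CompanyRemote\\companyremote.exe"),
    ("e6", "10:16", 600, 500, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
]


def image_name(path):
    """Return the lower-cased executable name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def unapproved_ancestor(pid, by_pid, depth=8):
    """Walk up the parent chain; True if the nearest remote tool is not approved."""
    while pid in by_pid and depth > 0:
        ppid, name = by_pid[pid]
        if name in KNOWN_REMOTE_TOOLS:
            return name not in APPROVED_REMOTE_TOOLS
        pid, depth = ppid, depth - 1
    return False


def triage(events):
    """Return (event_id, reason) findings for the given process-creation records."""
    by_pid = {pid: (ppid, image_name(img)) for _, _, pid, ppid, img in events}
    findings = []
    for event_id, _, pid, ppid, img in events:
        name = image_name(img)
        if name in KNOWN_REMOTE_TOOLS and name not in APPROVED_REMOTE_TOOLS:
            findings.append((event_id, f"unapproved remote access tool: {name}"))
        if name in LURE_BINARIES:
            findings.append((event_id, f"credential-prompt lure binary: {name}"))
        if name in SUSPICIOUS_CHILDREN and unapproved_ancestor(ppid, by_pid):
            findings.append((event_id, f"{name} launched under unapproved remote session"))
    return findings


if __name__ == "__main__":
    for event_id, reason in triage(SAMPLE_EVENTS):
        print(event_id, reason)
```

PowerShell under the approved tool (event e6) is left alone, so the rule keys on the allowlist rather than on PowerShell use alone.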
The discovery coincides with the emergence of SocGholish (also known as FakeUpdates), GootLoader, and Raspberry Robin as the most often detected loader strains in 2024. These strains serve as stepping stones for ransomware.
These loaders are often offered through subscription models, with monthly fees granting access to regular updates, support, and new features. An advantage offered by this subscription model is that it allows even threat actors with limited technical expertise to mount sophisticated attacks.