Black Basta-linked social engineering campaign bombards orgs with spam emails

Cybersecurity researchers have identified a sophisticated social engineering campaign aimed at enterprises, designed to infiltrate their systems through a combination of spam emails and manipulative phone calls.

The campaign, which began in late April 2024, involves mass-sending spam emails, primarily consisting of seemingly innocuous newsletter sign-up confirmation messages from legitimate organizations. This tactic is aimed at overwhelming email protection systems, making it easier for the threat actors to breach the target environment.
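As an added illustration of how a defender can spot the email-bombing stage described above (this is not code from the article or from Rapid7), the following Python script runs a per-mailbox sliding-window count over mail gateway logs and flags recipients receiving an abnormal burst of sign-up confirmation messages. The log line format, the subject patterns and the sample log are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed gateway log line format: "<ISO timestamp> <recipient> <sender> <subject>"
LOG_LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
# Flood mails are genuine confirmations from many senders: match the wording, then count per mailbox.
CONFIRM_RE = re.compile(
    r"confirm (your )?(subscription|email)|welcome to|verify your (email|address)"
    r"|thank you for (subscribing|signing up)", re.IGNORECASE)

def parse_line(line):
    """Return (timestamp, recipient, sender, subject), or None if unparseable."""
    m = LOG_LINE_RE.match(line.strip())
    if not m:
        return None
    ts, rcpt, sender, subject = m.groups()
    try:
        return datetime.fromisoformat(ts), rcpt.lower(), sender.lower(), subject
    except ValueError:
        return None

def find_email_bombs(lines, window=timedelta(minutes=10), threshold=15):
    """Return {recipient: (peak_count, distinct_senders_in_window)} for every
    mailbox whose confirmation-mail count within a sliding `window` reaches
    `threshold`. Events are sorted by timestamp first, so log order is irrelevant."""
    events = sorted(e for e in map(parse_line, lines) if e)
    recent, hits = defaultdict(deque), {}
    for ts, rcpt, sender, subject in events:
        if not CONFIRM_RE.search(subject):
            continue
        q = recent[rcpt]
        q.append((ts, sender))
        while ts - q[0][0] > window:  # evict messages older than the window
            q.popleft()
        if len(q) >= threshold:
            peak = max(len(q), hits.get(rcpt, (0, 0))[0])
            hits[rcpt] = (peak, len({s for _, s in q}))
    return hits

# Constructed sample log: a quiet mailbox and one receiving 30 confirmations in 3 minutes.
SAMPLE_LOG = [
    "2024-05-06T09:00:00 alice@example.com news@vendor-a.example Welcome to the Vendor A newsletter",
    "2024-05-06T12:30:00 alice@example.com hr@example.com Timesheet reminder",
] + [f"2024-05-06T10:{i // 10:02d}:{i % 10 * 6:02d} bob@example.com list-{i}@site{i}.example "
     "Please confirm your subscription" for i in range(30)]
if __name__ == "__main__":
    for rcpt, (peak, senders) in find_email_bombs(SAMPLE_LOG).items():
        print(f"{rcpt}: {peak} confirmation mails in one window from {senders} senders")
```

A hit on a mailbox is a cue to check that user for the follow-on "IT support" phone call and for new remote-access tool installs rather than to treat the flood as mere spam.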

After the initial stage, the threat actors escalate their attack by directly contacting affected users via phone calls, masquerading as IT personnel from the victims' organizations. The attackers attempt to trick the users into downloading remote monitoring and management software such as AnyDesk or leveraging Microsoft's Quick Assist feature to establish remote connections.

Upon gaining access to a user's system, the threat actors deploy a series of batch scripts, disguised as updates, to execute their malicious activities. These scripts establish persistence in the Windows registry and attempt to establish reverse shell connections to command-and-control (C2) servers, facilitating remote access to compromised assets.

Once inside the network, the attackers proceed to harvest credentials and maintain persistence in the victim environment. In some instances, according to Rapid7's findings, the attackers have attempted to deploy additional tools, including remote access trojans (RATs) such as NetSupport, and to move laterally over SMB. Of particular note is the threat actor's use of DLL side-loading techniques to deploy Cobalt Strike beacons.

Rapid7 researchers said that they have not observed successful data exfiltration or ransomware deployment in any of the investigated incidents. However, the indicators of compromise uncovered during forensic analysis suggest potential links to the Black Basta ransomware group.

Last week, the US security authorities released an advisory highlighting the Tactics, Techniques, and Procedures (TTPs) employed by Black Basta, along with Indicators of Compromise (IoCs).