August 16, 2024
Severity
High
Analysis Summary
Multiple infiltration attempts have been connected to an ongoing social engineering campaign purportedly affiliated with the Black Basta ransomware gang. The campaign's objectives are credential theft and the deployment of a malware dropper known as SystemBC.
Cybersecurity researchers said, “The initial lure being utilized by the threat actors remains the same: an email bomb followed by an attempt to call impacted users and offer a fake solution.”
The attack chain then persuades the user to download and install AnyDesk, a legitimate remote access program that serves as a conduit for delivering additional payloads and exfiltrating private information. This stage uses an application called "AntiSpam.exe" that claims to download email spam filters and asks users to enter their Windows login credentials to "finish the update."
After that, several executables, DLL files, and PowerShell scripts are run. These include a SOCKS proxy, SystemBC, and an HTTP beacon written in Golang that connects to a remote server. To reduce the risk posed by this attack, it is recommended to block all unauthorized remote desktop solutions and to monitor for suspicious calls and messages from people claiming to be internal IT staff.
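As an added illustration (not part of the original advisory), the following Python sketch shows how a defender could flag the sequence described above in process-creation telemetry: an unsanctioned remote-access tool starting, followed by suspicious child processes such as the fake "AntiSpam.exe" or PowerShell. The event fields, the sanctioned-tool allowlist, and the sample events are assumptions constructed for this example.

```python
from typing import Dict, List

# Remote-access tool the advisory names as abused in this campaign.
REMOTE_ACCESS_TOOLS = {"anydesk.exe"}
# Assumption: the tools your organization actually sanctions; adjust to your environment.
SANCTIONED_REMOTE_TOOLS = {"msra.exe"}
# Post-install activity the advisory describes: the fake "AntiSpam.exe" update
# and PowerShell/DLL execution launched after AnyDesk is installed.
SUSPICIOUS_CHILDREN = {"antispam.exe", "powershell.exe", "rundll32.exe"}


def _exe(path: str) -> str:
    """Normalize a Windows image path to a lowercase file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def scan_process_events(events: List[Dict[str, str]]) -> List[str]:
    """Return alert strings for process-creation events.

    Each event is a dict with Image, ParentImage and User fields
    (Sysmon Event ID 1 style; the field names are an assumption).
    """
    alerts = []
    for ev in events:
        image, parent = _exe(ev["Image"]), _exe(ev["ParentImage"])
        # Rule 1: a remote-access tool ran that is not on the allowlist.
        if image in REMOTE_ACCESS_TOOLS and image not in SANCTIONED_REMOTE_TOOLS:
            alerts.append(f"unauthorized remote access tool {image} run by {ev['User']}")
        # Rule 2: a remote-access tool spawned a child seen in this campaign.
        if parent in REMOTE_ACCESS_TOOLS and image in SUSPICIOUS_CHILDREN:
            alerts.append(f"{parent} spawned {image} for {ev['User']}")
    return alerts


# Constructed sample events: one benign launch, then the campaign's chain.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\alice"},
    {"Image": r"C:\Users\alice\Downloads\AnyDesk.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\alice"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\AntiSpam.exe",
     "ParentImage": r"C:\Users\alice\Downloads\AnyDesk.exe", "User": "CORP\\alice"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\alice\Downloads\AnyDesk.exe", "User": "CORP\\alice"},
]

if __name__ == "__main__":
    for alert in scan_process_events(SAMPLE_EVENTS):
        print(alert)
```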
The disclosure coincides with the finding that the most frequently detected loader strains in 2024 are SocGholish (also known as FakeUpdates), GootLoader, and Raspberry Robin. These strains serve as stepping stones for ransomware. This year, GootLoader has entered the top three, taking QakBot's place as QakBot's activity decreases.
On cybercriminal forums on the dark web, malware loaders are often marketed to those seeking help with network intrusion and payload delivery. These loaders are frequently sold through subscription plans, where monthly payments provide access to new capabilities meant to evade detection as well as regular upgrades and support. This subscription-based model has the effect of enabling even non-technical threat actors to launch sophisticated attacks.
Phishing attempts have also been reported to distribute the information stealer known as 0bj3ctivity Stealer via another loader, Ande Loader, as part of a multi-layered distribution mechanism. The malware's use of memory injection techniques and obfuscated, encrypted scripts, together with continual Ande Loader feature enhancements such as string obfuscation and anti-debugging, highlights the need for sophisticated detection methods and ongoing study.
Threat actors are also increasingly weaponizing fake QR codes, and these operations are only the most recent in a series of phishing and social engineering attempts discovered in recent weeks. The targeting of social media users for malicious activity emphasizes how crucial it is to have strong security measures in place to safeguard account credentials and prevent unauthorized access.
Impact
- Credential Theft
- Financial Loss
- Data Exfiltration
- Unauthorized Remote Access
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Regularly update all software and systems to ensure vulnerabilities are patched promptly.
- Implement robust email filtering to block phishing attempts that may deliver initial infection loaders.
- Utilize advanced endpoint detection and response (EDR) tools to identify and block suspicious activities.
- Conduct regular security audits and vulnerability assessments to identify and mitigate potential security gaps.
- Employ least privilege principles, ensuring users and applications have the minimum necessary access rights.
- Enable multi-factor authentication (MFA) to add a layer of security to user accounts.
- Monitor network traffic for unusual activities that could indicate the presence of malware or unauthorized access.
- Educate employees on recognizing phishing emails and safe online practices to reduce the risk of initial infection.
- Establish and test incident response plans to ensure rapid containment and recovery in the event of ransomware.
- Never trust or open links and attachments received from unknown sources/senders.