Persistent Social Engineering Campaign Floods Inboxes, Tricking Users with Phony Support Calls

An extensive social engineering campaign that combines overwhelming spam emails with deceptive phone calls to target users has been identified, with ties to the Black Basta ransomware group. Uncovered by Rapid7 researchers, this campaign is designed to deceive and confuse users. It begins with the mass distribution of spam emails, which often bypass email protection systems due to their volume and apparent legitimacy. These emails, while not malicious in themselves, serve as a precursor to the next stage of the attack. "With the emails sent, and the impacted users struggling to handle the volume of the spam, the threat actor then began to cycle through calling impacted users posing as a member of their organization’s IT team reaching out to offer support for their email issues," the researchers report. Impacted users receive phone calls from individuals posing as IT support team members, who then persuade them to grant remote access to their computers through legitimate tools like AnyDesk or Microsoft's Quick Assist. This method allows the attackers to move quickly from one target to the next if initial attempts fail, showcasing their persistent and adaptive nature in seeking vulnerable entry points into networks.

Once remote access is achieved, the attackers execute a series of batch scripts, masquerading these actions as routine updates to avoid raising suspicion. These scripts first ensure connectivity to a command and control (C2) server before downloading a zip file containing a legitimate copy of OpenSSH, renamed to appear innocuous, alongside various dependencies and configuration files. This setup allows the attackers to establish a secure connection to their infrastructure using SSH, initiated through PowerShell. The scripts also modify Windows registry run keys to ensure persistence, pointing to additional scripts that maintain a reverse shell connection to the C2 server. Rapid7 observed variations in these scripts, with some using additional remote management tools like NetSupport and ScreenConnect to further entrench the attackers within the compromised systems.

The credential harvesting process exploits the guise of an update, luring users to willingly submit their credentials when prompted. Attackers use PowerShell to extract these credentials, which are then exfiltrated using the Secure Copy (SCP) command directly to the attackers' server. In other instances, credentials are stored locally in an archive for later retrieval. This phase highlights the attackers' focus on maintaining access and gathering as much sensitive information as possible from their victims.

In more severe cases, the attackers' post-compromise activities expand to attempts to move laterally within the network using tools like SMB, Impacket, and Cobalt Strike. However, Rapid7 observed instances where the deployment of Cobalt Strike was unsuccessful. Rapid7 reports, "the indicators of compromise found via forensic analysis conducted by Rapid7 are consistent with the Black Basta ransomware group based on internal and open-source intelligence." By detailing these incidents, the tools used, and the sequence of the attack, the intelligence provided by Rapid7 aids defenders in identifying applicable detections to monitor and deploy in their environments to safeguard against active threats.