Phishing Technique
The cybercriminals sent emails to targets containing a URL that directed them to a phishing page hosted in an Amazon Web Services (AWS) S3 bucket. This hosting choice was likely intended to lend legitimacy: many users inherently trust the Amazon brand, and amazonaws.com URLs are frequently allow-listed or rated benign by URL reputation services, so the lure is less likely to be blocked at the gateway. Figure 2 shows the phishing webpage.
hxxps://odertaoa[.]s3.us-east-1.amazonaws.com/ssa/US/index.html
Once the user clicked on ‘Access The Statement,’ the phishing page redirected to a second page with instructions for downloading the file. After the download, the page displayed further instructions on how to execute the file, as shown in Figure 3.
Malware File Overview
The malware has the following properties:
Filename: US_SocialStatmet_ID544124.exe
MD5: bc219ea52e5d250b689bfb0203eb9e4e
SHA1: 97997862c73cfe301af43c355ffa4b2d8b1e7d7f
SHA256: 1c939551452b2137b2bd727f13fab80da192f174d0311d23fc3c1c531cefdc87
Malware Behavior
The malware is a .NET loader. Upon execution, it loads and runs a .NET application embedded in its resources. The loader executes two main components. The first is a .NET assembly resolver responsible for loading the additional files stored in the ‘FILES’ resource folder; these are the dependencies needed to run the ConnectWise ScreenConnect client. Once the dependencies are loaded, the loader executes the ‘ENTRYPOINT’ file, which functions as the primary backdoor. This component retrieves the command-and-control (C2) address embedded within the loader and launches ScreenConnect to establish a silent connection to the cybercriminal’s relay server. Because ScreenConnect is a legitimate, signed remote-support product, the resulting session looks like ordinary remote-management traffic unless the relay host itself is known to be malicious. Figure 4 shows the resource files embedded within the loader.
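Since the C2 address is stored as an embedded string inside the loader, a useful first triage step is to recover it from the binary before detonating the sample. The script below is an added example, not CyberArmor's tooling or code from the sample: it scans a byte blob for both ASCII and UTF-16LE strings (the encoding .NET uses for managed strings, so a plain ASCII strings run would miss the address), extracts host:port candidates, and checks them against the relay listed in the Indicators of Compromise. The SAMPLE_LOADER bytes are constructed for illustration and do not reproduce the real sample's resource layout.

```python
"""Triage helper: recover host:port C2 candidates from a .NET loader blob."""
from __future__ import annotations

import re

MIN_LEN = 6

# Managed (.NET) strings are UTF-16LE, so scan both encodings.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# host:port, e.g. secure.example.com:8041 (searched inside each string,
# so it is found even when embedded in a longer configuration string).
HOST_PORT_RE = re.compile(
    r"\b((?:[a-z0-9-]+\.)+[a-z]{2,}):(\d{2,5})\b", re.IGNORECASE
)

# C2 relay from the IoC list on this page.
KNOWN_C2 = {("secure.ratoscbom.com", 8041)}

# Constructed stand-in for the loader: a DOS stub, the C2 stored as a
# UTF-16LE managed string, and a couple of resource/assembly names.
SAMPLE_LOADER = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00" * 8
    + "secure.ratoscbom.com:8041".encode("utf-16-le")
    + b"\x00\x00"
    + b"ENTRYPOINT\x00FILES\x00\x00"
    + "ScreenConnect.Client.dll".encode("utf-16-le")
    + b"\x00" * 6
)


def extract_strings(blob: bytes) -> list[str]:
    """Return printable ASCII and UTF-16LE strings of at least MIN_LEN chars."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(blob)]
    return found


def find_c2_candidates(blob: bytes) -> list[tuple[str, int]]:
    """Extract unique (host, port) pairs from every recovered string."""
    seen: list[tuple[str, int]] = []
    for s in extract_strings(blob):
        for host, port in HOST_PORT_RE.findall(s):
            pair = (host.lower(), int(port))
            if 0 < pair[1] < 65536 and pair not in seen:
                seen.append(pair)
    return seen


def match_known_c2(candidates, known=KNOWN_C2) -> list[tuple[str, int]]:
    """Return the candidates that match a known-bad relay."""
    return [c for c in candidates if c in known]


if __name__ == "__main__":
    # Swap SAMPLE_LOADER for open(path, "rb").read() on a real file.
    cands = find_c2_candidates(SAMPLE_LOADER)
    print("candidates:", cands)
    print("known C2 hits:", match_known_c2(cands))
```

Any hit on a known relay is grounds to block the host at the egress proxy; candidates that are not on the list should be treated as new IoCs for this campaign only after confirming the string is actually used as a ScreenConnect relay (for example by observing the outbound connection in a sandbox), since a binary can contain unrelated host:port strings.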
The configuration below represents the C2 settings embedded within the loader file.
Scope of Impact
CyberArmor’s telemetry confirms that over 2,000 users interacted with the phishing lure, and a significant percentage installed the malware unknowingly.
Recommendations
Indicators of Compromise
SHA256: 1c939551452b2137b2bd727f13fab80da192f174d0311d23fc3c1c531cefdc87
Domain: secure.ratoscbom.com:8041
URL: hxxps://odertaoa[.]s3.us-east-1.amazonaws.com/ssa/US/index.html
CyberArmor continues to monitor this campaign and related infrastructure. Organizations are advised to alert their users, especially those in finance and healthcare sectors, to remain vigilant.

