
Ongoing Social Engineering Campaign Refreshes Payloads

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

Rapid7 observed a shift in the tools used by threat actors in an ongoing social engineering campaign. The initial lure is an email bombing followed by phone calls to the affected users offering fake solutions. Once connected remotely, the threat actors deploy payloads for credential harvesting, establishing command and control, and lateral movement. Notable changes include the use of AntiSpam.exe for credential harvesting and various executables and PowerShell scripts serving as droppers, beacons, and SOCKS proxies. The campaign also attempts to exploit CVE-2022-26923 for privilege escalation.

OPENCTI LABELS:

phishing, social_engineering, remote_access, update7.exe, credential_access, update4.exe, update8.exe, update6.exe, update7.ps1, update3.exe, update2.dll, update5.dll, lateral_movement, update1.exe, antispam.exe, cve-2022-26923
