So I thought I would write a quick article on a typical scam that's been going around forever in various forms. This is where a user gets an email with a call to action saying "this has expired" or "there's a problem with your account", etc., and telling them to call a given number for support. How anybody falls for this these days is beyond me, but this was a friend of a family member, older and not very good with computers, so there is that.
So I get a call: so-and-so fell for this scam, where a scammer got into their computer remotely after the person called the number in the scam email and was directed to download remote support software. So, being the nice guy I am, I said, what's their number, I'll give them a call and check it out.
So I call them up and try to get a little background information on what happened. They couldn't really tell me much, not even the site they were directed to. Goes to show you that in the heat of the moment, many people don't think, they just act, which is exactly what the scammers want you to do. Luckily, they knew enough during the initial remote-control session that something didn't smell right, and turned the computer off. So I told them, don't turn it on or do anything until I get there.
So I arrive and ask some questions, and there wasn't really much they could tell me, so I unplugged the network connection and booted the computer up. I asked them what time and day this happened, and then proceeded to look through their browser history. Around the time they fell for the scam, I found history relating to a site where a remote access program called "Supremo" was downloaded and installed. Apparently, it's software from a company in Italy. You know, the scammers being halfway around the world in most cases, gotta support your local vendors apparently. lol
Now, before I get into more details: normally, if you don't know what you're doing or have zero experience with cyber-related stuff, I would always advise backing up your data and wiping the PC. In this case, since they caught it right away and the computer had a ton of apps and customization, I decided to dig through things and see what I could find before making that determination.
After looking through the typical registry keys where "persistence" is set up, the Run keys (you know, \CurrentVersion\Run, RunOnce, and the Winlogon Shell key), I immediately found a ton of stuff referencing supremo.exe: right in the user's Downloads folder, plus a few other locations, typically AppData or the browser temp/cache directories. Now, these scams typically make the initial connection with one tool and then install other remote tools or malware for "redundancy", in case the user finds or tries to clean/delete the initial tool.
After looking through other areas of the registry, it became apparent that this is exactly what they did: they installed ScreenConnect, a legit tool used in our industry, and based on the logs this was the primary tool they were attempting to use. The registry entries pointed to ScreenConnect services that were set up and running, and things just snowballed from there. Now, to the user's credit, he did try to look through the Programs and Apps list in Windows to find obvious tools that did not belong, yet neither of these tools showed up. Well, you don't think these scammers are that stupid, do ya? :)
So, to make a long story short: I cleaned all the keys, deleted the services, and removed all the referenced directories where the executables and service DLLs resided. Then I ran follow-up malware scans using multiple tools and checked the running processes and what they belonged to. Then came the final test: plug in the network cable, reboot, and monitor processes and connections using Sysinternals tools and commands like netstat to determine if anything was missed. After watching for 20-30 minutes and not seeing the same processes and ports being used to phone home, the system was deemed clean. Just for some added assurance, I loaded our Wazuh agent on the machine to keep tabs on file integrity and suspicious processes and behavior, for good measure.
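If you want to do the same hunt in a repeatable way rather than clicking through regedit, here is a read-only PowerShell triage script that covers the steps above in one pass: the Run/RunOnce and Winlogon Shell/Userinit values, services and scheduled tasks, the Programs and Features uninstall list, and live TCP connections mapped to their owning process. This is an added example written for this article, not a script from the original cleanup, and it only reports; removal stays a manual decision. The indicator list (the two tool names from this story) and the assumption that you run it from an elevated prompt, with the network cable still unplugged, are my own.

```powershell
# Added example: read-only triage for "legit remote tool used by a scammer".
# Run from an elevated PowerShell prompt with the machine OFFLINE. Nothing here
# deletes anything; it only lists autostart locations and connections and flags
# entries matching the indicator strings below.
#
# Assumption: the indicator list is just the two tools named in this article.
# Add whatever the browser history points you at.
$Indicators = @('supremo', 'screenconnect')

function Test-Indicator {
    param([string]$Text)
    foreach ($i in $Indicators) {
        # -match is case-insensitive; escape so the indicator is a literal, not a regex
        if ($Text -and ($Text -match [regex]::Escape($i))) { return $true }
    }
    return $false
}

# 1. Autostart registry values: Run / RunOnce (machine and user) and Winlogon Shell/Userinit.
#    Note: HKCU is the hive of the account running this script. If the victim logs on as
#    a different account, check their hive under HKU:\<SID> as well.
function Get-AutostartEntries {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $item = Get-ItemProperty -Path $p
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }                      # PSPath, PSParentPath, ...
            if ($p -like '*Winlogon' -and $prop.Name -notin 'Shell', 'Userinit') { continue }
            [pscustomobject]@{ Source = 'Registry'; Location = "$p\$($prop.Name)"; Value = [string]$prop.Value }
        }
    }
}

# 2. Services: the binary path is what matters, not the display name the tool chose.
function Get-ServiceEntries {
    Get-CimInstance Win32_Service | ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Location = "$($_.Name) [$($_.State)/$($_.StartMode)]"; Value = [string]$_.PathName }
    }
}

# 3. Scheduled tasks: another common "redundancy" spot for a second remote tool.
function Get-TaskEntries {
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $t = $_
        foreach ($a in $t.Actions) {
            [pscustomobject]@{ Source = 'Task'; Location = "$($t.TaskPath)$($t.TaskName)"; Value = "$($a.Execute) $($a.Arguments)" }
        }
    }
}

# 4. What Programs and Features actually reads: the Uninstall keys.
function Get-InstalledEntries {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue | Where-Object DisplayName | ForEach-Object {
        [pscustomobject]@{ Source = 'Installed'; Location = $_.DisplayName; Value = [string]$_.InstallLocation }
    }
}

# 5. Live TCP connections with the owning process (the "netstat -b" view).
function Get-NetworkEntries {
    Get-NetTCPConnection -State Established, Listen -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Source   = 'Network'
            Location = "$($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) [$($_.State)]"
            Value    = if ($proc) { "$($proc.ProcessName) (PID $($proc.Id)) $($proc.Path)" } else { "PID $($_.OwningProcess)" }
        }
    }
}

$all  = @(Get-AutostartEntries) + @(Get-ServiceEntries) + @(Get-TaskEntries) + @(Get-InstalledEntries) + @(Get-NetworkEntries)
$hits = $all | Where-Object { (Test-Indicator $_.Location) -or (Test-Indicator $_.Value) }

if ($hits) {
    $hits | Format-Table -AutoSize -Wrap
} else {
    'No indicator matches. Review $all by hand anyway; a renamed binary will not match a name list.'
}
```

Run it before you clean (to get the list of keys, services and directories to remove) and again after the reboot with the cable plugged in; the second run should show none of the flagged services or outbound connections. Sysinternals Autoruns covers more autostart locations than this script, so use it alongside rather than instead of.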
Now again, if you do not have experience hunting and tracing these things in the registry and using powerful tools and commands to find and monitor these rogue processes, the ports being used by the app, etc., I highly advise you back up your data, format the machine, and reload the OS. It's not worth it if you miss something. Some takeaways from this typical scam and experience:
Get the best phishing and spam filters available. Something like 90% of all attacks, even these phone scams, start with an email. If the scam email never reaches the inbox, it can't tempt a user to act before realizing it's a scam.
Second, because these scammers are using LEGIT remote access tools in a lot of cases, your antivirus or endpoint protection will not flag them as malicious. Now, this was a home user who had full admin access to the machine. In an enterprise environment, a user not having local admin rights would have helped stop the software from being installed in the first place (it's a hurdle rather than a guarantee, since some of these remote tools will also run as a portable, per-user executable without ever being installed).
Lastly, as most already know, having just endpoint protection alone on the device is not enough. You need an additional extended protection layer, i.e. EDR/XDR, to look at the behavior of processes and the files spawning those processes in the background, and especially to keep track of these persistence run keys. Again, most home user environments do not have this level of protection and monitoring, so these types of users are already at a disadvantage in many ways.
To end, a little common sense goes a long way. I always tell people, home users or business users: never respond to any unsolicited emails or calls, even if they remotely seem legit. The more there is a call to action involving fear if you do not act, the more likely it's a scam. Most legit organizations, banks, Microsoft, you name it, almost never contact a person out of the blue. Notice the word unsolicited: if you contacted them, are working on something, and there is follow-up communication from them, that is a different scenario. Regardless, the utmost care and scrutiny should always be used in this day and age, when cyber crime and scams are at record highs.