The Social Security Administration-spoofing campaign distributing the ConnectWise RAT has evolved: attackers now employ advanced email spoofing, evasion tactics, and credential phishing to compromise victims.
The campaign, which intensified before the 2024 US election, continues to pose a significant threat, exploiting the political climate for malicious purposes. The email contains a deceptive hyperlink, often disguised as a “View Statement” button, that downloads a ConnectWise Remote Access Trojan (RAT) installer.
The attack utilizes various infrastructure methods, including ConnectWise servers, dynamic DNS, and threat actor-controlled domains, to establish command-and-control channels.
Researchers detected a Social Security Administration phishing campaign in September 2024. Initially sporadic, it escalated significantly in mid-November, peaking a week after the US election, suggesting potential exploitation of heightened public interest or anxiety surrounding the election.
Early email campaigns employed rudimentary and unsophisticated techniques. However, continuous refinement has led to the development of increasingly deceptive tactics, enhancing their ability to evade detection and manipulate recipients.
Threat actors leverage brand spoofing by embedding legitimate-looking brand assets, such as the Social Security Administration logo, in emails that often contain mismatched links designed to mimic official government websites, deceiving recipients into clicking malicious links and potentially compromising their systems.
According to Cofense, the campaign uses browser cookies to keep track of previous visits: on a recipient's first click, the embedded link redirects to a ConnectWise RAT payload.
Subsequent attempts by the same user lead to a legitimate Social Security Administration website, so a repeat visit sees only the benign site, potentially evading detection and increasing the likelihood of successful exploitation.
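Two of the behaviours described above are straightforward to check for during email triage: anchors whose visible text or call-to-action implies ssa.gov while the href points elsewhere (the mismatched-link spoofing), and the cookie-gated "first visit gets the payload, later visits get the real site" redirect. The script below is an added example written for this article; it is not Cofense's tooling or code from the campaign. Every domain, file name and content type in it is constructed for illustration (the `.invalid` TLD is reserved and never resolves), and the "fetch" records are hand-built stand-ins for what a sandbox would record on two visits to the same lure URL, since the real infrastructure is not reproduced here.

```python
"""Triage helpers for SSA-themed phishing emails.

Added example, not part of the original report. All domains, file names
and fetch records are constructed; nothing here contacts the network.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse

# Registrable domain the lure claims to belong to (constructed allowlist).
TRUSTED_DOMAINS = {"ssa.gov"}
# MIME types a sandbox would report for a dropped installer (example set).
PAYLOAD_TYPES = {"application/x-msdownload", "application/octet-stream", "application/x-msi"}


def registrable(host: str) -> str:
    """Crude last-two-labels reducer; a real tool would use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of(url: str) -> str:
    return registrable(urlparse(url).hostname or "")


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, " ".join(self._text).strip()))
            self._href = None


def find_suspicious_links(html: str) -> list:
    """Flag anchors whose text claims ssa.gov but whose href leaves the trusted
    domains, and 'View Statement'-style buttons that point off-domain."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if not href:
            continue
        lowered = text.lower()
        looks_official = "ssa.gov" in lowered or "social security" in lowered
        is_cta = "statement" in lowered
        if domain_of(href) not in TRUSTED_DOMAINS and (looks_official or is_cta):
            reason = "mismatched link" if looks_official else "call-to-action off-domain"
            findings.append({"text": text, "href": href, "reason": reason})
    return findings


@dataclass
class Fetch:
    """One observed visit to the lure URL (constructed sandbox record)."""
    fresh_cookies: bool   # True: empty cookie jar; False: jar reused from the first visit
    final_url: str        # URL reached after following redirects
    content_type: str     # Content-Type of the final response


def classify_revisit(first: Fetch, second: Fetch) -> str:
    """Detect cookie-gated delivery: a first, cookie-less visit yields an installer
    while a cookie-carrying revisit lands on the legitimate site."""
    first_payload = first.content_type in PAYLOAD_TYPES
    second_legit = domain_of(second.final_url) in TRUSTED_DOMAINS
    if first.fresh_cookies and not second.fresh_cookies and first_payload and second_legit:
        return "cookie-gated payload delivery"
    if first_payload or second.content_type in PAYLOAD_TYPES:
        return "payload served"
    return "no payload observed"


# Constructed lure body: spoofed logo, look-alike link text, off-domain button, one real link.
SAMPLE_EMAIL = """<html><body>
<img src="https://cdn.example-lure.invalid/ssa-logo.png" alt="Social Security Administration">
<p>Your new statement is ready at <a href="https://ssa.gov.example-lure.invalid/stmt">https://www.ssa.gov/myaccount</a>.</p>
<p><a href="https://download.example-lure.invalid/Statement.exe">View Statement</a></p>
<p><a href="https://www.ssa.gov/privacy">Privacy policy</a></p>
</body></html>"""

if __name__ == "__main__":
    for f in find_suspicious_links(SAMPLE_EMAIL):
        print(f"{f['reason']:>26}: '{f['text']}' -> {f['href']}")
    first = Fetch(True, "https://download.example-lure.invalid/Statement.exe", "application/x-msdownload")
    second = Fetch(False, "https://www.ssa.gov/", "text/html")
    print(classify_revisit(first, second))
```

The two visits fed to `classify_revisit` must be made in that order and with the cookie jar carried over, because the distinguishing signal is precisely that the second, cookie-bearing request behaves differently; a sandbox that always starts from a clean profile will only ever see the payload, and one that reuses a warm profile will only ever see ssa.gov.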
Credential phishing forms solicit sensitive personal information from unsuspecting individuals, including full names, contact details, social security numbers, dates of birth, financial account details, and security codes, with the aim of compromising their online identities and financial security.
Threat actors also request details such as the mother's maiden name and phone carrier PINs, which are often used as security-question answers or for MFA bypass, to facilitate account takeovers, enabling them to gain unauthorized access to online accounts and potentially commit identity fraud.