CyberArmor analysts has brought to light a weaponized phishing campaign that leveraged the appearance of official Social Security Administration (SSA) communication to deceive over 2,000 individuals into downloading malware.
The campaign’s success hinged on a highly convincing social engineering strategy, which integrated both a well-crafted email lure and a phishing website hosted on Amazon Web Services (AWS), a choice likely intended to exploit users’ inherent trust in Amazon’s infrastructure.
The attack began with emails inviting recipients to review their Social Security statements via a web link.
The provided URL pointed to an AWS S3 bucket mimicking the look and feel of the genuine SSA portal.
Upon clicking “Access The Statement,” victims were redirected to a secondary page, which presented download instructions for a malicious executable file under the guise of an official document.
Further on-page directions coached users through the process of executing the file, maximizing infection rates among unsuspecting targets.
Technical Analysis Reveals Multi-Stage Loader
In-depth analysis of the malware, named US_SocialStatmet_ID544124.exe, revealed a sophisticated .NET application loader bundled with several embedded resources.
The loader’s primary function is to extract and run a secondary .NET “resolver” component, responsible for assembling additional dependencies from a bundled ‘FILES’ folder.
This stage prepares the environment to execute a legitimate remote administration tool, ScreenConnect, via a designated ‘ENTRYPOINT’ module.
Crucially, the loader initiates a covert connection to a hardcoded command-and-control (C2) server, secure.ratoscbom.com on port 8041, by launching the ScreenConnect client with custom parameters supplied in its embedded configuration.
This surreptitious connection effectively hands remote access of the infected endpoint to the malicious operator, enabling a wide array of post-compromise activities ranging from data exfiltration to persistent surveillance.
CyberArmor’s telemetry confirms that out of the thousands who interacted with the phishing lure, a significant proportion executed the payload and thus unknowingly compromised their devices.
Such widespread success in a single campaign underscores the ongoing threat posed by socially engineered attacks that convincingly emulate government correspondence.
Industry Impact
The impact of this campaign has been especially acute in sectors where trust in government communication is high, such as finance and healthcare.
Organizations are urged to reinforce security awareness among staff and stakeholders, emphasizing best practices such as verifying all Social Security-related communications directly through the official ssa.gov portal and never downloading attachments or files from unsolicited emails.
To further safeguard against future incidents, CyberArmor recommends the deployment of advanced endpoint protection with real-time detection of unauthorized remote desktop software, as well as proactive monitoring of network traffic for anomalous ScreenConnect connections to unknown or suspicious IP addresses.
Regular user training on identifying phishing attempts, particularly those that mimic government or regulatory bodies, remains a critical component of a robust security posture.
CyberArmor continues to monitor the infrastructure underpinning this campaign and advises organizations to alert users, especially those in high-risk verticals, to remain vigilant against evolving phishing threats.
Indicators of Compromise (IOC)
| Type | Value |
|---|---|
| SHA256 | 1c939551452b2137b2bd727f13fab80da192f174d0311d23fc3c1c531cefdc87 |
| Domain | secure.ratoscbom.com:8041 |
| URL | https://odertaoa[.]s3.us-east-1.amazonaws.com/ssa/US/index.html |
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant updates
