Spam Emails Trick Companies Into Installing Malware
June 6, 2024
The Hacker News reports on a social engineering campaign that inundates companies with spam emails. The impacted users receive follow-up phone calls from threat actors who masquerade as the company’s IT team and trick them into installing software under the pretense of resolving the spam emails.
No ransom threats have been issued so far, according to the cybersecurity team that discovered the scam. The goal appears to be follow-on exploitation.
The phony IT person prompts impacted users to download remote monitoring and management software, i.e. AnyDesk, or to use Microsoft’s Quick Assist feature. Either choice establishes a remote connection. A remote access trojan called NetSupport RAT has also been deployed. NetSupport RAT has been used as part of a “malvertising campaign” (the use of online advertising to spread malware).
The campaign began in late April 2024. Millions of spam emails have been sent. They are usually sign-up confirmation messages from legitimate newsletters, and they fool email protection solutions.
The cybersecurity firm that discovered the campaign observed an unsuccessful attempt to deploy Cobalt Strike beacons to assets within the compromised network. That strategy overlaps with previously identified attack indicators associated with the Black Basta ransomware gang.
The U.S.-based cybersecurity firm Proofpoint recently revealed details of another email scam. This one is a ransomware campaign by the LockBit Black gang that delivers the payload using the Phorpiex botnet as a conduit.
“The LockBit Black builder has provided threat actors with access to proprietary and sophisticated ransomware,” Proofpoint researchers said. “The combination of this with the longstanding Phorpiex botnet amplifies the scale of such threat campaigns and increases chances of successful ransomware attacks.”