Beware: Social Security email can hide dangerous malware
- Cofense Security Researchers Discover Multiple Phishing Emails Impersonating U.S. Social Security Administration
- The goal was to deploy the ConnectWise Remote Access Trojan
- Email frequency increased in the days leading up to the 2024 US presidential election
Cybercriminals are impersonating the US Social Security Administration in an attempt to install a Remote Access Trojan (RAT) malware on people’s devices, experts warn.
Cybersecurity researchers at Cofense observed a phishing campaign that slowly took off in the days and weeks leading up to the 2024 U.S. presidential election.
The aim of the campaign was to distribute the ConnectWise RAT, a malicious repurposing of the otherwise legitimate remote support software ConnectWise Control (formerly ScreenConnect).
ConnectWise RAT
In depth analysis
Cofense said it had observed multiple variations of the same phishing campaign, in which the crooks would spoof Social Security records and claim to provide an updated benefits statement. Usually the false statement came in the form of a mismatched link (a link that doesn’t lead where it says it will lead). Sometimes the threat actors tried to hide the link behind a “View Statement” button.
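The "mismatched link" lure described above can be checked for mechanically. The following is an added example (not Cofense's tooling or anything from the original article) that parses the anchors in an HTML email body and flags two patterns: visible link text that names one host while the href points to another, and call-to-action links such as a "View Statement" button that leave the domain the email claims to come from. The sample email body and the `ssa.gov` sender domain are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_host(url):
    """Crude host extraction: lower-cases the host and keeps its last two labels."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


def find_suspicious_links(html, sender_domain):
    """Return (href, text, reason) for links that do not go where they claim."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = registrable_host(href)
        # Rule 1: text looks like a URL but names a different host than the href.
        if re.search(r"https?://|www\.|\.[a-z]{2,}\b", text, re.I) and registrable_host(text) != real:
            findings.append((href, text, "mismatched link"))
        # Rule 2: any other link (e.g. a button) that leaves the claimed sender's domain.
        elif real != sender_domain:
            findings.append((href, text, "link leaves claimed sender domain"))
    return findings


# Constructed sample resembling the lure: a spoofed URL, a button, and one honest link.
SAMPLE_EMAIL = """
<p>Your updated benefits statement is ready.</p>
<a href="https://statement-download.example.net/ssa">https://www.ssa.gov/myaccount</a>
<a href="https://files.example.org/view">View Statement</a>
<a href="https://www.ssa.gov/help">ssa.gov/help</a>
"""
```

Running `find_suspicious_links(SAMPLE_EMAIL, "ssa.gov")` flags the first two anchors and leaves the honest `ssa.gov/help` link alone; the host comparison is deliberately simple and would need a public-suffix list for production use.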
The campaign most likely began in or around mid-September 2024, when Cofense first observed it. The second sample arrived a month later, after which the frequency gradually increased until mid-November.
“While additional emails were received in late November, this campaign reached peak volume on November 11 and 12, a week after Election Day,” Cofense concluded.
ConnectWise Control is a legitimate remote desktop and support tool, but in this scenario it is used to gain unauthorized access to victims’ devices. Cybercriminals abuse its legitimate capabilities by installing it covertly, often in combination with malware or phishing. Once it is installed, threat actors can remotely control systems, steal sensitive data, deploy additional malware, and monitor the victim’s computer activity.
Legitimate software is frequently abused for malicious purposes because endpoint security and malware removal tools often fail to recognize it as a threat.