Rapid7 said it also detected attempts by the ransomware crew to leverage the OpenSSH client to establish a reverse shell, as well as to send a malicious QR code to the victim user via the chats, likely to steal their credentials under the pretext of adding a trusted mobile device.
Users within the target environment will be email bombed by the threat actor, which is often achieved by signing up the user's email to numerous mailing lists simultaneously, Rapid7 said. After the email bomb, the threat actor will reach out to the impacted users.
In some instances, they have also been observed impersonating IT staff members within the targeted organization, making initial contact with prospective targets on Microsoft Teams while posing as the organization's support personnel or IT staff.
The remote access facilitated by the installation of AnyDesk (or its equivalent) is then used to deliver additional payloads to the compromised host, including a custom credential harvesting program followed by the execution of Zbot (aka ZLoader) or DarkGate.
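The email-bombing stage described above leaves a distinctive footprint in mail-gateway logs: one mailbox suddenly receiving many messages from many unrelated sending domains in a short window. The detector below is an added example (not Rapid7's tooling) and assumes a simplified gateway log format of "timestamp recipient sender" per line; the log lines and thresholds are constructed for illustration.

```python
"""Flag mailboxes that look email-bombed: many inbound messages from many
distinct sender domains inside a short sliding window."""
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_log():
    """Constructed sample log: '<ISO timestamp> <recipient> <sender>'."""
    base = datetime(2024, 11, 20, 9, 0, 0)  # constructed date/time
    lines = []
    # alice: 25 list-subscription confirmations from 25 lists in under 5 min
    for i in range(25):
        ts = (base + timedelta(seconds=12 * i)).isoformat()
        lines.append(f"{ts} alice@corp.example confirm@list-{i:02d}.example")
    # bob: normal traffic, 5 messages over an hour from two vendor senders
    for i in range(5):
        ts = (base + timedelta(minutes=12 * i)).isoformat()
        lines.append(f"{ts} bob@corp.example partner{i % 2}@vendor.example")
    return "\n".join(lines)


def parse(log_text):
    """Return (timestamp, recipient, sender) tuples from the gateway log."""
    events = []
    for line in log_text.strip().splitlines():
        ts, rcpt, sender = line.split()
        events.append((datetime.fromisoformat(ts), rcpt, sender))
    return events


def detect_email_bomb(log_text, window=timedelta(minutes=10),
                      min_msgs=20, min_domains=10):
    """Map each flagged recipient to the peak message count seen in any
    window that also spans at least min_domains distinct sender domains."""
    by_rcpt = defaultdict(list)
    for ts, rcpt, sender in parse(log_text):
        by_rcpt[rcpt].append((ts, sender))
    flagged = {}
    for rcpt, evs in by_rcpt.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits within `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            domains = {s.split("@", 1)[1] for _, s in in_window}
            if len(in_window) >= min_msgs and len(domains) >= min_domains:
                flagged[rcpt] = max(flagged.get(rcpt, 0), len(in_window))
    return flagged


if __name__ == "__main__":
    print(detect_email_bomb(constructed_log()))
```

A hit on a mailbox, followed shortly by an unsolicited external Teams contact or a help-desk-style call to that same user, is the sequence worth alerting on.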