
""In this case, a customized SimpleHelp and ScreenConnect RMMs are used to bypass defenses as they are legitimately installed by the unsuspecting victim.""
""The deployment of both SimpleHelp and ScreenConnect indicates an attempt to create a 'redundant dual-channel access architecture' that enables continued operations even when either of them is detected and blocked.""
""The 'SSA statement' is then downloaded from a second attacker-controlled domain, an executable that's responsible for delivering the SimpleHelp RMM tool.""
The phishing campaign, codenamed VENOMOUS#HELPER, has affected more than 80 organizations, primarily in the U.S. It relies on legitimate Remote Monitoring and Management (RMM) software to maintain remote access. The campaign begins with a phishing email impersonating the U.S. Social Security Administration that leads victims to download a malicious executable posing as an "SSA statement". This executable installs the SimpleHelp RMM tool, which evades defenses because the victim installs it as a legitimate application. The deployment of both SimpleHelp and ScreenConnect RMMs suggests a strategy for redundant access, so operations can continue even if one channel is detected and blocked.
Read at The Hacker News