EXECUTIVE SUMMARY
The Quarry campaign is operated by a single developer known as RockyBelling, who offers a Phishing-as-a-Service toolkit to nearly two hundred affiliates. The service distributes spoofed communications that impersonate the Internal Revenue Service, the Social Security Administration, and popular SaaS platforms such as DocuSign and Adobe.
Primary victims reside in the United States, though activity has been observed across multiple countries. Affiliates use the kit to harvest credentials and tax-related documents, with the ultimate objective of data theft and potential resale to ransomware groups.
The infection chain begins with bulk‐mail campaigns that embed a malicious link or a VBS attachment designed to bypass User Account Control. Recipients who follow the lure are redirected through a cloaking service that filters out automated scanners before a Windows MSI installer—packaged as a legitimate remote‐management tool—is delivered. Once executed, the installer registers a remote‐administration panel that provides persistent remote access, enabling the operator to run scripts for credential harvesting, browser‐history extraction, and W‐2 file discovery. Exfiltrated data is funneled to a Telegram bot controlled by the affiliate.
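Two links of the chain described above are visible in endpoint telemetry: a script host handing off to msiexec.exe (the VBS attachment delivering the MSI), and a script interpreter later contacting the Telegram Bot API (the exfiltration step). The following detection sketch is an added example, not code from the report or from either referenced vendor; the events are constructed in Sysmon style, and the rule names, the `SAMPLE_EVENTS` list and the assumed field set are mine.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (not real telemetry). EventID 1 = process
# creation, EventID 3 = network connection; field names follow Sysmon.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 412, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\Downloads\W2_2024.vbs"'},
    {"EventID": 1, "ProcessId": 520, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\u\AppData\Local\Temp\rmm.msi /qn"},
    {"EventID": 1, "ProcessId": 733, "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -File collect.ps1"},
    {"EventID": 3, "ProcessId": 733, "DestinationPort": 443,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "api.telegram.org"},
    # Benign control: the desktop client talking to the same API is expected.
    {"EventID": 3, "ProcessId": 900, "DestinationPort": 443,
     "Image": r"C:\Program Files\Telegram Desktop\Telegram.exe",
     "DestinationHostname": "api.telegram.org"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe"} | SCRIPT_HOSTS
TELEGRAM_API = "api.telegram.org"


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Return (rule_name, ProcessId) pairs for events matching either rule."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1 and basename(ev["ParentImage"]) in SCRIPT_HOSTS \
                and basename(ev["Image"]) == "msiexec.exe":
            # A VBS attachment handing off to msiexec is the delivery step.
            findings.append(("script_host_spawns_msiexec", ev["ProcessId"]))
        elif ev["EventID"] == 3 and ev["DestinationHostname"].lower() == TELEGRAM_API \
                and basename(ev["Image"]) in INTERPRETERS:
            # A script interpreter talking to the Bot API is the exfil step.
            findings.append(("interpreter_contacts_telegram_api", ev["ProcessId"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Tuning note: an organisation that legitimately uses the Bot API from scripts will need an allow-list on the second rule, and the first rule should be paired with the RMM product's own installer signature to cut noise from software deployment tooling.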
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Resource Development | T1583.001 | Acquire Infrastructure | Domains |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion | System Checks |
| Command and Control | T1102 | Web Service | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/hackers-abuse-legitimate-rmm-tools/
https://socradar.io/blog/the-quarry-phaas-irs-ssa-phishing/