EXECUTIVE SUMMARY:
A phishing campaign has been identified that leverages the guise of official Social Security Administration (SSA) communications to deceive victims. Over 2,000 individuals were targeted through a convincing email lure that mimicked legitimate SSA correspondence. Recipients were directed to a phishing site crafted to resemble an official government portal, increasing the likelihood of user interaction. The objective of the campaign was to trick users into downloading and executing a malicious file under the pretense of accessing their Social Security statement.
The phishing webpage prompted users to click on an ‘Access The Statement’ button, which redirected them to a follow-up page with instructions to download a malicious file. This malware is a .NET application loader that, once executed, extracts and runs a .NET application embedded within its resources. The loader performs two main tasks: first, it runs a .NET resolver that loads several auxiliary files located in a ‘FILES’ folder, required for launching ScreenConnect software. After loading these dependencies, the loader executes the ‘ENTRYPOINT’ backdoor component. This backdoor contains an embedded command-and-control (C2) address and silently establishes a remote connection to the attacker’s server via ScreenConnect, enabling ongoing unauthorized access.
This campaign demonstrates the ongoing trend of using highly credible phishing themes combined with trusted hosting platforms to deploy malware loaders. The use of .NET loaders embedding remote access tools such as ScreenConnect highlights the attackers’ capability to maintain persistent and stealthy access to victim systems. Organizations and individuals should remain vigilant against phishing attempts disguised as official government communications and implement robust defenses to detect and block such threats.
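The loader behaviour described above (a user-downloaded .NET executable that pulls ScreenConnect dependencies from a ‘FILES’ folder and then opens a ScreenConnect session to an embedded C2 address) suggests a simple host-based detection: flag processes running from user-writable locations that load ScreenConnect assemblies from outside the product's normal install directory and then make an outbound connection. The Python below is an added example written for this summary, not tooling from the report. It assumes that process-creation telemetry can be reduced to an image path, parent, loaded-module list and network destination, that the ‘FILES’ folder sits beside the loader executable, and that a legitimate ScreenConnect client lives under Program Files; all event data is constructed.

```python
"""Heuristic triage of process events for the ScreenConnect-loader pattern.

Added example; the events, paths and addresses below are constructed and
are not indicators from the campaign.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Path fragments treated as user-writable (assumption: typical drop locations).
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\")

# Assumption: a legitimately installed ScreenConnect client lives under
# one of these roots; anything else loading ScreenConnect.* is suspicious.
LEGIT_SCREENCONNECT_ROOTS = (
    "c:\\program files (x86)\\screenconnect client",
    "c:\\program files\\screenconnect client",
)


def norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive prefix comparisons."""
    return path.replace("/", "\\").lower()


def is_user_writable(path: str) -> bool:
    return any(marker in norm(path) for marker in USER_WRITABLE_MARKERS)


def is_screenconnect_module(path: str) -> bool:
    """True for ScreenConnect.*.dll / .exe modules, judged by file name."""
    return norm(path).rsplit("\\", 1)[-1].startswith("screenconnect.")


def under_legit_install(path: str) -> bool:
    return any(norm(path).startswith(root) for root in LEGIT_SCREENCONNECT_ROOTS)


@dataclass
class ProcessEvent:
    image: str
    parent_image: str
    loaded_modules: list[str] = field(default_factory=list)
    network_dest: Optional[str] = None  # "host:port" or None


def analyze(ev: ProcessEvent) -> list[str]:
    """Return the detection names that fire for one process event."""
    findings: list[str] = []
    image = norm(ev.image)
    image_dir = image.rsplit("\\", 1)[0]
    # Assumption: the loader's auxiliary 'FILES' folder sits next to the EXE.
    files_dir = image_dir + "\\files\\"

    sideloaded = [m for m in ev.loaded_modules if norm(m).startswith(files_dir)]
    rogue_sc = [
        m for m in ev.loaded_modules
        if is_screenconnect_module(m) and not under_legit_install(m)
    ]

    if is_user_writable(image) and sideloaded:
        findings.append("loader_sideloads_from_files_dir")
    if rogue_sc:
        findings.append("screenconnect_outside_install_path")
    if rogue_sc and ev.network_dest:
        # ScreenConnect assemblies loaded from a rogue location plus an
        # outbound connection matches the remote-access backdoor stage.
        findings.append("possible_screenconnect_c2")
    return findings


# Constructed sample telemetry: one legitimate client, one loader, one browser.
SAMPLE_EVENTS: dict[str, ProcessEvent] = {
    "legit_service": ProcessEvent(
        image=r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
        parent_image=r"C:\Windows\System32\services.exe",
        loaded_modules=[r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.Client.dll"],
        network_dest="relay.msp.invalid:8041",
    ),
    "loader": ProcessEvent(
        image=r"C:\Users\alice\Downloads\SSA_Statement.exe",
        parent_image=r"C:\Windows\explorer.exe",
        loaded_modules=[
            r"C:\Users\alice\Downloads\FILES\ScreenConnect.Client.dll",
            r"C:\Users\alice\Downloads\FILES\ENTRYPOINT.dll",
        ],
        network_dest="198.51.100.23:8041",
    ),
    "browser": ProcessEvent(
        image=r"C:\Program Files\Mozilla Firefox\firefox.exe",
        parent_image=r"C:\Windows\explorer.exe",
        loaded_modules=[r"C:\Program Files\Mozilla Firefox\xul.dll"],
        network_dest="203.0.113.5:443",
    ),
}


def triage_all(events: dict[str, ProcessEvent] = SAMPLE_EVENTS) -> dict[str, list[str]]:
    """Run every event through analyze() and keep only those with findings."""
    return {name: hits for name, ev in events.items() if (hits := analyze(ev))}


if __name__ == "__main__":
    for name, hits in triage_all().items():
        print(f"{name}: {', '.join(hits)}")
```

Only the constructed loader event produces findings; the genuine ScreenConnect service and the browser are silent. In production the module list would come from image-load telemetry and the install roots would be taken from the organisation's own software inventory rather than hard-coded.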
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1204.002 | User Execution | Malicious File |
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Discovery | T1082 | System Information Discovery | - |
| Collection | T1113 | Screen Capture | - |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
REFERENCES:
The following reports contain further technical details: