Hacker Exploit Social Security Statement Theme to Target Over 2,000 Victims with Malware
A phishing campaign has targeted over 2,000 individuals by exploiting the theme of official Social Security statements. The lure mimics legitimate communication from the Social Security Administration and carries a URL to a phishing page hosted on Amazon Web Services, which lends the page apparent legitimacy and a reputable hosting origin. Victims are tricked into downloading and executing a .NET application loader that installs ScreenConnect, a legitimate remote access tool, and silently connects it to the attacker's command-and-control server. The loader also retrieves additional files and executes a primary backdoor component. The campaign's impact is significant: a large share of the targeted users unknowingly installed the malware.
AI Analysis
Technical Summary
This threat describes a phishing campaign targeting over 2,000 individuals with the theme of official Social Security statements. The attackers crafted emails that mimic legitimate Social Security Administration communications, increasing the likelihood that recipients trust and act on them. The lure directs victims to a phishing page hosted on Amazon Web Services (AWS); because AWS hosts a vast amount of legitimate content, the hosting origin raises little suspicion and cannot be blocked wholesale, so defenders must block the specific URL or domain rather than the provider. The page tricks users into downloading and executing a .NET application loader. The loader installs ScreenConnect, a legitimate and digitally signed remote access tool, and the attackers abuse it to establish a silent, persistent connection to their command-and-control (C2) server; because the ScreenConnect client installs itself as a Windows service, the attacker's access survives reboots without any additional persistence mechanism. The loader also retrieves additional malicious files and executes a primary backdoor component, giving the attackers remote access, command execution and a foothold from which to move laterally within the compromised network. Mapped to MITRE ATT&CK, the campaign uses phishing (T1566), obfuscated files or information (T1027), PowerShell (T1059.001), ingress tool transfer (T1105) and remote access software (T1219). The use of a legitimate remote access tool complicates detection and response: the binary is signed, is commonly permitted by antivirus and application control, and may already be present in environments that use ScreenConnect for support, so the reliable signal is not the binary itself but which ScreenConnect instance the client is configured to connect to and which process installed it. The impact is significant given the number of victims and the stealth of the tooling; a compromise can lead to data exfiltration, espionage or further malware deployment. No CVEs or affected software versions are identified (the campaign relies on social engineering, not an exploited vulnerability), and no threat actor is attributed at this time.
Potential Impact
For European organizations, the risk is primarily social engineering: employees or individuals receive phishing emails referencing social security or similar government benefits. Although the Social Security Administration is a U.S. entity, the same lure is easily adapted to local social welfare, pension or tax authorities, and European users may be targeted with such variants. A successful compromise gives the attacker unauthorized remote access via ScreenConnect, from which they can steal sensitive data, deploy ransomware or conduct espionage. AWS-hosted phishing infrastructure may pass URL reputation and network controls that trust the provider, increasing the infection rate, and the .NET loader and backdoor are built to evade endpoint detection, potentially allowing a prolonged attacker presence. The result is a threat to the confidentiality, integrity and availability of organizational data and systems. The campaign's scale and its use of a legitimate remote access tool raise the risk of widespread compromise if the emails are distributed broadly within European organizations, and it underlines the continuing need for user awareness and endpoint security measures.
Mitigation Recommendations
1. Implement advanced email filtering that can detect and block phishing emails, especially those impersonating government agencies or linking to cloud-hosted phishing pages; this campaign's pages sit on AWS, so filters must judge the URL itself, not the hosting provider.
2. Use domain and URL reputation services to identify and block the listed domain 'secure.ratoscbom.com' and other known phishing infrastructure, and add the page's file hashes to endpoint and proxy blocklists.
3. Enforce application allowlisting and endpoint protection so that unauthorized .NET loaders and suspicious binaries launched from user-writable paths (Downloads, Temp) cannot run; if ScreenConnect is not used for support in your environment, block the ScreenConnect client entirely.
4. Monitor for unusual use of legitimate remote access tools such as ScreenConnect: unexpected installations, clients whose configured relay host (the h= parameter in the client's command line) is not your organization's own instance, installations spawned by a user-launched executable rather than your deployment tooling, and connections outside normal business hours.
5. Conduct targeted user training on phishing that impersonates government or social welfare communications, emphasizing verification of sender authenticity and cautious handling of unsolicited attachments or downloads.
6. Apply network segmentation and least privilege to limit lateral movement if an initial compromise occurs.
7. Deploy endpoint detection and response (EDR) capable of detecting obfuscated code execution, PowerShell and other command interpreter abuse, and anomalous network connections to C2 servers.
8. Keep systems updated and patched to reduce the attack surface; no specific CVEs are identified here, so this is general hygiene rather than a fix for this campaign.
9. Establish incident response playbooks for phishing and remote access tool abuse, including how to identify and remove rogue ScreenConnect client services, to enable rapid containment and remediation.
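As an added example (not code from the original page, from AlienVault or from the referenced cyberarmor.tech article), the following Python script applies recommendations 2, 4 and 7 to a constructed, Sysmon-like event stream: it matches the page's hashes and domain, extracts the relay host from a ScreenConnect client command line and flags clients pointed at any relay other than the organization's own instance, and flags a ScreenConnect client spawned by an executable in a user-writable directory, which is how a loader dropped from a phishing page would install it. The event schema, the relay allowlist, the sample events and the user-writable-directory heuristic are assumptions made for the example; the ScreenConnect client binary names and the h= relay parameter are general product behaviour, not facts taken from the page.

```python
"""Detection sketch for the ScreenConnect-loader campaign described above.

Added example, not code from the original page, AlienVault or cyberarmor.tech.
Assumptions (not from the page): the simplified Sysmon-like JSON-lines event
schema, the relay allowlist and every sample event are constructed for this
example; the ScreenConnect client binary names and the h= relay parameter in
its command line are general ScreenConnect behaviour, not campaign facts.
"""
import json
import re
from urllib.parse import parse_qs

# IOCs listed on the page (MD5, SHA-1 and SHA-256 by length).
IOC_HASHES = {
    "bc219ea52e5d250b689bfb0203eb9e4e",
    "97997862c73cfe301af43c355ffa4b2d8b1e7d7f",
    "1c939551452b2137b2bd727f13fab80da192f174d0311d23fc3c1c531cefdc87",
}
IOC_DOMAINS = {"secure.ratoscbom.com"}

# Process names the ScreenConnect client ships under (general product knowledge).
SC_CLIENT_IMAGES = {
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
    "screenconnect.client.exe",
}
# Directories an interactive user can write to; a loader downloaded from a
# phishing page lands here. Heuristic assumed for the example.
USER_WRITABLE = re.compile(r"\\(downloads|temp|appdata\\local\\temp)\\", re.I)


def relay_host(command_line: str):
    """Return the relay host (h=) from a ScreenConnect client command line, or None."""
    m = re.search(r'"\?(?P<qs>[^"]*)"', command_line)
    if not m:
        return None
    return parse_qs(m.group("qs")).get("h", [None])[0]


def scan(events, allowed_relays):
    """Return alerts for IOC hits and for suspicious ScreenConnect client use."""
    alerts = []
    for ev in events:
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        if ev["type"] == "process_create":
            hashes = {h.lower() for h in ev.get("hashes", {}).values()}
            if hashes & IOC_HASHES:
                alerts.append({"rule": "ioc_hash", "image": ev["image"]})
            if image in SC_CLIENT_IMAGES:
                host = relay_host(ev.get("command_line", ""))
                # A client configured for any relay other than our own instance is rogue.
                if host is None or host.lower() not in allowed_relays:
                    alerts.append({"rule": "sc_unapproved_relay", "relay": host})
                parent = ev.get("parent_image", "")
                # Our deployment tooling never launches the client from Downloads/Temp.
                if USER_WRITABLE.search(parent):
                    alerts.append({"rule": "sc_spawned_from_user_dir", "parent": parent})
        elif ev["type"] == "network_connect":
            dest = ev.get("dest_host", "").lower()
            if dest in IOC_DOMAINS:
                alerts.append({"rule": "ioc_domain", "dest": dest})
            elif image in SC_CLIENT_IMAGES and dest not in allowed_relays:
                alerts.append({"rule": "sc_unapproved_connection", "dest": dest})
    return alerts


# Constructed sample events (JSON lines), not real telemetry.
SAMPLE_LOG = r"""
{"type":"process_create","image":"C:\\Users\\jdoe\\Downloads\\SSA_Statement.exe","parent_image":"C:\\Windows\\explorer.exe","hashes":{"SHA256":"1C939551452B2137B2BD727F13FAB80DA192F174D0311D23FC3C1C531CEFDC87"}}
{"type":"process_create","image":"C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3)\\ScreenConnect.ClientService.exe","parent_image":"C:\\Users\\jdoe\\Downloads\\SSA_Statement.exe","command_line":"\"C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=secure.ratoscbom.com&p=443&k=abc\""}
{"type":"network_connect","image":"C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3)\\ScreenConnect.ClientService.exe","dest_host":"secure.ratoscbom.com","dest_port":443}
{"type":"process_create","image":"C:\\Program Files (x86)\\ScreenConnect Client (d4e5f6)\\ScreenConnect.ClientService.exe","parent_image":"C:\\Windows\\System32\\services.exe","command_line":"\"C:\\Program Files (x86)\\ScreenConnect Client (d4e5f6)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=helpdesk-relay.example.com&p=443&k=def\""}
{"type":"network_connect","image":"C:\\Program Files (x86)\\ScreenConnect Client (d4e5f6)\\ScreenConnect.ClientService.exe","dest_host":"helpdesk-relay.example.com","dest_port":443}
"""


def load_events(text):
    """Parse JSON-lines text into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


if __name__ == "__main__":
    # helpdesk-relay.example.com stands in for the organization's own instance.
    for alert in scan(load_events(SAMPLE_LOG), {"helpdesk-relay.example.com"}):
        print(alert)
```

Run directly, the sample stream yields four alerts: the hash hit on the downloaded loader, the rogue relay and the user-directory parent on the client it installed, and the connection to the listed domain; the legitimately deployed client pointed at the organization's own relay produces none. In production the same rules map onto Sysmon Event ID 1 (process creation, with the Hashes and ParentImage fields) and Event ID 3 (network connection), and the allowlist should contain only the hostname of the organization's own ScreenConnect instance.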
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Belgium, Sweden
Indicators of Compromise
The page does not state which file each hash belongs to, nor whether the three hashes describe one sample or three; the hash algorithms below are identified from digest length.
- hash (MD5): bc219ea52e5d250b689bfb0203eb9e4e
- hash (SHA-1): 97997862c73cfe301af43c355ffa4b2d8b1e7d7f
- hash (SHA-256): 1c939551452b2137b2bd727f13fab80da192f174d0311d23fc3c1c531cefdc87
- domain: secure.ratoscbom.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://cyberarmor.tech/hacker-exploit-social-security-statement-theme-to-target-over-2000-victims-with-malware/
- Adversary: none attributed
- Pulse ID: 685db703a1b702d3c7c431d8
- Threat Score: none assigned
Threat ID: 685db983ca1063fb87490362
Added to database: 6/26/2025, 9:20:03 PM
Last enriched: 6/26/2025, 9:35:24 PM
Last updated: 8/21/2025, 5:48:54 PM