New phishing scam uses legit software to hijack computers, but the real story is even wilder

Parkinsond
Dec 6, 2023
It all starts with emails containing fake meeting invites, PDF documents, and other malicious links. When a targeted user clicks a link to update a familiar app like Microsoft Teams, Zoom, Google Meet, or Adobe Reader, they are actually downloading malware onto their computer.

But here’s the thing: Microsoft found that the malicious files were digitally signed using an abused Extended Validation (EV) certificate issued to a company called TrustConnect Software PTY LTD.

Now, EV certificates aren't easy to get, as they require strict identity verification by the Certificate Authority. As ESET Distinguished Researcher Aryeh Goretsky pointed out in the comments, an EV certificate doesn't automatically prevent antivirus software from scanning a file, but it does assign it a higher reputational score. Proofpoint's report adds that "when used by threat actors, they can help criminals evade signature-based detections."

Threat researchers at Proofpoint discovered last month that the hackers did not steal the certificate. They actually created a shell company, “TrustConnect Software PTY LTD” and crafted an entire fake business identity. They used AI to generate a highly convincing corporate website and injected it with fabricated customer statistics and reviews. Under the disguise of a legitimate startup, TrustConnect then legally bought an EV certificate. Someone at the Certificate Authority actually reviewed and approved the purchase.

With a highly trusted EV certificate in their possession, TrustConnect didn’t just plan to launch its own attacks. Instead, it turned its fake website into a lucrative storefront for renting out its malware to other attackers. TrustConnect essentially created, as Proofpoint calls it, a Malware-as-a-Service (MaaS) operation, charging a flat rate of $300 a month in cryptocurrency for access to the digitally signed payloads and command infrastructure. The attackers followed that age-old advice and sold shovels during a gold rush.

We discussed it here too:

Executive Summary

Confirmed Facts

Threat actors operating under the fabricated shell company "TrustConnect Software PTY LTD" successfully acquired an Extended Validation (EV) certificate to digitally sign malware payloads, distributing them via phishing links that mimic legitimate updates for applications like Zoom and Microsoft Teams.

Assessment
By silently deploying legitimate Remote Monitoring and Management (RMM) software, the attackers seamlessly blend malicious remote access into normal network traffic, which suggests a highly organized Malware-as-a-Service (MaaS) architecture designed to evade traditional signature-based detections.

Technical Analysis & Remediation

MITRE ATT&CK Mapping

T1566.001
Phishing: Spearphishing Attachment / Link

T1553.002
Subvert Trust Controls: Code Signing

T1059.001
Command and Scripting Interpreter: PowerShell

T1543.003
Create or Modify System Process: Windows Service

T1547.001
Boot or Logon Autostart Execution: Registry Run Keys

T1219
Remote Access Software

CVE Profile
NVD Score: N/A
(Social Engineering / Legitimate Feature Abuse)
CISA KEV Status: Inactive.

Telemetry

IPs

136[.]0[.]157[.]51
154[.]16[.]171[.]203
173[.]195[.]100[.]77
66[.]150[.]196[.]166

Domains
Trustconnectsoftware[.]com
Pacdashed[.]com
server[.]yakabanskreen[.]top
app[.]amazonwindowsprime[.]com

Hashes
Unknown (Origin: Insufficient Evidence).

Registry Keys
Windows Run key (Exact hive/path: Unknown / Insufficient Evidence).

Constraint
The structure resembles a multi-stage dropper built to obfuscate its final RMM payload (e.g., ScreenConnect, Tactical RMM, Mesh Agent) through highly trusted delivery mechanisms.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Revoke trust globally for any software signed by the "TrustConnect Software PTY LTD" EV certificate and update Supply Chain Risk protocols.

DETECT (DE) – Monitoring & Analysis

Command
Query SIEM and EDR for anomalous network connections to known malicious domains such as [suspicious link removed] and hardcoded IPs like 136[.]0[.]157[.]51.

Command
Implement strict hunting queries for unexpected installations of ScreenConnect, Tactical RMM, or Mesh Agent originating from the Program Files directory via PowerShell.

RESPOND (RS) – Mitigation & Containment

Command
Isolate affected hosts from the production network immediately.

Command
Terminate illicit Windows services and purge associated Registry Run keys created by the payload.

RECOVER (RC) – Restoration & Trust

Command
Validate a clean state by auditing endpoints for residual unauthorized RMM agents prior to phased network restoration.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Deploy application control (e.g., WDAC or AppLocker) to strictly baseline approved IT management tools, ensuring unapproved RMMs cannot execute regardless of signature status.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
Disconnect from the internet immediately. (Vulnerability confirmed across default Windows environments).

Command
Do not log into banking/email until verified clean.

Priority 2: Identity

Command
Reset passwords and cycle MFA tokens using a known clean device (e.g., phone on 5G).

Priority 3: Persistence

Command
Check Scheduled Tasks, Startup Folders, and the System Registry for unauthorized startup applications.

Command
Manually review installed programs for unapproved remote access software (e.g., ScreenConnect, Mesh Agent) and uninstall them.

Hardening & References

Baseline

CIS Benchmarks for Windows 10/11 (Application Whitelisting / PowerShell Execution Policies).

Framework
NIST CSF 2.0 / SP 800-61r3.

Source

Microsoft Security Response / Threat Intelligence

Neowin Technology News
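An added hunt-and-contain script for the steps in the two remediation tracks above: the hunt for binaries signed by the shell company, the review of services, Run keys and scheduled tasks for unauthorized RMM agents, the check for connections to the listed IPs and domains, and a local stopgap for the "revoke trust globally" step. This is example code written for this post, not anything published by Microsoft, Proofpoint or Neowin. The signer-name fragment, IPs and domains are the ones listed above; the RMM product names, install roots and registry paths are assumptions. Run it in an elevated PowerShell session on the host being examined.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post, Proofpoint or Microsoft.
# Signer-name fragment, IPs and domains come from the post; the RMM product
# names, search roots and registry paths are assumptions for illustration.

$SignerPattern  = 'TrustConnect Software'                    # from the post: Subject of the abused EV cert
$BadIPs         = '136.0.157.51', '154.16.171.203',           # from the post (defanging removed)
                  '173.195.100.77', '66.150.196.166'
$BadDomainRegex = 'trustconnectsoftware\.com|pacdashed\.com|yakabanskreen\.top|amazonwindowsprime\.com'  # from the post
$RmmNames       = 'ScreenConnect', 'TacticalRMM', 'Tactical RMM', 'MeshAgent', 'Mesh Agent'              # assumed
$RmmRegex       = ($RmmNames | ForEach-Object { [regex]::Escape($_) }) -join '|'
$Findings       = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Kind, [string]$Location, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
}

# 1. Code-signing hunt (T1553.002): binaries under common install roots signed by the shell company.
#    Status can still read 'Valid' until the CA revokes the cert; the Subject is the tell.
$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) | Where-Object { $_ }
Get-ChildItem -Path $Roots -Recurse -Include *.exe, *.msi -ErrorAction SilentlyContinue | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
    if ($sig -and $sig.SignerCertificate -and $sig.SignerCertificate.Subject -match $SignerPattern) {
        Add-Finding 'SignedByShellCompany' $_.FullName "Status=$($sig.Status); Thumbprint=$($sig.SignerCertificate.Thumbprint)"
    }
}

# 2. Persistence (T1543.003 / T1547.001) and RMM presence (T1219): services, Run keys, scheduled tasks.
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match $RmmRegex } |
    ForEach-Object { Add-Finding 'Service' $_.Name $_.PathName }

$RunKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        if ("$($p.Value)" -match $RmmRegex) { Add-Finding 'RunKey' "$key\$($p.Name)" "$($p.Value)" }
    }
}

Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $RmmRegex) { Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd }
    }
}

# 3. Network IOCs: established sessions to the hardcoded IPs (with owning process) and cached lookups
#    of the listed domains. An empty result here does not prove absence; the cache is short-lived.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $BadIPs -contains $_.RemoteAddress } | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Add-Finding 'C2Connection' "$($_.RemoteAddress):$($_.RemotePort)" "PID $($_.OwningProcess) $($proc.Path)"
    }
Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -match $BadDomainRegex } |
    ForEach-Object { Add-Finding 'DnsCache' $_.Entry "$($_.Data)" }

# 4. Local stopgap for the GOVERN step: placing the signer's leaf cert in LocalMachine\Disallowed makes
#    Authenticode treat everything it signed as untrusted on this host without waiting for CA revocation.
#    Application control (WDAC/AppLocker) remains the primary control; this only covers one host.
function Block-SignerCertificate {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new('Disallowed', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Add($Cert)
    $store.Close()
}

$Findings | Sort-Object Kind | Format-Table -AutoSize
$hit = $Findings | Where-Object Kind -eq 'SignedByShellCompany' | Select-Object -First 1
if ($hit) {
    # Leave the block step to an analyst decision; the cert object is ready once a hit is confirmed.
    $cert = (Get-AuthenticodeSignature -FilePath $hit.Location).SignerCertificate
    Write-Warning "Binary signed by '$SignerPattern' found at $($hit.Location). To distrust on this host: Block-SignerCertificate -Cert `$cert"
}
```

The signature hunt keys on the certificate Subject rather than on `Status`, because a fraudulently obtained EV certificate chains to a trusted root and validates cleanly until the CA revokes it. Once a hit is confirmed, the matching thumbprint is the value to push out as a Disallowed-store entry via GPO or as a WDAC deny rule, which is the fleet-wide form of step 4.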