
A ransomware group is spoofing organisations’ IT department numbers to place social engineering calls, in which they masquerade as IT support.
That’s according to security firm Sophos, which said it has tracked 55 attacks by the group, dubbed 3AM. The group is using familiar tactics, with a twist.
The ransomware group is “using ‘email bombing’ to overload a targeted organization’s employee with unwanted emails, and then making a voice or video call over Microsoft Teams posing as a tech support team member to deceive that employee into allowing remote access to their computer,” Sophos said.
That’s a technique Microsoft itself has reported seeing since at least early 2024.
In this case, after careful reconnaissance of target organisations, including scanning for email addresses, internal phone numbers and more, the 3AM attackers placed a phone call that spoofed the number of IT support, successfully persuading the targeted employee to grant remote access to their computer via Microsoft Quick Assist in order to fix a purported security issue.
Once in, said Sophos, they ran a QEMU emulator binary and deployed a Windows 7 virtual machine (VM) on the breached computer, “providing the attackers with an initial foothold hidden from the view of endpoint protection software” via a “QDoor” trojan that ran inside the installed VM.
At no point were admin privileges required. Hours later, they pivoted to and compromised a domain services account and executed PowerShell on one of the organization’s servers. (Sophos incident response was not able to determine how the attackers later also got domain admin, saying “no forensic artifacts were available to explain how that compromise occurred.”)
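As an added example (not code from Sophos or its report), the following hunt runs over constructed, Sysmon-style process-creation events and flags the sequence described above: a Quick Assist session followed by a QEMU binary started by the same user on the same host, or a QEMU binary launched from a user-writable directory where no admin rights are needed. The field names, the QEMU file-name prefixes, the user-writable path list and the two-hour lookback window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample process-creation events (Sysmon-style fields); these
# are not telemetry from the Sophos case. Times are ISO 8601.
SAMPLE_EVENTS = [
    {"time": "2025-05-20T09:12:03", "host": "WS-117", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\quickassist.exe"},
    {"time": "2025-05-20T09:41:50", "host": "WS-117", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\qemu-system-x86_64.exe"},
    {"time": "2025-05-20T10:02:11", "host": "WS-204", "user": "CORP\\asmith",
     "image": r"C:\Program Files\qemu\qemu-system-x86_64.exe"},
]

QEMU_PREFIXES = ("qemu-system-", "qemu-img", "qemu.")      # assumed name list
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
WINDOW = timedelta(hours=2)   # assumed lookback from QEMU launch to Quick Assist

def _name(image):
    return image.rsplit("\\", 1)[-1].lower()

def is_qemu(image):
    return _name(image).startswith(QEMU_PREFIXES)

def is_user_writable(image):
    return any(p in image.lower() for p in USER_WRITABLE)

def hunt(events, window=WINDOW):
    """Return one finding per QEMU launch that is preceded by a Quick Assist
    session from the same host/user within `window`, or that starts from a
    user-writable directory (i.e. without needing admin privileges)."""
    events = sorted(events, key=lambda e: e["time"])
    quick_assist = {}          # (host, user) -> latest quickassist.exe start
    findings = []
    for e in events:
        t = datetime.fromisoformat(e["time"])
        key = (e["host"], e["user"])
        if _name(e["image"]) == "quickassist.exe":
            quick_assist[key] = t
            continue
        if not is_qemu(e["image"]):
            continue
        reasons = []
        qa = quick_assist.get(key)
        if qa is not None and t - qa <= window:
            reasons.append("qemu after Quick Assist session")
        if is_user_writable(e["image"]):
            reasons.append("qemu launched from user-writable path")
        if reasons:
            findings.append({"host": e["host"], "user": e["user"],
                             "image": e["image"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["host"], f["user"], f["reasons"])
```

The WS-204 event is deliberately benign (an installed QEMU under Program Files with no preceding Quick Assist session) to show the rule does not fire on ordinary use.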
“Multifactor authentication was implemented for RDP access for all user accounts. These measures frustrated further efforts by the threat actor to move laterally. MFA prevented the threat actor from establishing interactive sessions over RDP. However, it did not protect against the continued use of WMIC and remote PowerShell activity,” Sophos noted, saying in its report that the ransomware group used a range of techniques to move laterally through the network, ultimately identifying a single server without Sophos EDR protection and using it to target 88 computers with ransomware in a largely failed attack (thanks to EDR on those machines and widespread MFA).
The initial social engineering was in part successful due to the “sense of urgency driven by… an onslaught of unwanted emails suddenly disrupting their workday,” noted Sophos, urging CISOs to ensure they “educate staff on the exact ways IT support will contact them, under what circumstances, and which tools they will use to provide remote technical support…”