This article details a sophisticated phishing campaign that leverages legitimate services and software to deploy a remote access tool. The attack begins with a targeted email impersonating "TradingView" sent via an abused reviews.io account, bypassing standard email filters. Victims are led through a redirect chain involving Google Sites and an anti-bot protected staging domain (latest-download.org) to a VBScript dropper. A critical finding is the VBScript's genuinely valid Authenticode signature, acquired through Microsoft Trusted Signing with a likely synthetic identity, highlighting a known abuse pattern where short-lived certificates remain valid on systems indefinitely.
The VBScript dropper downloads and executes an unmodified ScreenConnect.ClientSetup.msi, a legitimate remote access software, confirming the attackers' reliance on living-off-the-land techniques rather than custom malware. Analysis of the deployed ScreenConnect client revealed a self-hosted command and control (C2) server (area.usit-services.com:8041) running on a compromised Windows Server 2022 instance, identifiable by its default hostname and exposed RDP. Significantly, the C2 infrastructure was traced to Middlesex University, indicating that the threat actors are exploiting an unwitting institutional victim as their operational base.
The article concludes with a MITRE ATT&CK mapping of the techniques used, comprehensive Indicators of Compromise (IOCs), and actionable detection and response recommendations, emphasizing the need for robust email and endpoint security, and diligent monitoring for unauthorized remote access tool deployments. The incident has been reported to relevant security teams and authorities, underscoring the collaborative effort required to combat such multi-layered threats.
Top comments (0)