- Security researchers at Cofense detect multiple phishing emails impersonating the US Social Security Administration.
- The goal was to implement the ConnectWise remote access trojan
- Email frequency increased in the days leading up to the 2024 US presidential election
Experts have warned that cybercriminals are impersonating the US Social Security Administration in an attempt to install Remote Access Trojan (RAT) malware on people’s devices.
Cybersecurity researchers at Cofense observed a phishing campaign, which slowly accelerated in the days and weeks leading up to the 2024 US presidential election.
The goal of the campaign was to distribute ConnectWise RAT, a tainted and malicious use of legitimate software called ConnectWise Control (formerly ScreenConnect).
ConnectWise RAT
In an in-depth analysis, Cofense said it observed multiple variants of the same phishing campaign, in which criminals mocked the Social Security Administration and claimed to provide an updated benefit statement. Most of the time, the false statement would come in the form of a mismatch link (a link that does not lead to where it says it will lead). Sometimes threat actors attempted to hide the link behind a “View Statement” button.
The campaign most likely began in mid-September 2024, when it was first observed by Cofense. The second sample arrived a month later, after which the frequency gradually increased until mid-November.
“While additional emails were seen in late November, this campaign reached its peak volume on November 11 and 12, a week after Election Day,” Cofense concluded.
ConnectWise Control is a legitimate remote desktop and support tool, but in this scenario, it is used to gain unauthorized access to victims’ devices. Cybercriminals exploit the software’s legitimate capabilities by deploying it stealthily, often combining it with malware or phishing schemes. Once installed, the RAT allows threat actors to remotely control systems, steal sensitive data, deploy additional malware, and monitor the victim’s computing activity.
Legitimate software is often used for malicious purposes, as malware removal and endpoint security services often do not recognize them as a threat.
