Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Cybercriminals are impersonating the US Social Security Administration in an attempt to install Remote Access Trojan (RAT) malware on people’s devices, experts have warned.
Cofense cybersecurity researchers have observed a phishing campaign, which has slowly picked up pace in the days and weeks leading up to the 2024 US presidential election.
The goal of the campaign was to distribute the ConnectWise RAT, a malicious use of the otherwise legitimate software ConnectWise Control (formerly ScreenConnect).
In an in-depth analysis, Cofense said it has observed several variants of the same phishing campaign, in which crooks spoof the Social Security Administration and claim to provide an updated statement of benefits. Most of the time, the lure is delivered through a mismatched link (a link that doesn’t lead where it says it leads). Sometimes, threat actors try to hide the link behind a “View Statement” button.
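A mail-filter check for the two lure styles described above, as an added example that is not from Cofense or the original article: it flags anchors whose visible text shows one domain while the href points to another, and button-style links that leave the expected site. The sample email, the example.net and example.org hosts, the function names and the last-two-labels domain comparison are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body; hosts are reserved example domains, not campaign indicators.
SAMPLE_EMAIL = """
<p>Your updated Social Security benefits statement is ready.</p>
<p><a href="https://files.example.net/statement">https://www.ssa.gov/myaccount/statement</a></p>
<p><a href="https://downloads.example.org/view"><span>View Statement</span></a></p>
<p><a href="https://www.ssa.gov/agency/contact/">Contact us</a></p>
"""

DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element, including nested markup."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href, self._text = None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def site(host):
    # Assumption: last two labels approximate the registrable domain (use a PSL in production).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def find_link_issues(html, expected_site="ssa.gov"):
    """Return (issue, visible_text, real_host) for each suspicious anchor."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        host = urlsplit(href).hostname or ""
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and site(shown.group(1)) != site(host):
            findings.append(("mismatched_link", text, host))   # text claims another domain
        elif not shown and site(host) != expected_site:
            findings.append(("offsite_button", text, host))    # label hides the destination
    return findings
```
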
The campaign probably started in mid-September 2024, when it was first observed by Cofense. The second sample came a month later, after which the frequency gradually increased until mid-November.
“While additional emails were seen in late November, this campaign reached peak volume on November 11 and 12, a week after Election Day,” Cofense concluded.
ConnectWise Control is a legitimate remote desktop and support tool, but in this scenario, it is used to gain unauthorized access to the victims’ devices. Cybercriminals exploit legitimate software capabilities by deploying them stealthily, often bundling them with malware or phishing schemes. Once installed, the RAT allows threat actors to remotely control systems, steal sensitive data, deploy additional malware, and monitor the victim’s computer activity.
Legitimate software is often used for malicious purposes, as endpoint security and malware removal services often do not recognize it as a threat.