BleepingComputer reports that highly targeted intrusions involving email bombing and fake IT support calls have been launched by threat actors linked to the 3AM ransomware operation during the first quarter of this year.
According to an analysis from Sophos, the attacks began with a phone call impersonating the organization's IT department, timed to coincide with a flood of roughly two dozen unsolicited emails, which lured the targeted employee into opening Microsoft Quick Assist and granting remote access. The attacker then downloaded and extracted a malicious archive containing the QEMU emulator, a VBS script, and a Windows 7 virtual machine image pre-loaded with the QDoor backdoor. Running the backdoor inside a QEMU virtual machine let the intruder operate covertly on the host while conducting reconnaissance, which led to installation of the XEOXRemote remote monitoring and management tool and compromise of a domain admin account, and ultimately to the theft of 868 GB of data, Sophos noted, adding that it was able to contain the attack's impact on the compromised host. Sophos said the intrusion should prompt organizations to tighten audits of admin accounts and deploy XDR tooling.
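The chain above (Quick Assist session, then a script host and a portable QEMU binary launched from a user-writable directory) is the kind of sequence an endpoint detection rule can correlate. The following is an added example written for this page, not code from Sophos or from the Sophos report: it runs a simple per-host correlation over constructed process-creation events (the hostnames, paths, timestamps and users are all made up for illustration) and flags QEMU executed from a user-writable path or any QEMU/script-host activity within a window after quickassist.exe starts.

```python
import fnmatch
import ntpath
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event as a Windows endpoint sensor would log it."""
    host: str
    ts: datetime
    image: str      # full path of the process image
    cmdline: str    # command line as logged
    user: str


# Constructed sample telemetry (hypothetical hosts, users and paths; not from the report).
# WS01 shows the Quick Assist -> VBS -> portable QEMU sequence; DEV02 is a benign QEMU install.
SAMPLE = [
    ProcEvent("WS01", datetime(2025, 3, 3, 9, 2), r"C:\Windows\System32\quickassist.exe",
              "quickassist.exe", "corp\\jdoe"),
    ProcEvent("WS01", datetime(2025, 3, 3, 9, 14), r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Users\jdoe\Downloads\setup\start.vbs", "corp\\jdoe"),
    ProcEvent("WS01", datetime(2025, 3, 3, 9, 15), r"C:\Users\jdoe\Downloads\setup\qemu-system-x86_64.exe",
              "qemu-system-x86_64.exe -hda win7.qcow2 -m 2048", "corp\\jdoe"),
    ProcEvent("DEV02", datetime(2025, 3, 3, 11, 0), r"C:\Program Files\qemu\qemu-system-x86_64.exe",
              "qemu-system-x86_64.exe -hda dev.qcow2", "corp\\asmith"),
    ProcEvent("WS01", datetime(2025, 3, 4, 8, 0), r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Windows\System32\logon.vbs", "corp\\jdoe"),  # benign, outside window
]

# Path fragments that indicate a location an ordinary user can write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\windows\\temp\\", "\\appdata\\")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
QEMU_PATTERN = "qemu-system-*.exe"


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def script_path(cmdline: str):
    """Return the first script-file argument on a wscript/cscript command line, if any."""
    for tok in cmdline.replace('"', " ").split():
        if tok.lower().endswith((".vbs", ".vbe", ".js", ".jse", ".wsf")):
            return tok
    return None


def correlate(events, window: timedelta = timedelta(hours=2)):
    """Return (host, timestamp, reasons) alerts for events matching the Quick Assist -> QEMU pattern.

    Events are processed per host in time order; a quickassist.exe start opens a
    correlation window during which script hosts running user-writable scripts and
    any QEMU launch are flagged. QEMU from a user-writable path is flagged regardless.
    """
    alerts = []
    last_quick_assist = {}  # host -> timestamp of most recent quickassist.exe start
    for e in sorted(events, key=lambda ev: (ev.host, ev.ts)):
        name = basename(e.image)
        if name == "quickassist.exe":
            last_quick_assist[e.host] = e.ts
            continue
        recent_qa = e.host in last_quick_assist and (e.ts - last_quick_assist[e.host]) <= window
        reasons = []
        if fnmatch.fnmatch(name, QEMU_PATTERN):
            if in_user_writable(e.image):
                reasons.append("qemu_in_user_writable_path")
            if recent_qa:
                reasons.append("qemu_after_quick_assist")
        elif name in SCRIPT_HOSTS and recent_qa:
            sp = script_path(e.cmdline)
            if sp and in_user_writable(sp):
                reasons.append("script_host_after_quick_assist")
        if reasons:
            alerts.append((e.host, e.ts, tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for host, ts, reasons in correlate(SAMPLE):
        print(f"{ts:%Y-%m-%d %H:%M} {host}: {', '.join(reasons)}")
```

The two-hour window and the list of user-writable markers are tuning choices, not values from the report; in a real deployment the Quick Assist trigger would be joined with the RMM and logon telemetry (XEOXRemote installation, new domain admin use) that the article describes as later stages of the intrusion.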