Full Report
Cybercriminals are using fake Social Security Administration emails to distribute the ScreenConnect RAT (Remote Access Trojan) and compromise…
Analysis Summary
# Tool/Technique: ScreenConnect RAT
## Overview
ScreenConnect is being deployed via phishing emails impersonating the Social Security Administration (SSA) to gain initial access and establish remote control over victim systems.
## Technical Details
- Type: Remote Access Trojan (RAT) delivered via Phishing
- Platform: Not explicitly stated, but ScreenConnect clients are typically deployed on Windows endpoints when the tool is abused as a RAT.
- Capabilities: Remote desktop control, system access.
- First Seen: Information not available in the context provided.
## MITRE ATT&CK Mapping
*Note: As the article only states that ScreenConnect is used as a RAT following a phishing campaign, the mappings focus on the delivery method and the likely RAT activity.*
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (Likely, if an attachment delivers the payload)
    - T1566.002 - Spearphishing Link (Likely, if a link within the email initiates download/execution)
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol (ScreenConnect uses its legitimate protocol for C2)
## Functionality
### Core Capabilities
- Delivering a Remote Access Trojan (RAT) payload through social engineering (emails impersonating the SSA).
- Establishing persistent, remote control over the compromised endpoint.
### Advanced Features
- Because ScreenConnect is a legitimate remote support tool, the attacker's sessions blend in with regular remote administration traffic, which helps them evade detection.
## Indicators of Compromise
- File Hashes: [Not available in the context]
- File Names: [Not available in the context]
- Registry Keys: [Not available in the context]
- Network Indicators: [ScreenConnect C2 traffic patterns, specific to the deployment infrastructure, not specified in detail]
- Behavioral Indicators: Execution following an SSA-themed email interaction; atypical outbound connections on ScreenConnect ports.
## Associated Threat Actors
- Threat actors utilizing this specific SSA phishing campaign are not explicitly named in the provided text.
## Detection Methods
- Signature-based detection: Signatures for the specific ScreenConnect executable deployed in this campaign.
- Behavioral detection: Monitoring for the execution of remote access software or unusual outbound connections characteristic of ScreenConnect C2.
- YARA rules: [Not available in the context]
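The behavioral detections listed above can be expressed as a small correlation rule. The following is an added example written for this page, not code from the original report: it runs over constructed endpoint telemetry (process-creation and network events) and raises an alert when a ScreenConnect client is spawned by a mail client or browser, or when a ScreenConnect process connects to a relay host that is not on the organisation's approved list. The binary names, the parent-process set, the relay allowlist and every hostname in the sample events are assumptions for illustration, not indicators from the report.

```python
import re
from dataclasses import dataclass

# Assumption (not from the report): on Windows the ScreenConnect client runs
# under binary names such as ScreenConnect.ClientService.exe.
SCREENCONNECT_IMAGE = re.compile(
    r"^screenconnect\.(clientservice|windowsclient)\.exe$", re.I)

# Constructed for this example: user-facing applications an email interaction
# would go through; a ScreenConnect client spawned beneath them is suspicious.
USER_FACING_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed allowlist of relay hosts the IT team legitimately uses.
APPROVED_RELAYS = {"support-relay.example.internal"}


@dataclass
class Alert:
    host: str
    reason: str
    detail: str


def parse_event(line):
    """Parse a constructed 'key=value|key=value' telemetry line into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def detect(lines):
    """Apply both checks in order and return the alerts raised."""
    alerts = []
    sc_procs = {}  # (host, pid) -> image name of processes identified as ScreenConnect
    for line in lines:
        ev = parse_event(line)
        if ev["type"] == "process":
            image = ev["image"].rsplit("\\", 1)[-1]
            if not SCREENCONNECT_IMAGE.match(image):
                continue
            sc_procs[(ev["host"], ev["pid"])] = image
            parent = ev.get("parent", "").lower()
            if parent in USER_FACING_PARENTS:
                alerts.append(Alert(ev["host"], "screenconnect_from_user_app",
                                    f"{image} spawned by {parent} (pid {ev['pid']})"))
        elif ev["type"] == "network":
            key = (ev["host"], ev["pid"])
            if key in sc_procs and ev["dest"] not in APPROVED_RELAYS:
                alerts.append(Alert(ev["host"], "unapproved_relay",
                                    f"{sc_procs[key]} connected to {ev['dest']}:{ev['port']}"))
    return alerts


# Constructed sample telemetry: WS01 shows the phishing pattern, WS02 a
# sanctioned installation talking to the approved relay.
SAMPLE_EVENTS = [
    "type=process|host=WS01|pid=4120|image=C:\\Users\\alice\\Downloads\\ScreenConnect.ClientService.exe|parent=outlook.exe",
    "type=network|host=WS01|pid=4120|dest=relay-placeholder.example|port=8041",
    "type=process|host=WS02|pid=880|image=C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe|parent=services.exe",
    "type=network|host=WS02|pid=880|dest=support-relay.example.internal|port=8041",
    "type=network|host=WS01|pid=999|dest=update.example|port=443",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.reason}] {alert.host}: {alert.detail}")
```

Running the block prints two alerts, both for WS01; WS02 stays silent because its client was started by the service manager and only talks to the approved relay. In a real deployment the allowlist is the piece that makes the rule usable: without it, every legitimate support session would fire.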
## Mitigation Strategies
- Prevention measures: User training against SSA-themed phishing emails.
- Hardening recommendations: Network filtering for outbound ScreenConnect traffic unless expected, application whitelisting to prevent unauthorized remote access tools from running.
## Related Tools/Techniques
- Phishing/Spearphishing (Delivery Mechanism).
- Other legitimate tools abused as RATs (e.g., TeamViewer, AnyDesk).