Cybercriminals still allowed to walk into office blocks and convince staff to let them plug in their own thumb drives
Analysis Summary
# Tool/Technique: Physical Social Engineering & Callback Phishing (Silent Ransom Group)
## Overview
This technique involves a hybrid approach to corporate espionage and extortion, where threat actors combine remote social engineering (callback phishing) with physical "on-site" visits. The goal is to gain direct physical or remote access to a victim's workstation to exfiltrate sensitive data for extortion purposes, specifically targeting the legal sector.
## Technical Details
- **Type**: Technique / Social Engineering
- **Platform**: Windows, macOS (Corporate Workstations)
- **Capabilities**: Data exfiltration, credential theft, remote access establishment, physical device imaging.
- **First Seen**: Group active since 2022; physical "in-person" variants reported in spring 2026.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.004 - Phishing: Voice Phishing (Vishing/Callback Phishing)]
  - [T1091 - Replication Through Removable Media]
  - [T1200 - Hardware Additions] ([T1190 - Exploit Public-Facing Application] does not apply in this context; the initial foothold is a physically attached device, not an exposed service)
- **[TA0009 - Collection]**
  - [T1005 - Data from Local System]
- **[TA0010 - Exfiltration]**
  - [T1011.001 - Exfiltration Over Physical Medium: Exfiltration over USB]
  - [T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage]
## Functionality
### Core Capabilities
* **Callback Phishing:** Sending SMS or emails regarding fake subscriptions or security alerts to bait victims into calling a fraudulent support number.
* **Remote Access Session:** Compelling users to install remote desktop software to grant the attacker access to the machine.
* **Physical Data Theft:** Impersonating IT staff to gain physical access to office blocks and plugging in USB thumb drives to "image" or "backup" files.
### Advanced Features
* **Tool Masquerading:** Using disguised versions of legitimate tools like `Rclone` to bypass detection during data transfer.
* **Abuse of Trusted Platforms:** Using the victim’s own internal Google Drive or Microsoft OneDrive accounts to stage and move stolen documents to evade network DLP (Data Loss Prevention).
## Indicators of Compromise
- **File Names:** Disguised (renamed) copies of `rclone.exe` and `winscp.exe`.
- **Network Indicators:**
  - Outbound connections to unauthorized cloud storage providers (Google Drive, OneDrive).
  - Unauthorized use of port 22 (SSH/SFTP) for encrypted data transfer.
- **Behavioral Indicators:**
  - Unexpected creation of local backups or "disk images" by non-IT personnel.
  - Execution of remote desktop software (TeamViewer, AnyDesk, etc.) initiated by a phone-call request.
  - Large data uploads to cloud storage shortly after a "tech support" interaction.
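The last behavioral indicator above is a timing correlation rather than a single event, so it is best expressed as a rule over two feeds. The following is an added example, not part of the original report: it joins constructed web-proxy records (timestamp, user, destination host, bytes sent) with a constructed list of inbound "support call" events from a phone system or ticket queue, and flags any user who pushed more than a threshold volume to cloud storage hosts within a window after such a call. The log formats, the host list and the threshold are assumptions chosen for illustration.

```python
"""Correlate 'tech support' interactions with subsequent bulk uploads to
cloud storage (added example; log formats and feeds are assumed)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Cloud storage destinations named in the report. A production rule should
# use the organisation's own list of sanctioned tenants, not bare domains.
CLOUD_STORAGE_HOSTS = {
    "drive.google.com", "www.googleapis.com",
    "onedrive.live.com", "graph.microsoft.com",
}

# Constructed proxy log: timestamp, user, destination host, bytes sent.
PROXY_LOG = """\
2026-04-02T09:58:10Z jdoe drive.google.com 20480
2026-04-02T10:31:44Z jdoe www.googleapis.com 734003200
2026-04-02T10:47:02Z jdoe www.googleapis.com 655360000
2026-04-02T11:05:19Z asmith onedrive.live.com 4194304
2026-04-02T14:12:00Z asmith graph.microsoft.com 1048576
"""

# Constructed record of inbound support calls: timestamp, user who took it.
SUPPORT_CALLS = """\
2026-04-02T10:05:00Z jdoe
2026-04-02T13:40:00Z asmith
"""


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_proxy(text):
    rows = []
    for line in text.splitlines():
        ts, user, host, sent = line.split()
        rows.append((parse_ts(ts), user, host, int(sent)))
    return rows


def parse_calls(text):
    calls = defaultdict(list)
    for line in text.splitlines():
        ts, user = line.split()
        calls[user].append(parse_ts(ts))
    return calls


def post_call_upload_alerts(proxy_text, calls_text,
                            window=timedelta(hours=3),
                            threshold=500 * 1024 * 1024):
    """Return {user: bytes} for users who sent more than `threshold` bytes to
    cloud storage hosts within `window` after a support call they took."""
    calls = parse_calls(calls_text)
    totals = defaultdict(int)
    for ts, user, host, sent in parse_proxy(proxy_text):
        if host not in CLOUD_STORAGE_HOSTS:
            continue
        # Count the transfer once if it falls inside any call's window.
        for call_ts in calls.get(user, []):
            if call_ts <= ts <= call_ts + window:
                totals[user] += sent
                break
    return {user: total for user, total in totals.items() if total > threshold}


if __name__ == "__main__":
    for user, nbytes in post_call_upload_alerts(PROXY_LOG, SUPPORT_CALLS).items():
        print(f"ALERT {user}: {nbytes / 2**20:.0f} MiB to cloud storage "
              f"within 3h of a support call")
```

With the constructed data, `jdoe` trips the rule (two large uploads about half an hour after the 10:05 call), while `asmith`'s 1 MiB upload after the 13:40 call stays under the threshold and the 11:05 upload predates the call entirely. The window and threshold should be tuned against the organisation's normal sync traffic before the rule is used for alerting.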
## Associated Threat Actors
- **Silent Ransom Group (SRG):** Also known as Luna Moth or Hello Kitty (associated variants). Known for "hack-and-leak" extortion without deploying ransomware.
## Detection Methods
- **Signature-based detection:** Monitoring for known hashes of `Rclone` and `WinSCP` in unauthorized directories (e.g., `\Temp\`).
- **Behavioral detection:**
  - Alerting on the insertion of unauthorized USB mass storage devices in sensitive environments.
  - Monitoring for "impossible travel" or unusual logins coinciding with external support calls.
  - Detection of remote access tools being downloaded and executed from user profiles.
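Hash-based matching misses a renamed `rclone.exe`, but the `OriginalFileName` field that Sysmon copies from the PE version resource into its process-creation event (Event ID 1) survives the rename. The following is an added example, not code from the original report: it runs three of the detections above (tool masquerading, remote access tools launched from a user profile, and USB mass storage attachment) over constructed events shaped like Sysmon Event ID 1 and Windows Security Event ID 6416 ("A new external device was recognized by the system"). The field names are those real events carry; the sample values, tool lists and directory patterns are assumptions for illustration.

```python
"""Endpoint rules for masqueraded exfil tools, remote access tools run from
user profiles, and USB mass storage attachment (added example; events are
constructed to resemble Sysmon EID 1 and Security EID 6416)."""
import ntpath
import re

# Tools named in the report, keyed by the OriginalFileName the PE resource
# carries even after the file on disk has been renamed.
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe"}
# Directories that should not hold administrative tooling on a managed host.
SUSPICIOUS_DIRS = re.compile(r"\\(temp|tmp|downloads|appdata)\\", re.IGNORECASE)
USER_PROFILE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.IGNORECASE)

# Constructed sample events (device IDs are placeholders, not real IoCs).
EVENTS = [
    # Renamed rclone running out of a Temp folder: masquerading.
    {"EventID": 1, "User": "CORP\\jdoe",
     "Image": r"C:\Windows\Temp\svchost32.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": 'svchost32.exe copy "C:\\Cases" remote:staging'},
    # Remote access tool launched from the user's Downloads folder.
    {"EventID": 1, "User": "CORP\\jdoe",
     "Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "OriginalFileName": "AnyDesk.exe",
     "CommandLine": "AnyDesk.exe"},
    # WinSCP deployed by IT under Program Files: benign.
    {"EventID": 1, "User": "CORP\\it-admin",
     "Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "OriginalFileName": "WinSCP.exe",
     "CommandLine": "WinSCP.exe"},
    # USB mass storage device recognised on a workstation.
    {"EventID": 6416, "User": "CORP\\jdoe", "DeviceDescription": "USB Mass Storage Device",
     "ClassName": "USB", "DeviceId": "USB\\VID_0000&PID_0000\\EXAMPLESERIAL"},
    # Non-storage USB device (keyboard): must not alert.
    {"EventID": 6416, "User": "CORP\\asmith", "DeviceDescription": "USB Input Device",
     "ClassName": "HIDClass", "DeviceId": "USB\\VID_0000&PID_0001\\EXAMPLEHID"},
]


def check_process(ev):
    """Return alert strings for one process-creation event."""
    alerts = []
    image = ev["Image"]
    basename = ntpath.basename(image).lower()
    original = ev.get("OriginalFileName", "").lower()
    if original in EXFIL_TOOLS:
        if basename != original:
            alerts.append(f"masquerade: {original} running as {basename}")
        if SUSPICIOUS_DIRS.search(image):
            alerts.append(f"exfil tool in suspicious directory: {image}")
    if (basename in REMOTE_ACCESS_TOOLS or original in REMOTE_ACCESS_TOOLS) \
            and USER_PROFILE.match(image):
        alerts.append(f"remote access tool started from user profile: {image}")
    return alerts


def check_device(ev):
    """Return alert strings for one external-device event."""
    desc = ev.get("DeviceDescription", "").lower()
    if "mass storage" in desc or ev.get("ClassName") == "DiskDrive":
        return [f"USB mass storage attached: {ev.get('DeviceId')}"]
    return []


def run_rules(events):
    """Return (user, alert) pairs for every rule hit across the event list."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            hits = check_process(ev)
        elif ev["EventID"] == 6416:
            hits = check_device(ev)
        else:
            hits = []
        findings.extend((ev["User"], hit) for hit in hits)
    return findings


if __name__ == "__main__":
    for user, alert in run_rules(EVENTS):
        print(f"{user}: {alert}")
```

On the sample events every finding lands on `jdoe`: the renamed rclone produces two hits (name mismatch and a `\Temp\` path), the AnyDesk launch from `Downloads` one, and the mass storage attachment one, while the IT-installed WinSCP and the keyboard produce none. A Sysmon configuration needs `OriginalFileName` enabled in the process-creation schema, and 6416 only fires when the "Audit PNP Activity" subcategory is turned on; without those two settings the first and third rules have nothing to read.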
## Mitigation Strategies
- **Prevention measures:**
  - **Physical Security:** Implement strict visitor management and identity verification for all "IT Support" personnel.
  - **USB Blocking:** Disable USB mass storage via Group Policy (GPO) or Endpoint Detection and Response (EDR) device control.
- **Hardening recommendations:**
  - Implement Multi-Factor Authentication (MFA) across all services.
  - Block port 22 (SSH) at the network perimeter for standard workstations.
  - Restrict administrative privileges; prevent standard users from installing remote desktop software.
## Related Tools/Techniques
- **Rclone:** Command-line program used to manage files on cloud storage (frequently abused).
- **WinSCP:** SFTP/FTP client abused for data exfiltration.
- **Baiting:** A classic social engineering technique of which the USB "drop" or "plug-in" is a variant.
- **Luna Moth / Callback Phishing:** The broader trend of using telephone-directed attacks (TDPAs).