Fake Social Security Statement emails trick users into installing remote tool

by Pieter Arntz:

Fake emails pretending to come from the US Social Security Administration (SSA) try to get targets to install ScreenConnect, a remote access tool.

This campaign was flagged and investigated by the Malwarebytes Customer Support and Research teams.

ScreenConnect, formerly known as ConnectWise Control, is a remote support and remote access platform widely used by businesses to facilitate IT support and troubleshooting. It allows technicians to connect remotely to users’ computers to perform tasks such as software installation, system configuration, and issue resolution.

Because ScreenConnect provides full remote control capabilities, an unauthorized user with access can operate your computer as if they were physically present. This includes running scripts, executing commands, transferring files, and even installing malware—all potentially without you realizing.

This makes ScreenConnect a dangerous tool in the hands of cybercriminals. A phishing group dubbed Molatori—because of the domains they use to host the ScreenConnect client—has been found to lure their targets into installing the ScreenConnect clients by sending emails pretending to come from the Social Security Administration (SSA):

example SSA email

“Your Social Security Statement is now available
Thank you for choosing to receive your statements electronically.
Your document is now ready for download:

  • Please download the attachment and follow the provided instructions.
  • NOTE: Statements & Documents are only compatible with PC/Windows systems.”

There are some variations to this mail in circulation but the example above shows how legitimate these emails look.

The link in the email leads to the ScreenConnect support.Client.exe, but was found under several misleading names like ReceiptApirl2025Pdfc.exe, and SSAstatment11April.exe.

After cybercriminals install the client on the target’s computer, they remotely connect to it and immediately begin their malicious activities. They access and exfiltrate sensitive information such as banking details, personal identification numbers, and confidential files. This stolen data can then be used to commit identity theft, financial fraud, and other harmful acts. Experts have identified financial fraud as the primary objective of the Molatori group.

There are several circumstances that make this campaign hard to detect:

  • The cybercriminals send phishing emails from compromised WordPress sites, so the domains themselves appear legitimate and not malicious.
  • They often embed the email content as an image, which prevents email filters from effectively scanning and blocking the message.
  • ScreenConnect is a legitimate application which happens to be abused because of its capabilities.
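The detection difficulties above come down to a renamed, legitimate remote-access client arriving under a document-like name. The following triage heuristic is an added example (not Malwarebytes code) that flags downloads which are PE executables named like documents, or whose product string identifies a remote support client; the record format and sample records are constructed, with the filenames modelled on those quoted in the article.

```python
"""Triage downloaded files for the renamed-ScreenConnect lure described above.

Assumptions (not from the article): each record is a (filename, leading bytes,
product string) tuple as a collection tool would gather it; `product` stands in
for the PE version-info ProductName. Sample records below are constructed.
"""
import re
from typing import NamedTuple

MZ = b"MZ"  # every PE executable starts with the DOS 'MZ' header
DOC_WORDS = re.compile(r"(pdf|statement|statment|receipt|invoice|document)", re.I)
RAT_PRODUCTS = ("screenconnect", "connectwise control")


class Download(NamedTuple):
    filename: str
    head: bytes
    product: str


def triage(d: Download) -> list[str]:
    """Return the reasons a download deserves attention (empty list = none found)."""
    reasons = []
    is_pe = d.head.startswith(MZ)
    ext_exe = d.filename.lower().endswith(".exe")
    if is_pe and not ext_exe:
        reasons.append("PE content with a non-executable extension")
    if is_pe and DOC_WORDS.search(d.filename):
        reasons.append("executable named like a document")
    if any(p in d.product.lower() for p in RAT_PRODUCTS):
        reasons.append("remote access tool client (%s)" % d.product)
    return reasons


SAMPLES = [  # constructed records; filenames modelled on those quoted in the article
    Download("SSAstatment11April.exe", b"MZ\x90\x00", "ScreenConnect Client"),
    Download("ReceiptApirl2025Pdfc.exe", b"MZ\x90\x00", "ScreenConnect Client"),
    Download("Q1_report.pdf", b"%PDF-1.7", ""),
    Download("support.Client.exe", b"MZ\x90\x00", "ScreenConnect Client"),
]


def flagged(samples=SAMPLES) -> dict[str, list[str]]:
    """Map each suspicious filename to its triage reasons."""
    return {d.filename: triage(d) for d in samples if triage(d)}


if __name__ == "__main__":
    for name, why in flagged().items():
        print(name, "->", "; ".join(why))
```

An unrenamed ScreenConnect client is still reported, because in this campaign the legitimate tool itself is the payload; the document-style name is just an extra signal.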

What we can do

When receiving unsolicited emails there are a few necessary precautions you can take to avoid falling for phishing:

  • Verify the source of the email through independent sources.
  • Don’t click on links until you are sure they are non-malicious.
  • Don’t open downloaded files or attachments until you are sure they are safe.
  • Use an up-to-date and active anti-malware solution.
  • If you suspect an email isn’t legitimate, take a name or some text from the message and put it into a search engine to see if any known phishing attacks exist using the same methods.

Malwarebytes users are protected

Malwarebytes will detect suspicious instances of the ScreenConnect client as RiskWare.ConnectWise.CST.

Malwarebytes blocks RiskWare.ConnectWise.CST

And blocks connections to these associated domains:



North Korean Hackers Spread Malware via Fake Crypto Firms and Job Interview Lures

by Ravie Lakshmanan:

North Korea-linked threat actors behind the Contagious Interview have set up front companies as a way to distribute malware during the fake hiring process.

“In this new campaign, the threat actor group is using three front companies in the cryptocurrency consulting industry—BlockNovas LLC (blocknovas[.]com), Angeloper Agency (angeloper[.]com), and SoftGlide LLC (softglide[.]co)—to spread malware via ‘job interview lures,’” Silent Push said in a deep-dive analysis.

The activity, the cybersecurity company said, is being used to distribute three different known malware families, BeaverTail, InvisibleFerret, and OtterCookie.

Contagious Interview is one of several job-themed social engineering campaigns orchestrated by North Korea to entice targets into downloading cross-platform malware under the pretext of a coding assignment, or of fixing an issue with their browser when turning on the camera during a video assessment.

The activity is tracked by the broader cybersecurity community under the monikers CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, UNC5342, and Void Dokkaebi.

The use of front companies for malware propagation, complemented by setting up fraudulent accounts on Facebook, LinkedIn, Pinterest, X, Medium, GitHub, and GitLab, marks a new escalation for the threat actors, who have been observed using various job boards to lure victims.

“The BlockNovas front company has 14 people allegedly working for them, however many of the employee personas […] appear to be fake,” Silent Push said. “When viewing the ‘About Us’ page of blocknovas[.]com via the Wayback Machine, the group claimed to have been operating for ’12+ years’ – which is 11 years longer than the business has been registered.”

The attacks lead to the deployment of a JavaScript stealer and loader called BeaverTail, which is then used to drop a Python backdoor referred to as InvisibleFerret that can establish persistence on Windows, Linux, and macOS hosts. Select infection chains have also been found to serve another malware codenamed OtterCookie via the same JavaScript payload used to launch BeaverTail.

BlockNovas has been observed using video assessments to distribute FROSTYFERRET and GolangGhost using ClickFix-related lures, a tactic that was detailed earlier this month by Sekoia, which is tracking the activity under the name ClickFake Interview.

BeaverTail is configured to contact an external server (“lianxinxiao[.]com”) for command-and-control (C2) to serve InvisibleFerret as the follow-up payload. It comes with various features to harvest system information, launch a reverse shell, download additional modules to steal browser data, files, and initiate the installation of the AnyDesk remote access software.

Further analysis of the malicious infrastructure has revealed the presence of a “Status Dashboard” hosted on one of BlockNovas’ subdomains to maintain visibility into four of their domains: lianxinxiao[.]com, angeloperonline[.]online, and softglide[.]co.

A separate subdomain, mail.blocknovas[.]com, has also been found to be hosting an open-source, distributed password cracking management system called Hashtopolis. The fake recruitment drives have led to at least one developer allegedly getting their MetaMask wallet compromised in September 2024.

That’s not all. The threat actors also appear to be hosting a tool named Kryptoneer on the domain attisscmo[.]com that offers the ability to connect to cryptocurrency wallets such as Suiet Wallet, Ethos Wallet, and Sui Wallet.

“It’s possible that North Korean threat actors have made additional efforts to target the Sui blockchain, or this domain may be used within job application processes as an example of the ‘crypto project’ being worked on,” Silent Push said.

BlockNovas, according to an independent report published by Trend Micro, also advertised in December 2024 an open position for a senior software engineer on LinkedIn, specifically targeting Ukrainian IT professionals.

As of April 23, 2025, the BlockNovas domain has been seized by the U.S. Federal Bureau of Investigation (FBI) as part of a law enforcement action against North Korean cyber actors for using it to “deceive individuals with fake job postings and distribute malware.”

Besides using services like Astrill VPN and residential proxies to obfuscate their infrastructure and activities, a noteworthy aspect of the malicious activity is the use of artificial intelligence (AI)-powered tools like Remaker to create profile pictures.

The cybersecurity company, in its analysis of the Contagious Interview campaign, said it identified five Russian IP ranges that have been used to carry out the operation. These IP addresses are obscured by a VPN layer, a proxy layer, or an RDP layer.

“The Russian IP address ranges, which are concealed by a large anonymization network that uses commercial VPN services, proxy servers, and numerous VPS servers with RDP, are assigned to two companies in Khasan and Khabarovsk,” security researchers Feike Hacquebord and Stephen Hilt said.

“Khasan is a mile from the North Korea-Russia border, and Khabarovsk is known for its economic and cultural ties with North Korea.”

If Contagious Interview is one side of the coin, the other is the fraudulent IT worker threat known as Wagemole, which refers to a tactic that involves crafting fake personas using AI to get their IT workers hired remotely as employees at major companies.

These efforts have dual motivations, designed to steal sensitive data and pursue financial gain by funneling a chunk of the monthly salaries back to the Democratic People’s Republic of Korea (DPRK).

“Facilitators are now using GenAI-based tools to optimize every step in the process of applying and interviewing for roles and to aid DPRK nationals attempting to maintain this employment,” Okta said.

“These GenAI-enhanced services are required to manage the scheduling of job interviews with multiple DPRK candidate personas by a small cadre of facilitators. These services use GenAI in everything from tools that transcribe or summarize conversations, to real-time translation of voice and text.”

Telemetry data gathered by Trend Micro points to the Pyongyang-aligned threat actors working from China, Russia, and Pakistan, while using the Russian IP ranges to connect to dozens of VPS servers over RDP and then perform tasks like interacting on job recruitment sites and accessing cryptocurrency-related services.

“Given that a significant portion of the deeper layers of the North Korean actors’ anonymization network is in Russia, it is plausible, with low to medium confidence, that some form of intentional cooperation or infrastructure sharing exists between North Korea and Russian entities,” the company said.
