A recent phishing campaign is deceiving financial companies by using counterfeit Adobe Document Cloud pages to install ScreenConnect malware on targeted systems. This operation is intricately designed, merging seamlessly with usual enterprise software activities.
Deceptive Tactics in Phishing Emails
The attackers initiate their strategy by dispatching phishing emails masquerading as legitimate Adobe Document Cloud file-sharing alerts. Recipients are informed of a confidential project document available for viewing, with a link directing them to a bogus Adobe page.
This link, however, guides users to a compromised WordPress site hosting an authentic-looking Adobe page, tricking them into unknowingly downloading malware. The malicious campaign, identified by Fortra’s Intelligence and Research Experts (FIRE) team, is dubbed ‘RatPressto’.
The phishing kit employed is not only reusable and privately managed but also enhances victim trust while evading security detection. Based on infrastructure linked to São Paulo, the campaign is believed to originate from a Brazilian threat actor.
Exploiting Legitimate Software
What sets this campaign apart is its use of legitimate software for concealment. Instead of creating custom malware, the attackers exploit ScreenConnect, a common remote administration tool, to gain control over infected systems.
The integration of malicious activities with regular business software traffic complicates detection by standard security tools. This campaign exhibits operational maturity, deploying a consistent infrastructure across multiple operations.
Numerous compromised websites were discovered hosting nearly identical phishing pages, differing only in victim-specific file names, which suggests centralized management of a private phishing kit by a single group.
Role of Compromised WordPress Sites
A critical element of this operation is the misuse of inadequately secured WordPress sites to host the phishing kit. Investigators found multiple sites with exposed WordPress admin interfaces, likely accessed through stolen credentials or exploited plugins.
The phishing kit includes files like download.html, complete.php, and download.php, placed in WordPress-accessible directories. The pattern’s consistency indicates a deliberate tactic of compromising WordPress admin panels during deployment.
Organizations are urged to secure their WordPress environments by reviewing admin interfaces for exposure, implementing multi-factor authentication, and monitoring for unauthorized ScreenConnect installations. Network security should also focus on detecting outbound connections to TCP port 8041 and msiexec processes from temporary directories.
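The two network and host detections named above can be expressed as simple rules over endpoint telemetry. The following is an added example, not code from the article or from Fortra's FIRE team; the Sysmon-style event records are constructed sample data, and the temp-directory pattern and port constant are assumptions drawn from the text.

```python
import re

# Constructed sample telemetry (not from the article): process-creation and
# network-connection events in a simplified, Sysmon-like shape.
SAMPLE_EVENTS = [
    {"event": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\Users\alice\AppData\Local\Temp\Adobe_Document.msi /qn"},
    {"event": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\Program Files\Vendor\setup.msi /qn"},
    {"event": "network", "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "dst_ip": "203.0.113.10", "dst_port": 8041, "proto": "tcp"},
    {"event": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "198.51.100.5", "dst_port": 443, "proto": "tcp"},
]

# Assumed pattern for "temporary directories": a \Temp\ or \Tmp\ path element,
# or an unexpanded %TEMP%/%TMP% variable, anywhere in the command line.
TEMP_DIR_RE = re.compile(r"\\(?:Temp|Tmp)\\|%TEMP%|%TMP%", re.IGNORECASE)
SCREENCONNECT_PORT = 8041  # outbound TCP port called out in the article


def flag_event(ev):
    """Return the names of the detections that fire for one event."""
    hits = []
    if ev["event"] == "process":
        # msiexec itself lives in System32; the install package path is what
        # reveals a launch "from" a temp directory.
        if ev["image"].lower().endswith("msiexec.exe") and TEMP_DIR_RE.search(ev["cmdline"]):
            hits.append("msiexec_from_temp")
    elif ev["event"] == "network":
        if ev.get("proto") == "tcp" and ev.get("dst_port") == SCREENCONNECT_PORT:
            hits.append("outbound_tcp_8041")
    return hits


def run_detections(events):
    """Return [(event_index, [detections])] for every event that matched a rule."""
    findings = []
    for i, ev in enumerate(events):
        hits = flag_event(ev)
        if hits:
            findings.append((i, hits))
    return findings


if __name__ == "__main__":
    for idx, hits in run_detections(SAMPLE_EVENTS):
        print(idx, hits, SAMPLE_EVENTS[idx]["image"])
```

Port 8041 is also used by sanctioned ScreenConnect deployments, so in production the network rule should exclude connections to the organization's approved relay hosts rather than alert on every match.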
The indicators of compromise (IoCs) include domains such as cloud.zistopstoabetterlife.com, various compromised WordPress sites, and GitHub repositories used for staging malicious payloads.
