Chris Swagler | July 15th, 2022

In callback phishing emails, threat operators are pretending to be well-known cybersecurity companies like CrowdStrike to gain initial access to corporate networks. Most phishing campaigns involve links to landing pages where login credentials are stolen or emails with malicious attachments to install malware. Threat actors, in this case, have been using “callback” phishing campaigns more frequently over the past year, in which they pose as well-known companies asking people to call a number to resolve a problem, cancel a subscription, or discuss other issues. Threat actors utilize social engineering to convince users to install remote access software on their devices when targets call the number, gaining initial access to corporate networks. The entire Windows domain is then compromised using this access.

Threat actors are impersonating CrowdStrike in a new callback phishing campaign warning recipients that malicious network intruders have compromised their workstations and require an in-depth security audit. The callback phishing campaigns focus on social engineering, describing why they should be granted access to a recipient’s device. The fake email reads, “During the daily network audit we have identified abnormal activity related to the segment of the network which your workstation is part of. We have identified the specific domain admin which administered the network and suspect a potential compromise that can affect all workstations within this network including yours. Therefore, we are performing detailed audit of all workstations. We have already reached out directly to your information security department, however, to address potential compromise of location workstation, they referred us to the individual operators of these workstation, i.e. employees.”

The phishing email requests a phone call from the employees at the provided number to schedule the security audit of their workstations. The threat operators will instruct employees on how to install remote administration tools (RATs) allowing threat actors to gain complete control over the workstation. Having the ability to remotely install additional tools, threat actors can spread laterally through the network, steal companies’ data, and use ransomware to encrypt devices.

It is believed the campaign will culminate in a ransomware attack, as seen in previous callback phishing campaigns. Given the urgency of cyber breaches, CrowdStrike warns that this is the first known callback campaign impersonating cybersecurity companies. Analysts discovered a similar campaign where threat actors installed Cobalt Strike using AteraRMM and moved laterally across victims’ networks before deploying malware.

With the introduction of the BazarCall phishing campaigns used by the Conti ransomware group to gain initial access to companies’ networks in 2021, callback phishing campaigns became widespread. Callback phishing campaigns have utilized various baits, including online course renewals, and antivirus and support subscriptions. The campaign observed by CrowdStrike is believed to be run by the Quantum ransomware group, who started their own BazarCall-like campaign. Another cybersecurity company discovered that Quantum was preparing a new IOC, based on threat actors impersonating IT professionals from either Mandiant or CrowdStrike, to persuade victims to allow threat actors to review the victims’ machines.

In the current situation, with many employees working remotely from home and away from their IT teams, the potential for threat actors to succeed with phishing scams increases significantly. That’s why it’s important for companies to remain vigilant of the current threat landscape and educate employees to identify a potential phishing email scheme. At SpearTip, our technical architecture review services allow our engineers to engage with companies’ people, processes, and technology to measure the maturity of the technical environment. With firewall review, we analyze the configurations and interactions of companies’ network infrastructure with skilled penetration testers.

SpearTip discovers vulnerabilities in firewall systems and allows companies to dedicate their valuable resources to evaluate and prioritize fixes by providing visibility of network gaps, including false negatives. The ShadowSpear Platform, our advanced detection tool, is powered by artificial intelligence and attack tactics, techniques, and procedures models to detect malicious activities.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.