Ongoing uncertainty at the US Social Security Administration driven by DOGE activity has been making headlines for weeks. However these activities unfold, any period of uncertainty and fear presents an opportunity for malicious actors looking to take advantage in any way they can. That is exactly what we have seen: in recent weeks, malicious actors have increasingly attempted to spread malware using Social Security themed emails.
The first example used the Social Security Administration theme by posing as a report of an inaccuracy and urged the recipient to click the URL to validate the information. Considering recent events, this ruse may be seen as more plausible than it would be under ordinary circumstances. The body of the message contained an Ow[.]ly shortened link, which disguised the true destination of the URL while also giving the attacker click tracking and engagement analytics.

Following the link, we were redirected to online[.]creatorcounter[.]com, where a bogus Social Security Administration logo was displayed indicating that the statement was downloading. However, the file being downloaded was an executable named SSA[.]Client[.]exe.

Upon download completion, the site redirected us to the legitimate US Social Security government site to add credibility. When the downloaded file was executed, it installed the ConnectWise ScreenConnect remote support client, which the threat actor then connected to and attempted to use to install the VIP Keylogger, though follow-on payloads may vary.
Threat actors often use legitimate services to “live off the land” while hiding in plain sight, and their use of legitimate remote access services here is nothing new. However, we have seen a recent uptick in malware actors using the ConnectWise ScreenConnect remote access tool to gain an initial foothold on the victim’s machine and the connected network. Legitimate remote access tools used by administrators, such as ScreenConnect, AnyConnect, TeamViewer, AnyDesk, LogMeIn, and others, are one way threat actors attempt to fly under the radar of security services and monitoring.
Another attack that we quarantined, also spoofing the SSA, claimed that the recipient needed to retrieve their Social Security statement. Following the link automatically downloads an executable file onto the target machine. This infection also led to the VIP Keylogger and was likely sent by the same group of threat actors as the previous sample.
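As an added defender-side example, not code from the original post: a small Python triage routine that checks constructed telemetry against the three stages of the chain described above (an SSA-themed email carrying a shortened link, an SSA-branded executable served from a non-.gov host, and a ScreenConnect client launched from a user's Downloads folder). The shortener list beyond ow.ly, the sample hosts, and the process paths are assumptions.

```python
import re
from urllib.parse import urlparse

SHORTENERS = {"ow.ly", "bit.ly", "tinyurl.com"}   # ow.ly is from the write-up; others assumed
RMM_MARKERS = ("screenconnect", "connectwise")    # remote-support tool named in the write-up
SSA_THEME = re.compile(r"social security|\bssa\b", re.I)

def hostname(url):
    return (urlparse(url).hostname or "").lower()

def check_email(ev):
    """Stage 1: SSA-themed message whose link is shortened or points off ssa.gov."""
    if not SSA_THEME.search(ev["subject"] + " " + ev["body"]):
        return []
    out = []
    for link in ev["links"]:
        host = hostname(link)
        if host in SHORTENERS:
            out.append(("lure_email", f"shortened link via {host}"))
        elif host != "ssa.gov" and not host.endswith(".ssa.gov"):
            out.append(("lure_email", f"off-domain link to {host}"))
    return out

def check_download(ev):
    """Stage 2: executable carrying the SSA brand served from a non-.gov host."""
    name, host = ev["filename"].lower(), hostname(ev["url"])
    if name.endswith(".exe") and "ssa" in name and not host.endswith(".gov"):
        return [("branded_exe", f"{ev['filename']} from {host}")]
    return []

def check_process(ev):
    """Stage 3: remote-support client spawned by an executable in a user's Downloads."""
    if any(m in ev["image"].lower() for m in RMM_MARKERS) and "\\downloads\\" in ev["parent"].lower():
        return [("rmm_from_download", f"{ev['image']} spawned by {ev['parent']}")]
    return []

CHECKS = {"email": check_email, "download": check_download, "process": check_process}

def triage(events):
    """Collect findings; alert when at least two distinct stages of the chain fire."""
    findings = [f for ev in events for f in CHECKS[ev["type"]](ev)]
    stages = sorted({stage for stage, _ in findings})
    return {"alert": len(stages) >= 2, "stages": stages, "findings": findings}

# Constructed sample telemetry mirroring the chain (hosts and paths are placeholders).
SAMPLE_EVENTS = [
    {"type": "email", "subject": "Social Security Statement - inaccuracy reported",
     "body": "Click the link to validate your statement.", "links": ["https://ow.ly/example1"]},
    {"type": "download", "url": "https://download.example.test/statement", "filename": "SSA.Client.exe"},
    {"type": "process", "image": r"C:\ProgramData\ScreenConnectClient\client.exe",
     "parent": r"C:\Users\jdoe\Downloads\SSA.Client.exe"},
]
```

Running `triage(SAMPLE_EVENTS)` on the constructed events raises an alert because all three stages fire; a single shortened link in an unrelated email does not.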

Typically, the SSA will not send unsolicited emails that require any action by the recipient. We should always have a heightened level of vigilance surrounding emails claiming to be from the Social Security Administration, but this is a crucial time to keep that top of mind.