Hackers are impersonating well-known cybersecurity companies, such as CrowdStrike, in callback phishing emails to gain initial access to corporate networks.

Most phishing campaigns embed links to landing pages that steal login credentials or emails that include malicious attachments to install malware.

However, over the past year, threat actors have increasingly used "callback" phishing campaigns that impersonate well-known companies and ask the recipient to call a phone number to resolve a problem, cancel a subscription renewal, or discuss some other issue.

When the target calls the number, the threat actors use social engineering to convince the user to install remote access software on their device, which gives the attackers initial access to the corporate network. This access is then used to compromise the entire Windows domain.

Impersonating cybersecurity firms

In a new callback phishing campaign, the hackers are impersonating CrowdStrike to warn recipients that malicious network intruders have compromised their workstations and that an in-depth security audit is required.

Phishing email impersonating CrowdStrike

These callback phishing campaigns rely on social engineering, explaining in detail why the sender should be given access to the recipient's device, as shown in the email snippet below.

"During the daily network audit we have identified abnormal activity related to the segment of the network which your work station is part of. We have identified the specific domain admin which administered the network and suspect a potential compromise that can affect all workstations within this network including yours. Therefore, we are performing detailed audit of all workstations.

We have already reached out directly to your information security department, however, to address potential compromise of location workstation, they referred us to the individual operators of these workstation, i.e. employees."

Ultimately, the phishing email asks the employees to call them on an enclosed phone number to schedule the security audit of their workstations.

If called, the hackers will guide the employee through installing remote administration tools (RATs) that allow the threat actors to gain complete control over the workstation.

These threat actors can now remotely install additional tools that allow them to spread laterally through the network, steal corporate data, and potentially deploy ransomware to encrypt devices.
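The defining trait of the lure described above is that the call to action is a phone number rather than a link or attachment, combined with a security-vendor name and breach language. The following is an added example, not code from the article or from CrowdStrike, of a simple mail-triage heuristic built on those traits; the sample messages, the vendor list and the (555) phone number are constructed for illustration.

```python
import re

# Traits of a callback phishing lure, taken from the campaign described above:
# a named security vendor, breach/urgency wording, a request to call a number,
# and no link or attachment at all (the phone number is the payload).
VENDOR_RE = re.compile(r"\b(crowdstrike|mandiant)\b", re.I)   # vendors named in the article
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://|www\.", re.I)
CALL_RE = re.compile(r"\b(call|dial|phone|reach) (?:us|our|the)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(compromise|breach|abnormal activity|urgent|immediately|audit)\b", re.I
)


def score_callback_phish(subject, body, has_attachment=False):
    """Return (score, reasons) for one message; a higher score is more suspicious."""
    text = f"{subject}\n{body}"
    reasons = []
    if PHONE_RE.search(text):
        reasons.append("phone number present")
    if CALL_RE.search(text):
        reasons.append("asks recipient to call")
    if VENDOR_RE.search(text):
        reasons.append("names a security vendor")
    if URGENCY_RE.search(text):
        reasons.append("breach/urgency language")
    # Only meaningful when some other signal fired: a plain text mail with no
    # link or attachment is normal, but a 'call us about your breach' mail
    # with no link or attachment is the callback pattern.
    if reasons and not URL_RE.search(text) and not has_attachment:
        reasons.append("no link or attachment")
    return len(reasons), reasons


def is_callback_phish(subject, body, has_attachment=False, threshold=4):
    """True when enough independent callback-phishing traits are present."""
    score, _ = score_callback_phish(subject, body, has_attachment)
    return score >= threshold


# Constructed sample modelled on the lure quoted in the article.
PHISH_SUBJECT = "CrowdStrike: security audit required for your workstation"
PHISH_BODY = (
    "During the daily network audit we have identified abnormal activity related "
    "to the segment of the network which your work station is part of. We suspect "
    "a potential compromise that can affect all workstations within this network. "
    "Please call our audit desk at (555) 010-2000 to schedule the review."
)

if __name__ == "__main__":
    print(score_callback_phish(PHISH_SUBJECT, PHISH_BODY))
```

Thresholds and word lists here are deliberately simple; in a real mail gateway they would be tuned against the organisation's own traffic and combined with sender authentication results.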

In its report on the campaign, CrowdStrike says it believes the activity will likely lead to a ransomware attack, as was seen with previous callback phishing campaigns.

"This is the first identified callback campaign impersonating cybersecurity entities and has higher potential success given the urgent nature of cyber breaches," warns CrowdStrike.

CrowdStrike notes that in March 2022, its analysts identified a similar campaign in which threat actors used AteraRMM to install Cobalt Strike and then move laterally on the victim's network before they deployed malware.

Possibly linked to Quantum ransomware

Callback phishing campaigns became common in 2021 with the launch of the BazarCall phishing campaigns used by the Conti ransomware gang to gain initial access to corporate networks.

Since then, callback phishing campaigns have used various lures, including antivirus and support subscriptions and online course renewals.

AdvIntel's Vitali Kremez told BleepingComputer that the campaign seen by CrowdStrike is believed to be conducted by the Quantum ransomware gang, who have launched their own BazarCall-like campaign.

"AdvIntel discovered on June 21, 2022, that Quantum was preparing a new IOC based on a threat actor impersonating either a Mandiant or CrowdStrike IT professional in an effort to convince a victim to allow the threat actor to perform a “review” of the victim’s machine," reads a report from the company's Andariel Threat Prevention solution shared with BleepingComputer.

Quantum is one of the fastest-rising enterprise-targeting ransomware operations at this time, and was recently attributed with an attack on PFC that impacted over 650 healthcare organizations.

Security analysts have also confirmed that many former Conti members have jumped ship to Quantum after the former operation shut down due to increased scrutiny by researchers and law enforcement.

While such phishing emails would have struggled to find mass success in the past, the threat actors' prospects increase significantly in the current situation, with many employees working remotely from home and away from their IT team.
