However, because this attack has been going on for two weeks, some endpoint protection tools (well, about a third of them) are catching on that this particular file is bad, and should feel bad.

https://www.virustotal.com/gui/file/13d71b884a0625f3aa3805fb779d95513d0485671ab8c090a0c790ceda071e63

The most important lesson here is that attackers always come up with new ways to evade detection. Using a commercially available, normally legitimate remote access tool with a valid cryptographic signature lets the attacker bypass some kinds of endpoint detection.

Remember to check the From: address in emails, and the destination of any links they point to. You can do this by hovering your mouse over the link without clicking, and waiting a second. If it says it's from the SSA, but it isn't pointing to SSA.gov, then it's a lie.

If you find content like this useful, please follow me here, or on LinkedIn: https://www.linkedin.com/in/andrew-brandt-9603682/

9/fin

When clicked, the button delivers malware, but it's an unexpected payload: A client installer for the commercial remote-access tool ConnectWise.

Every time I clicked the download link, it gave me the same file with six different random digits appended to the filename. Note that it is not, as the website implies, a PDF document, but a Windows executable file, with a .exe extension.

8/

This is where I tell you: don't do this! I am a trained professional. I click all the bad links so you don't have to. I am going to show you what happens next.

A button appears on this page, labeled "Access Your Statement." The site serving up this payload delivers a file named "Social Security Statement Documents [six digit random number].exe"

7/

Finally the target lands on a page on the InMotion site that closely resembles the look-and-feel of the content in the email message.

The page tells the visitor, in part "Download your statement as a PDF file" and "For security reasons, we recommend accessing your statement through your secure device."

Spoiler alert: It was not a PDF file.

(Edit: A reader informs me that this appears to be the hosting space used by the temp agency website, and that for whatever reason, the URL appears differently here.)

6/

The target's browser then lands on another website, hosted by a large hosting service, InMotion Hosting. As with the temp agency website, the attackers have set up multiple URLs on this site, where the first URL performs a 302 redirect to go to the second URL, for no apparent reason other than to create the URL equivalent of a Rube Goldberg contraption.

5/

That link then immediately 302 redirects the target's browser to a link on a second website, one that belongs to a temp agency based in the US state of Maryland.

The attackers have created two URLs on this company's site for this purpose. The first one redirects to the second one.

Again, the site appears to have been compromised and used specifically for the purpose of obfuscating the redirection chain.

4/

The first 302 redirect points to a page on a website belonging to a small business that has, apparently, been compromised and abused for this purpose.

3/

In this attack, the spammers have been sending emails that look like this official-appearing notification from the Social Security Administration.

The message says "Your Social Security Statement is ready to review" and includes a button at the bottom labeled "Download Statement."

The button links to a shortened URL that uses the link-shortening service t.ly to lead the target to a chain of 302 redirects. Malware spammers often do this to fool web reputation services and obfuscate the final destination of the link.

2/