A sophisticated phishing campaign is actively targeting Windows users, luring them into installing a remote access tool through seemingly innocuous party invitations. The lure relies on social engineering: the victim is tricked into downloading and executing a malicious installer disguised as an RSVP, which ultimately grants the attackers unrestricted control over the system.
The campaign, identified by Malwarebytes researchers, begins with emails designed to appear as legitimate party invitations from known contacts. These emails, often originating from compromised accounts, employ an informal tone and genuine social context to lower recipients’ guard. The ultimate goal of this attack is to install ScreenConnect, a legitimate remote support tool, on victim computers, enabling threat actors to gain complete remote access.
Beware of Malicious Party Invitations and ScreenConnect Exploitation
Users receiving these deceptive emails are directed to a convincing fake event invitation webpage. This landing page features a prominent “You’re Invited!” headline and messages that suggest the invitation was sent by a friend and is best viewed on a Windows device. A countdown timer is used to create a sense of urgency, implying that the download has already begun. Social proof statements, such as “I opened mine and it was so easy!”, further encourage users to proceed.
Consequently, the victim’s browser automatically downloads a file named RSVPPartyInvitationCard.msi. This MSI file, however, is not an invitation but an installer designed to silently deploy ScreenConnect Client onto the user’s Windows computer. Researchers noted that this installation process occurs without prominent user notifications, making it difficult for victims to detect the intrusion.
The Mechanics of the ScreenConnect Attack
Upon successful installation, the ScreenConnect binaries are placed in the C:\Program Files (x86)\ScreenConnect Client directory. To maintain persistence, a Windows service is created with a randomized name, for example, “ScreenConnect Client 18d1648b87bb3023”. This service ensures that ScreenConnect can operate even after system reboots.
Once operational, ScreenConnect establishes encrypted HTTPS connections to its relay servers via a unique instance domain. This connection effectively mirrors the functionality of a legitimate remote IT support session, granting attackers the ability to view the victim’s screen in real-time, control their mouse and keyboard, upload or download files, and maintain access persistently.
Evading Traditional Security Measures
A significant challenge in detecting this threat is that ScreenConnect is a legitimate and widely used tool for remote support. Consequently, traditional security software may not flag its presence as malicious. The compromise often becomes apparent through behavioral anomalies, such as unexplained cursor movements, unexpected window openings, or the presence of unfamiliar background processes that the user did not initiate.
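As an added example, not code from Malwarebytes or from the article, the following Python detection scans constructed Windows Event ID 7045 (service installed) records for the randomized “ScreenConnect Client <hex>” service naming pattern described above, ignores instance IDs that belong to the organisation’s own sanctioned ScreenConnect deployment, and additionally notes when the service binary sits outside the default install directory. The flat key=value record format, the host names, the sanctioned instance ID and the executable name ScreenConnect.ClientService.exe are assumptions.

```python
import re

# Service naming pattern from the article: "ScreenConnect Client" + 16 hex chars
SERVICE_RE = re.compile(r"^ScreenConnect Client (?P<instance>[0-9a-f]{16})$")
# Default install directory from the article (compared case-insensitively)
EXPECTED_DIR = r"c:\program files (x86)\screenconnect client"
# Instance IDs of the organisation's own support deployment (constructed placeholder)
SANCTIONED_INSTANCES = {"0123456789abcdef"}

# Constructed Event ID 7045 records in a flat key=value form (not real log data)
SAMPLE_EVENTS = [
    "Host=WS-017;EventID=7045;ServiceName=ScreenConnect Client 18d1648b87bb3023;"
    r'ImagePath="C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"',
    "Host=WS-022;EventID=7045;ServiceName=ScreenConnect Client 0123456789abcdef;"
    r'ImagePath="C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"',
    "Host=WS-031;EventID=7045;ServiceName=ScreenConnect Client deadbeefcafef00d;"
    r'ImagePath="C:\Users\alice\AppData\Local\Temp\ScreenConnect.ClientService.exe"',
    "Host=WS-040;EventID=7045;ServiceName=Print Spooler Helper;"
    r'ImagePath="C:\Windows\System32\spoolhelper.exe"',
]

def parse_event(line):
    """Split one flat 'key=value;key=value' record into a dict, dropping quotes."""
    fields = {}
    for part in line.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip().strip('"')
    return fields

def find_rogue_screenconnect(lines, sanctioned=SANCTIONED_INSTANCES):
    """Return (host, service name, instance id, reason) for every ScreenConnect
    Client service installation whose instance id is not sanctioned."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7045":
            continue
        match = SERVICE_RE.match(ev.get("ServiceName", ""))
        if not match or match.group("instance") in sanctioned:
            continue  # not a ScreenConnect Client service, or the org's own deployment
        reason = "unsanctioned ScreenConnect Client instance"
        if not ev.get("ImagePath", "").lower().startswith(EXPECTED_DIR):
            reason += "; binary outside the default install directory"
        findings.append((ev.get("Host", "?"), ev["ServiceName"], match.group("instance"), reason))
    return findings

if __name__ == "__main__":
    for host, name, instance, reason in find_rogue_screenconnect(SAMPLE_EVENTS):
        print(f"{host}: {name!r} ({reason})")
```

Because the product itself is legitimate, the allowlist of sanctioned instance IDs is what turns this from noise into a signal; every other instance ID on a managed endpoint warrants a look at the service and its outbound HTTPS relay connection.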
Malwarebytes researchers have primarily observed this campaign targeting users in the United Kingdom. However, they caution that there are no technical limitations preventing its rapid expansion to other geographical regions. Users are advised to exercise extreme caution when clicking on links or downloading files from unexpected or unsolicited emails, especially those that attempt to create a sense of urgency or rely on social contexts for engagement. Understanding the tactics behind these malicious party invitations is crucial for safeguarding digital assets.
The findings suggest that threat actors are increasingly leveraging legitimate software for malicious purposes, making detection and prevention more complex. The ongoing nature of this campaign indicates a continued effort by attackers to exploit user trust and the common functionalities of remote access software. Further monitoring will be necessary to assess the scale and evolution of this particular threat, as well as the broader trend of abusing legitimate tools for cybercrime.