Carder.life

Carding News: 3AM ransomware uses spoofed IT calls, email bombing to breach networks (http://txgate.io:443/showthread.php?t=51296611)

WWW 05-26-2025 12:03 PM

<div id="post_message_792973">

A 3AM ransomware affiliate is conducting highly targeted attacks using email bombing and spoofed IT support calls to socially engineer employees into giving credentials for remote access to corporate systems.<br/>
<br/>
This tactic was previously linked to the Black Basta ransomware gang and later observed in <a href="https://www.bleepingcomputer.com/news/security/ransomware-gangs-pose-as-it-support-in-microsoft-teams-phishing-attacks/" target="_blank">FIN7 attacks</a>, but its effectiveness has driven wider adoption.<br/>
<br/>
Sophos reports seeing at least 55 attacks leveraging this technique between November 2024 and January 2025, linked to two distinct threat clusters.<br/>
<br/>
Those attacks followed the <a href="https://www.bleepingcomputer.com/news/security/black-basta-ransomware-poses-as-it-support-on-microsoft-teams-to-breach-networks/" target="_blank">BlackBasta playbook</a>, including email bombing, vishing via Microsoft Teams, and Quick Assist abuse. The<a href="https://www.bleepingcomputer.com/news/security/black-basta-ransomware-gang-s-internal-chat-logs-leak-online/" target="_blank"> leak of Black Basta's internal conversations</a> helped other threat actors get up to speed, as it included a template to use during Microsoft Teams phishing attacks impersonating IT help desks.<br/>
<br/>
The 3AM ransomware attack, <a href="https://news.sophos.com/en-us/2025/05/20/a-familiar-playbook-with-a-twist-3am-ransomware-actors-dropped-virtual-machine-with-vishing-and-quick-assist/" target="_blank">targeting a Sophos client</a>, occurred in the first quarter of 2025 and used a similar approach with one twist: the vishing was done over a real phone call rather than through Microsoft Teams.<br/>
<br/>
The threat actors spoofed the real phone number of the target's IT department to make the call appear legitimate. The call came in the middle of an email bombing wave in which the employee received 24 unsolicited emails in three minutes.<br/>
<br/>
The attacker convinced the employee to open Microsoft Quick Assist and grant remote access, ostensibly to deal with the malicious activity the email flood appeared to indicate.<br/>
<br/>
Next, the attacker downloaded and extracted a malicious archive from a spoofed domain, containing a VBS script, a QEMU emulator, and a Windows 7 image pre-loaded with the QDoor backdoor.<br/>
<br/>
QEMU was used to <a href="https://www.bleepingcomputer.com/news/security/hackers-abuse-qemu-to-covertly-tunnel-network-traffic-in-cyberattacks/" target="_blank">evade detection</a>: the backdoor ran inside the emulated Windows 7 guest and its traffic left the host through QEMU's virtual network, so host-based controls saw only the emulator process rather than the backdoor itself, which gave the attackers persistent, undetected access to the network.<br/>
<br/>
From this foothold, the attackers performed reconnaissance using WMIC and PowerShell, created a local admin account to connect via RDP, installed the commercial RMM tool XEOXRemote, and compromised a domain administrator account.<br/>
<br/>
Although Sophos says its products blocked lateral movement and defense deactivation attempts, the attacker still exfiltrated 868 GB of data to Backblaze cloud storage using the GoodSync tool.<br/>
<br/>
Sophos' tools also blocked subsequent attempts to run the 3AM ransomware encryptor, so the damage was contained to data theft and the encryption of the compromised host.<br/>
<br/>
<img alt="The dropped 3AM ransom note" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/May/note.jpg"/><br/>
The dropped 3AM ransom note<br/>
<br/>
The attack lasted nine days; data theft was complete by day three, and the threat actors were subsequently blocked from spreading further.<br/>
<br/>
<img alt="Attack timeline" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/May/timeline.jpg"/><br/>
Attack timeline<br/>
<br/>
Sophos suggested several key defensive steps to block these attacks, including auditing administrative accounts for weak security practices, using XDR tools to block unapproved but legitimate tools such as QEMU and GoodSync, and configuring PowerShell execution policies to allow only signed scripts. Note that Microsoft documents execution policy as a safety feature rather than a security control; it can be overridden at launch (for example with -ExecutionPolicy Bypass), so it complements application control rather than replacing it.<br/>
<br/>
It is also recommended that <a href="https://github.com/sophoslabs/IoCs" target="_blank">available indicators of compromise</a> be used to set up blocklists that prevent intrusion from known malicious sources.<br/>
<br/>
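The chain described above (a Quick Assist session, QEMU launched by a VBS script from a user-writable path, local admin account creation, and GoodSync pushing data to Backblaze) is well suited to a correlation rule over process-creation and network telemetry, which is also how the "block unapproved legitimate tools" advice can be made precise rather than banning QEMU outright. The following is an added example written for this page; it is not Sophos' detection logic or code from BleepingComputer. It assumes a simplified Sysmon-like event schema (id 1 = process create, id 3 = network connect), constructed sample events with made-up hosts, users and paths, and that Backblaze B2 uploads go to *.backblazeb2.com (an assumption, not an indicator from the article). It generalizes beyond the single incident: the tools are flagged only when they run from user-writable locations or are spawned by a script host, and a chain alert requires the Quick Assist entry point, so an engineer's packaged QEMU install is not alerted on.

```python
"""Hunt for the Quick Assist -> QEMU -> local admin -> GoodSync chain.

Added example for this page, not Sophos' detection logic or any vendor rule.
Events use a simplified Sysmon-like dict: id 1 = process create, id 3 = network
connect. Hosts, users, paths, the Quick Assist package path and the sample
events below are constructed; the *.backblazeb2.com domain is an assumption
about where Backblaze B2 uploads go, not an indicator taken from the article."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

QA = r"C:\Program Files\WindowsApps\MicrosoftCorporationII.QuickAssist_x64\QuickAssist.exe"  # constructed
SAMPLE_EVENTS = [  # constructed telemetry: WS-0417 shows the chain, DEV-12 is benign
    {"ts": "2025-03-03T10:02:11", "id": 1, "host": "WS-0417", "user": "corp\\jdoe",
     "image": QA, "parent": r"C:\Windows\explorer.exe", "cmd": "QuickAssist.exe"},
    {"ts": "2025-03-03T10:19:43", "id": 1, "host": "WS-0417", "user": "corp\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\update\qemu-system-i386.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": "qemu-system-i386.exe -m 512 -hda win7.qcow2 -nographic"},
    {"ts": "2025-03-03T11:05:02", "id": 1, "host": "WS-0417", "user": "corp\\jdoe",
     "image": r"C:\Windows\System32\net.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "net user svc_backup P@ssw0rd! /add"},
    {"ts": "2025-03-03T11:05:05", "id": 1, "host": "WS-0417", "user": "corp\\jdoe",
     "image": r"C:\Windows\System32\net.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "net localgroup administrators svc_backup /add"},
    {"ts": "2025-03-04T02:40:17", "id": 1, "host": "WS-0417", "user": "corp\\svc_backup",
     "image": r"C:\Users\svc_backup\AppData\Local\GoodSync\GoodSync.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "GoodSync.exe"},
    {"ts": "2025-03-04T02:40:25", "id": 3, "host": "WS-0417", "user": "corp\\svc_backup",
     "image": r"C:\Users\svc_backup\AppData\Local\GoodSync\GoodSync.exe",
     "dest": "f004.backblazeb2.com", "port": 443},
    {"ts": "2025-03-03T09:00:00", "id": 1, "host": "DEV-12", "user": "corp\\eng1",
     "image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "qemu-system-x86_64.exe -m 4096 -hda dev.qcow2"},
]

USER_WRITABLE = re.compile(r"^C:\\(Users|ProgramData|Windows\\Temp)\\", re.I)
QEMU = re.compile(r"\\qemu-system-[\w-]+\.exe$", re.I)
GOODSYNC = re.compile(r"\\goodsync[\w-]*\.exe$", re.I)
# "net user <name> ... /add" or "net localgroup administrators <name> /add" (net or net1)
LOCAL_ADMIN = re.compile(r"^net1?(\.exe)?\s+(user|localgroup\s+administrators)\b.*\s/add\b", re.I)

def run_rules(events):
    """Apply single-event rules; return (host, ts, rule, evidence) tuples."""
    out = []
    for e in events:
        img, cmd, parent = e.get("image", ""), e.get("cmd", ""), e.get("parent", "")
        if e["id"] == 1:
            if img.lower().endswith("\\quickassist.exe"):
                out.append((e["host"], e["ts"], "quick_assist_session", img))
            if QEMU.search(img) and USER_WRITABLE.match(img):
                out.append((e["host"], e["ts"], "qemu_from_user_writable_path", img))
            if QEMU.search(img) and parent.lower().endswith(("\\wscript.exe", "\\cscript.exe")):
                out.append((e["host"], e["ts"], "qemu_spawned_by_script_host", parent))
            if LOCAL_ADMIN.search(cmd):
                out.append((e["host"], e["ts"], "local_admin_creation", cmd))
            if GOODSYNC.search(img):
                out.append((e["host"], e["ts"], "goodsync_execution", img))
        elif e["id"] == 3 and e["dest"].lower().endswith(".backblazeb2.com"):
            out.append((e["host"], e["ts"], "backblaze_b2_connection", f"{img} -> {e['dest']}:{e['port']}"))
    return out

CHAIN = ["quick_assist_session", "qemu_from_user_writable_path",
         "local_admin_creation", "goodsync_execution", "backblaze_b2_connection"]

def correlate(findings, window=timedelta(hours=72)):
    """Per host, return the chain stages seen within `window` after the first
    Quick Assist launch. Hosts with no Quick Assist session are skipped, so the
    packaged QEMU run by an engineer on DEV-12 never becomes a chain alert."""
    by_host = defaultdict(list)
    for host, ts, rule, _ in findings:
        by_host[host].append((datetime.fromisoformat(ts), rule))
    result = {}
    for host, items in by_host.items():
        starts = [t for t, r in items if r == "quick_assist_session"]
        if not starts:
            continue
        t0 = min(starts)
        hit = {r for t, r in items if r in CHAIN and t0 <= t <= t0 + window}
        result[host] = [r for r in CHAIN if r in hit]
    return result

if __name__ == "__main__":
    for host, stages in correlate(run_rules(SAMPLE_EVENTS)).items():
        print(f"{host}: {len(stages)}/{len(CHAIN)} chain stages: {', '.join(stages)}")
```

Run stand-alone, the script reports WS-0417 with all five stages and stays silent on DEV-12. The 72-hour window matches the timeline above, where exfiltration finished by day three; tune it and the user-writable path list to your own environment, and treat the individual findings (for example a QEMU binary spawned by wscript.exe) as worth triaging even when the full chain is not present.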
Ultimately, email bombing and voice phishing target people rather than software, so they can only be effectively blocked by increasing employee awareness. Because Caller ID can be spoofed, as it was in this attack, employees should be trained to hang up and call the help desk back on a known number before granting any remote access.<br/>
<br/>
The 3AM ransomware operation<a href="https://www.bleepingcomputer.com/news/security/hackers-use-new-3am-ransomware-to-save-failed-lockbit-attack/" target="_blank"> launched in late 2023</a> and was later linked to the <a href="https://www.bleepingcomputer.com/news/security/researchers-link-3am-ransomware-to-conti-royal-cybercrime-gangs/" target="_blank">Conti and Royal</a> ransomware gangs.<br/>
<br/>
<a href="https://www.bleepingcomputer.com/news/security/3am-ransomware-uses-spoofed-it-calls-email-bombing-to-breach-networks/" target="_blank">@ BleepingComputer </a>
</div>



Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2025, vBulletin Solutions, Inc.