Author: Max Gannon, Intelligence Team

An email campaign spoofing Binance claims to deliver an opportunity to claim recently created TRUMP coins. If victims follow the instructions and download “Binance Desktop” in order to get TRUMP coins they instead install ConnectWise RAT. The threat actors behind this campaign are eagerly monitoring infections and can connect to infected computers in under 2 minutes.

Figure 1: Email spoofing Binance to deliver ConnectWise RAT.

This campaign took several steps to impersonate Binance, such as using “Binance” as the sender’s name and including a “risk warning” in the email, which is more likely to make people trust that it is legitimate. The threat actors also took great pains to make the website hosting the ConnectWise RAT download appear legitimate, as can be seen in Figure 2. Although they did not directly copy the Binance TRUMP coin page or the Binance client download page, the threat actors combined images from both into a convincing page which included further install steps farther down.

Figure 2: Web page hosting ConnectWise RAT installer download.

The download link which purports to lead to a Binance desktop client instead downloads the installer for ConnectWise RAT. This sample of ConnectWise RAT connects to a C2 which is actively monitored by a threat actor. Shortly after checking in, the threat actor takes remote control of any infected computers. This is in contrast to most ConnectWise RAT installations where the threat actor will only decide to interact with an infected host after some time has passed. After a threat actor has connected, they will target saved passwords for applications such as Microsoft Edge, making up for ConnectWise RAT’s relative lack of information theft capabilities.

Table 1: IOCs for this campaign

*** This is a Security Bloggers Network syndicated blog from Cofense Website authored by Cofense Website. Read the original post at: https://cofense.com/feed/blog/trump-cryptocurrency-delivers-connectwise-rat