Author: Max Gannon, Intelligence Team
An email campaign spoofing Binance claims to deliver an opportunity to claim recently created TRUMP coins. If victims follow the instructions and download “Binance Desktop” in order to get TRUMP coins they instead install ConnectWise RAT. The threat actors behind this campaign are eagerly monitoring infections and can connect to infected computers in under 2 minutes.
Figure 1: Email spoofing Binance to deliver ConnectWise RAT.
This campaign took several steps to impersonate Binance, such as using “Binance” as the sender’s name and including a “risk warning” in the email, which is more likely to make people trust that it is legitimate. The threat actors also took great pains to make the website hosting the ConnectWise RAT download appear legitimate, as can be seen in Figure 2. Although they did not directly copy the Binance TRUMP coin page or the Binance client download page, the threat actors combined images from both into a convincing page which included further install steps farther down.
.png "Trump-Cryptocurrency-Delivers-ConnectWise-RAT_Figure2-(1).png")
Figure 2: Web page hosting ConnectWise RAT installer download.
The download link which purports to lead to a Binance desktop client instead downloads the installer for ConnectWise RAT. This sample of ConnectWise RAT connects to a C2 which is actively monitored by a threat actor. Shortly after checking in, the threat actor takes remote control of any infected computers. This is in contrast to most ConnectWise RAT installations where the threat actor will only decide to interact with an infected host after some time has passed. After a threat actor has connected, they will target saved passwords for applications such as Microsoft Edge, making up for ConnectWise RAT’s relative lack of information theft capabilities.
Table 1: IOCs for this campaign
IOC | Purpose |
hxxps[://]ctrk[.]klclick2[.]com/l/01JNRGM3JYQC3X8C47X9EN8SER | URL embedded in email |
hxxps[://]binance-web3[.]com[.]ru/downIoad[.]html | Website hosting download link |
hxxps[://]binance-web3[.]com[.]ru/BinanceSetup[.]exe | URL used to download ConnectWise RAT |
shopifycourses[.]store:8041 | ConnectWise RAT C2 |
Following the identification of this phishing scheme by the Cofense Intelligence team, it was added as a PhishMe Security Awareness Training simulation. Organizations using PhishMe SAT can now equip their employees to spot threats like the Trump Bitcoin cryptocurrency scam, even if such attacks manage to bypass perimeter defenses.
To learn more about how Cofense utilizes phishing scams that have been identified by our Intelligence team to train your employees on real and relevant threats, schedule a demo with a member of our team.