Date: 04/11/2025
Severity: Critical
Summary
In late January 2025, a Managed Service Provider (MSP) administrator received a convincing phishing email disguised as an authentication alert for their ScreenConnect Remote Monitoring and Management (RMM) tool. The phishing attempt successfully compromised the administrator’s credentials, allowing Qilin ransomware operators to gain access and launch attacks against the MSP’s clients.
Indicators of Compromise (IOC) List
Domains / URLs:
  https://b8dymnk3.r.us-east-1.awstrack.me/L0/https:%2F%2Fcloud.screenconnect.com.ms%2FsuKcHZYV/1/010001948f5ca748-c4d2fc4f-aa9e-40d4-afe9-bbe0036bc608-000000/mWU0NBS5qVoIVdXUd4HdKWrsBSI=410
  https://cloud.screenconnect.com.ms/suKcHZYV/1/010001948f5ca748-c4d2fc4f-aa9e-40d4-afe9-bbe0036bc608-000000/mWU0NBS5qVoIVdXUd4HdKWrsBSI=410
  cloud.screenconnect.com.ms
IP Addresses:
  186.2.163.10
  92.119.159.30
  109.107.173.60
  128.127.180.156
  109.70.100.1
SHA-256 Hashes:
  fdf6b0560385a6445bd399eba03c8662be9e61928d6cbc268d550163a5a09285
  0b9b0715a1ffb427a02e61ae8fd11c00b5d086eb76102d4b12634e57285c1aba
  9da70c521b929725774c3980763a4aed9baf9de4e6f83fc8f668c3a365a55f82
  b52917b0658cd2a9197e6bb62bade243ee1ad164f2bb566f3a1e09dfa580397f
  ef3e42e5fa24acaee2428ff0118feb2be925bfe6b1ea4eccce8b70a7ac5ab2cc
  45c8716c69f56e26c98369e626e0b47d7ea5e15d3fb3d97f0d5b6e8997299d1a
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains / URLs:
  domainname like "https://b8dymnk3.r.us-east-1.awstrack.me/L0/https:%2F%2Fcloud.screenconnect.com.ms%2FsuKcHZYV/1/010001948f5ca748-c4d2fc4f-aa9e-40d4-afe9-bbe0036bc608-000000/mWU0NBS5qVoIVdXUd4HdKWrsBSI=410" or url like "https://b8dymnk3.r.us-east-1.awstrack.me/L0/https:%2F%2Fcloud.screenconnect.com.ms%2FsuKcHZYV/1/010001948f5ca748-c4d2fc4f-aa9e-40d4-afe9-bbe0036bc608-000000/mWU0NBS5qVoIVdXUd4HdKWrsBSI=410" or siteurl like "https://b8dymnk3.r.us-east-1.awstrack.me/L0/https:%2F%2Fcloud.screenconnect.com.ms%2FsuKcHZYV/1/010001948f5ca748-c4d2fc4f-aa9e-40d4-afe9-bbe0036bc608-000000/mWU0NBS5qVoIVdXUd4HdKWrsBSI=410" or domainname like "https://cloud.screenconnect.com.ms/suKcHZYV/1/010001948f5ca748-c4d2fc4f-aa9e-40d4-afe9-bbe0036bc608-000000/mWU0NBS5qVoIVdXUd4HdKWrsBSI=410" or url like "https://cloud.screenconnect.com.ms/suKcHZYV/1/010001948f5ca748-c4d2fc4f-aa9e-40d4-afe9-bbe0036bc608-000000/mWU0NBS5qVoIVdXUd4HdKWrsBSI=410" or siteurl like "https://cloud.screenconnect.com.ms/suKcHZYV/1/010001948f5ca748-c4d2fc4f-aa9e-40d4-afe9-bbe0036bc608-000000/mWU0NBS5qVoIVdXUd4HdKWrsBSI=410" or domainname like "cloud.screenconnect.com.ms" or url like "cloud.screenconnect.com.ms" or siteurl like "cloud.screenconnect.com.ms"
IP Addresses:
  dstipaddress IN ("92.119.159.30","109.70.100.1","128.127.180.156","109.107.173.60","186.2.163.10") or srcipaddress IN ("92.119.159.30","109.70.100.1","128.127.180.156","109.107.173.60","186.2.163.10")
SHA-256 Hashes (the query now includes the sixth hash from the IOC list above, which was missing from the original query):
  sha256hash IN ("fdf6b0560385a6445bd399eba03c8662be9e61928d6cbc268d550163a5a09285","0b9b0715a1ffb427a02e61ae8fd11c00b5d086eb76102d4b12634e57285c1aba","9da70c521b929725774c3980763a4aed9baf9de4e6f83fc8f668c3a365a55f82","b52917b0658cd2a9197e6bb62bade243ee1ad164f2bb566f3a1e09dfa580397f","ef3e42e5fa24acaee2428ff0118feb2be925bfe6b1ea4eccce8b70a7ac5ab2cc","45c8716c69f56e26c98369e626e0b47d7ea5e15d3fb3d97f0d5b6e8997299d1a")
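The queries above match literal indicator values. As an added example (not Gurucul's code and not from the referenced advisory), the following Python sweeps constructed sample log lines against the same indicators, and additionally decodes the awstrack.me click-tracking link so the lookalike domain embedded in its path is caught rather than only the tracker host; the log line formats and helper names are assumptions.

```python
import re
from urllib.parse import urlparse, unquote
# Indicator values copied from the advisory above.
IOC_DOMAINS = {"cloud.screenconnect.com.ms"}
IOC_IPS = {"186.2.163.10", "92.119.159.30", "109.107.173.60",
           "128.127.180.156", "109.70.100.1"}
IOC_SHA256 = {
    "fdf6b0560385a6445bd399eba03c8662be9e61928d6cbc268d550163a5a09285",
    "0b9b0715a1ffb427a02e61ae8fd11c00b5d086eb76102d4b12634e57285c1aba",
    "9da70c521b929725774c3980763a4aed9baf9de4e6f83fc8f668c3a365a55f82",
    "b52917b0658cd2a9197e6bb62bade243ee1ad164f2bb566f3a1e09dfa580397f",
    "ef3e42e5fa24acaee2428ff0118feb2be925bfe6b1ea4eccce8b70a7ac5ab2cc",
    "45c8716c69f56e26c98369e626e0b47d7ea5e15d3fb3d97f0d5b6e8997299d1a",
}

def final_host(url):
    """Host a URL actually lands on: awstrack.me 'L0' click-tracking links carry
    the destination URL-encoded in the path, which hides the lookalike domain."""
    parsed = urlparse(url.strip('"\''))
    host = parsed.hostname or ""
    if host.endswith(".awstrack.me"):
        m = re.match(r"/L0/(.*?)/\d+/", parsed.path)
        if m:
            host = urlparse(unquote(m.group(1))).hostname or host
    return host.lower()

def host_matches(host, iocs):
    # Exact or subdomain match only: screenconnect.com.ms shares a prefix with
    # the real screenconnect.com, so plain substring checks would misfire.
    return any(host == d or host.endswith("." + d) for d in iocs)

def scan_line(line):
    """Set of (kind, value) IOC hits found in one log line."""
    hits = set()
    for url in re.findall(r"https?://\S+", line):       # URLs, incl. redirectors
        if host_matches(final_host(url), IOC_DOMAINS):
            hits.add(("domain", final_host(url)))
    for name in re.findall(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", line, re.I):
        if host_matches(name.lower(), IOC_DOMAINS):     # bare names, e.g. DNS logs
            hits.add(("domain", name.lower()))
    for pattern, kind, iocs in ((r"\b(?:\d{1,3}\.){3}\d{1,3}\b", "ip", IOC_IPS),
                                (r"\b[0-9a-f]{64}\b", "sha256", IOC_SHA256)):
        hits |= {(kind, v) for v in re.findall(pattern, line.lower()) if v in iocs}
    return hits

SAMPLE_LOGS = [  # constructed sample telemetry, not real logs from the incident
    'proxy src=10.0.0.5 url="https://b8dymnk3.r.us-east-1.awstrack.me/L0/https:%2F%2Fcloud.screenconnect.com.ms%2FsuKcHZYV/1/010001948f5ca748-c4d2fc4f-aa9e-40d4-afe9-bbe0036bc608-000000/mWU0NBS5qVoIVdXUd4HdKWrsBSI=410"',
    "dns query=cloud.screenconnect.com.ms client=10.0.0.5",
    "fw src=10.0.0.7 dst=92.119.159.30 dport=443 action=allow",
    "edr file=C:\\Users\\a\\dl.exe sha256=FDF6B0560385A6445BD399EBA03C8662BE9E61928D6CBC268D550163A5A09285",
    'proxy src=10.0.0.9 url="https://cloud.screenconnect.com/Host"',  # real vendor host
]
```

Calling scan_line on each SAMPLE_LOGS entry returns a hit for the first four lines and an empty set for the last, legitimate vendor host.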
Reference:
https://news.sophos.com/en-us/2025/04/01/sophos-mdr-tracks-ongoing-campaign-by-qilin-affiliates-targeting-screenconnect/