Qilin Affiliates Spear-Phish MSP ScreenConnect Admin, Targeting Customers Downstream
Summary:
In late January 2025, a Managed Service Provider (MSP) administrator fell victim to a sophisticated phishing attack targeting their ScreenConnect Remote Monitoring and Management (RMM) tool. The attack, attributed with high confidence by Sophos to the ransomware affiliate tracked as STAC4365, began with a well-crafted phishing email purporting to be a ScreenConnect authentication alert. This led to the compromise of the administrator's credentials through a fake ScreenConnect domain acting as a proxy, similar to other cases tied to STAC4365, but in this specific case hosted at cloud.screenconnect[.]com[.]ms. Sophos believes the fake site, masquerading as the real ScreenConnect login page, proxied the inputs back to the legitimate ScreenConnect site to verify the credentials and steal the time-based one-time password (TOTP) that ScreenConnect sent to the administrator by email.
The attackers employed the evilginx framework to intercept credentials and bypass multi-factor authentication (MFA) by proxying inputs to the legitimate ScreenConnect site and capturing the time-based one-time password (TOTP). The newest version of Evilginx2 offers a "javascriptRedirect" capability that allows attackers to selectively direct website visitors. Threat actors like STAC4365 utilize this feature in conjunction with awstrack[.]me to ensure that only intended targets who click on a specific tracking link are sent to the page designed to steal their credentials. Unintended targets, such as cybersecurity researchers who might visit the phishing site directly, are instead sent to the real service, helping the attackers avoid being discovered and analyzed. After successfully intercepting MFA inputs, the attackers were authenticated for super administrator access to the ScreenConnect Cloud portal, enabling them to deploy Qilin ransomware across the MSP's customer base using an attacker-managed ScreenConnect instance and potentially perform other post-exploitation activities. Qilin, a Ransomware-as-a-Service program, utilizes a Tor-based data-leak site and, since May 2024, an open internet site named "WikiLeaksV2" to pressure victims during extortion.
Security Officer Comments:
Sophos was able to attribute this attack to STAC4365 based on numerous factors, including infrastructure, domain naming patterns, techniques, tools, and practices similar to those seen in STAC4365 activity from 2022. The attackers' meticulous preparation, leveraging a well-crafted email and a convincing fake login page, highlights the need for comprehensive security awareness training for administrators with privileged access, as this access makes them a potentially lucrative spearphishing target. The successful bypass of MFA through the use of the evilginx framework demonstrates the evolving phishing tactics of threat actors and the limitations of relying solely on traditional MFA methods while attacks using techniques like AiTM are increasingly deployed. The attribution to the established ransomware affiliate STAC4365, based on its history of similar TTPs, emphasizes the importance of interpreting threat intelligence to anticipate future threats. Additionally, the involvement of Qilin ransomware, an infamous Ransomware-as-a-Service program with a growing affiliate network that may include state-sponsored actors, illustrates the collaborative and increasingly dangerous ransomware landscape. The continued operation of Qilin's data-leak sites, both on Tor and the open internet, serves as a reminder of the potential consequences of a successful ransomware attack, including significant reputational damage and financial losses for both the MSP and its affected customers. This event should serve as a critical alert for all organizations, particularly MSPs, to review and strengthen their security posture against emerging phishing techniques and to continue analyzing the behavior of ransomware actors and how they achieve initial access.
Suggested Corrections:
IOCs are available on Sophos Labs’ GitHub page.
Sophos’ Recommendations for Defenders:
- MSPs rely extensively on external software and services to fulfill their operational tasks for customer organizations. Ransomware operators target these services for the same reason—they have become an increasingly common vector for downstream attacks on MSP customers. So it is important for MSPs and organizations of all sizes that utilize these services to understand the risk factors associated with them and take steps to mitigate them.
- Attackers with valid administrative credentials and access are difficult to stop, particularly when it comes to the exfiltration of data. But there are measures organizations can take to prevent the initial compromise of key credentials and to impede the execution of ransomware.
- Initial access in this case was gained through targeted phishing and interception of an MFA TOTP. The attackers used a lookalike domain and a well-crafted email to get the target to click on the link. Defenders should incorporate assessments into organizational phishing training to help users spot lookalike and other suspicious domains. Additionally, ensure your email solution either flags or blocks incoming messages that fail to pass a Domain-based Message Authentication, Reporting and Conformance (DMARC) check.
- The phishing attack in this case used an AITM phishing kit to relay credentials and a TOTP to obtain a valid session. When possible, organizations should limit access to corporate applications and third-party services to known managed devices through conditional access and migrate to phishing-resistant authentication services (such as those based on FIDO2).
- In this attack, the actor configured systems to reboot in safe mode to bypass endpoint security protections. Organizations should deploy protection against safe boot restarts without endpoint protection. Sophos customers can do this by enabling active attack enhancements in Sophos Central through Endpoint and Server Threat Protection policies.
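The lookalike proxy domain described in the summary and the DMARC and lookalike-domain recommendations above, as an added mail-triage example that is not part of the Sophos report: it parses a constructed alert e-mail, reads the DMARC verdict from the Authentication-Results header, and flags link hosts that carry the ScreenConnect brand label outside the legitimate screenconnect.com domain. The sample message, its header values and the mx.example.test receiving host are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Legitimate domain the phishing page impersonated; a lookalike is any host that
# carries the brand label but is not this domain or one of its subdomains.
LEGIT_DOMAIN = "screenconnect.com"
BRAND_LABEL = "screenconnect"

# Constructed sample (not from the Sophos report): a spoofed sender that fails
# DMARC and a link to a host modelled on the lookalike named in the summary.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=bounce.example.net;
 dkim=none; dmarc=fail (p=REJECT) header.from=screenconnect.com
From: ScreenConnect <alerts@screenconnect.com>
To: admin@msp.example
Subject: New device authentication required
Content-Type: text/plain

A new login to your ScreenConnect Cloud instance needs approval:
https://cloud.screenconnect.com.ms/Login?Reason=7
Ignore this message if you recognise the device.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def dmarc_result(msg):
    """DMARC verdict ('pass', 'fail', 'none', ...) from Authentication-Results, or None if absent."""
    for value in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bdmarc=(\w+)", value, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return None

def is_lookalike(host, legit=LEGIT_DOMAIN, label=BRAND_LABEL):
    """True when the brand label appears in a host that is not under the legitimate domain."""
    host = host.lower().rstrip(".")
    if host == legit or host.endswith("." + legit):
        return False
    # Catches screenconnect.com.ms as well as hyphenated variants such as screenconnect-login.
    return any(label in part for part in host.split("."))

def triage(raw_message):
    """Return the DMARC verdict, lookalike link hosts, and a block/hold decision for one message."""
    msg = message_from_string(raw_message)
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(msg.get_payload())}
    suspicious = sorted(h for h in hosts if is_lookalike(h))
    verdict = dmarc_result(msg)
    return {"dmarc": verdict, "lookalike_hosts": suspicious,
            "block": verdict == "fail" or bool(suspicious)}

if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```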
https://news.sophos.com/en-us/2025/04/01/sophos-mdr-tracks-ongoing-campaign-by-qilin-affiliates-targeting-screenconnect/