In one campaign, messages were sent claiming to be a business’s completed Schedule C tax form. The provided URL downloads an MSI file that, if executed, installs the PDQ Connect Remote Monitoring and Management software.
A second observed campaign appears as a new voicemail notification. Similar to the previous campaign, the provided URL downloads an MSI file that installs PDQ Connect Agent. During installation, threat actors establish persistence by configuring the software to autorun at Windows startup.
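The persistence step described above (the RMM agent configured to start with Windows) is something defenders can hunt for directly. The following PowerShell script is an added example, not part of the NJCCIC advisory; it checks the common Windows autorun locations (Run/RunOnce keys, Startup folders, services) for entries matching an assumed name pattern for PDQ Connect, which you should adjust to the artifacts seen in your own environment.

```powershell
# Added example (not from the advisory): hunt for PDQ Connect Agent autorun persistence.
# The name pattern is an ASSUMPTION; tune it to the installer/agent names you observe.
$Pattern = 'pdq'   # case-insensitive regex; matches "PDQ Connect", "pdq-connect-agent", etc.

$Findings = @()

# 1. Registry Run / RunOnce keys (machine-wide, 32-bit view, and current user)
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($Key in $RunKeys) {
    if (-not (Test-Path -Path $Key)) { continue }
    $Item = Get-Item -Path $Key
    foreach ($Name in $Item.GetValueNames()) {
        $Value = [string]$Item.GetValue($Name)
        if ("$Name $Value" -match $Pattern) {
            $Findings += [pscustomobject]@{ Source = $Key; Name = $Name; Value = $Value }
        }
    }
}

# 2. Startup folders (per-user and all-users)
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($Dir in $StartupDirs) {
    $Findings += @(Get-ChildItem -Path $Dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $Pattern } |
        ForEach-Object { [pscustomobject]@{ Source = $Dir; Name = $_.Name; Value = $_.FullName } })
}

# 3. Installed services, the other usual way an MSI-installed agent survives reboot
$Findings += @(Get-CimInstance -ClassName Win32_Service |
    Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $Pattern } |
    ForEach-Object { [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Value = $_.PathName } })

if ($Findings.Count -gt 0) {
    $Findings | Format-Table -AutoSize
} else {
    "No autorun entries matching '$Pattern' were found."
}
```

A match is a lead, not a verdict: PDQ Connect is legitimate software, so confirm against your asset inventory whether the installation was authorized before treating it as compromise.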
Recommendations
- Facilitate user awareness training to include these types of phishing-based techniques.
- Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders.
- Confirm requests from senders via contact information obtained from verified and official sources.
- Keep systems up to date and apply patches after appropriate testing.
- Review the Don't Take the Bait! Phishing and Other Social Engineering Attacks NJCCIC product for more information on common phishing and social engineering attacks.
- Report phishing and other malicious cyber activity to the NJCCIC and the FBI's IC3.
