
Over 2,000 Devices Compromised Through Targeted Social Security Scam Themes

Cybercriminals have targeted thousands of individuals across the U.S. by impersonating one of the most trusted government agencies: the Social Security Administration (SSA).

Security analysts at CyberArmor recently tracked a malware campaign that impersonated official SSA correspondence; by their count, more than 2,000 victims downloaded and executed the malicious software.

The campaign's combination of a polished lure, hosting under a reputable cloud provider's domain, and a legitimate remote access tool as the payload shows why well-crafted phishing remains effective.

Attack Strategy: Impersonation and Exploitation

The campaign began with a barrage of phishing emails designed to appear as authentic SSA communications. Recipients were prompted with urgent language to review their Social Security statements.

Embedded within these emails was a link to a phishing page hosted in an Amazon Web Services (AWS) S3 bucket. The amazonaws.com hostname lends the link a familiar, trusted look, but any AWS customer can create a bucket under that domain, so the hostname alone says nothing about who is behind the page.

The malicious URL, “hxxps://odertaoa[.]s3.us-east-1.amazonaws.com/ssa/US/index.html,” looked legitimate at a glance, which further increased the likelihood of successful compromise.
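The hostname in that link is what makes it convincing, so a first triage step is to decompose it. The following Python helper is an added example and is not part of CyberArmor's report: it refangs a defanged indicator, recognises the virtual-hosted S3 endpoint layout <bucket>.s3.<region>.amazonaws.com, and flags a URL when the bucket is not one the organisation trusts yet its name or path borrows an agency token such as "ssa". The trusted-bucket set and the keyword list are illustrative assumptions, not anything from the report.

```python
"""
Triage helper for lure URLs served from attacker-controlled S3 buckets.

Added example, not code from the original report. Only the standard library is used.
"""
import re
from urllib.parse import urlparse

# Buckets the organisation owns or has vetted (assumed, illustrative).
TRUSTED_BUCKETS = {"corp-static-assets"}

# Agency/brand tokens that have no business in an unknown bucket's name or path (assumed).
IMPERSONATION_KEYWORDS = ("ssa", "socialsecurity", "irs", "medicare")

# Virtual-hosted S3 endpoints: <bucket>.s3.<region>.amazonaws.com, the legacy
# <bucket>.s3-<region>.amazonaws.com, and region-less <bucket>.s3.amazonaws.com.
S3_HOST_RE = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3"
    r"(?:[.-](?P<region>[a-z]{2}-[a-z]+-\d))?\.amazonaws\.com$",
    re.IGNORECASE,
)


def refang(ioc: str) -> str:
    """Undo threat-intel defanging: hxxp(s), [.] / (.), and a space after the scheme."""
    s = ioc.strip().replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^hxxp(s?)://\s*", r"http\1://", s, flags=re.IGNORECASE)
    s = re.sub(r"^(https?://)\s+", r"\1", s)
    return s


def parse_s3_url(url: str):
    """Return (bucket, region, path) for a virtual-hosted S3 URL, else None."""
    parsed = urlparse(refang(url))
    m = S3_HOST_RE.match(parsed.hostname or "")
    if not m:
        return None
    region = (m.group("region") or "us-east-1").lower()   # region-less form defaults to us-east-1
    return m.group("bucket").lower(), region, parsed.path


def triage_url(url: str) -> dict:
    """Flag S3-hosted URLs from untrusted buckets that borrow agency keywords or drop executables."""
    info = parse_s3_url(url)
    result = {"url": refang(url), "s3": info is not None, "suspicious": False, "reasons": []}
    if info is None:
        return result
    bucket, region, path = info
    result.update({"bucket": bucket, "region": region})
    # Token match on bucket + path; the compact form catches "social-security" style spellings.
    tokens = set(re.split(r"[^a-z0-9]+", (bucket + "/" + path).lower()))
    compact = re.sub(r"[^a-z0-9]", "", path.lower())
    hits = [k for k in IMPERSONATION_KEYWORDS if k in tokens or (len(k) >= 8 and k in compact)]
    if bucket not in TRUSTED_BUCKETS and hits:
        result["suspicious"] = True
        result["reasons"].append(f"untrusted bucket '{bucket}' serving agency keywords {hits}")
    if path.lower().endswith((".exe", ".msi", ".zip", ".iso", ".js")):
        result["suspicious"] = True
        result["reasons"].append("direct download of an executable or archive")
    return result


if __name__ == "__main__":
    # Defanged indicator exactly as it appears in the report.
    print(triage_url("hxxps://odertaoa[.]s3.us-east-1.amazonaws.com/ssa/US/index.html"))
```

The check is deliberately conservative: an S3 URL is only flagged when the bucket is unknown and the content pretends to be an agency, so an organisation's own bucket hosting a benefits guide does not trip it.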

Upon clicking the “Access The Statement” button on the phishing page, users were redirected to a second page that provided instructions for downloading a file purportedly containing their statement.

The download, however, was a malicious executable named US_SocialStatmet_ID544124.exe with the following hashes:

  • MD5: bc219ea52e5d250b689bfb0203eb9e4e
  • SHA1: 97997862c73cfe301af43c355ffa4b2d8b1e7d7f
  • SHA256: 1c939551452b2137b2bd727f13fab80da192f174d0311d23fc3c1c531cefdc87

Malware Mechanics and Network Impact

Once executed, the malware functioned as a .NET loader: it carried an embedded secondary .NET application and launched it.

The loader retrieved and ran components from a “FILES” folder, which were the dependencies needed to install ScreenConnect (ConnectWise Control), a legitimate remote access tool frequently abused by attackers.
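A quick way to confirm the ".NET loader" characterization on a sample without running it is to check for the CLR runtime header (data directory entry 14 in the PE optional header): managed executables carry one, native ones do not. The script below is an added example, not tooling from the report. It parses only the PE header fields needed to reach that entry, compares the SHA-256 with the hash published above, and builds a minimal header-only PE image (constructed for the test, not a real sample) so the check can be exercised offline.

```python
"""
Static check: does a sample carry a CLR (.NET) runtime header, and is its hash already known?

Added example, not tooling from the report. Standard library only.
"""
import hashlib
import struct

CLR_RUNTIME_HEADER_INDEX = 14          # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

# SHA-256 published for the dropper in the report above.
KNOWN_BAD_SHA256 = {
    "1c939551452b2137b2bd727f13fab80da192f174d0311d23fc3c1c531cefdc87",
}


def clr_header(data: bytes):
    """Return (rva, size) of the CLR header, or None if absent or the PE is malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]       # SizeOfOptionalHeader
    opt = coff + 20
    if size_opt < 2 or opt + size_opt > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at +92, directory table at +96
        rvas_off, dir_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+: at +108 / +112
        rvas_off, dir_off = opt + 108, opt + 112
    else:
        return None
    if rvas_off + 4 > opt + size_opt:
        return None
    n_dirs = struct.unpack_from("<I", data, rvas_off)[0]
    entry = dir_off + CLR_RUNTIME_HEADER_INDEX * 8
    if n_dirs <= CLR_RUNTIME_HEADER_INDEX or entry + 8 > opt + size_opt:
        return None
    rva, size = struct.unpack_from("<II", data, entry)
    return (rva, size) if rva and size else None


def is_dotnet(data: bytes) -> bool:
    return clr_header(data) is not None


def triage_sample(data: bytes) -> dict:
    digest = hashlib.sha256(data).hexdigest()
    return {"sha256": digest, "dotnet": is_dotnet(data), "known_bad": digest in KNOWN_BAD_SHA256}


def build_minimal_pe(dotnet: bool, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE image for offline testing; it is not a runnable program."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    n_dirs = 16
    magic, dir_off = (0x20B, 112) if pe32plus else (0x10B, 96)
    size_opt = dir_off + n_dirs * 8
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dir_off - 4, n_dirs)            # NumberOfRvaAndSizes precedes the table
    if dotnet:
        struct.pack_into("<II", opt, dir_off + CLR_RUNTIME_HEADER_INDEX * 8, 0x2008, 0x48)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for label, blob in (("managed", build_minimal_pe(True)), ("native", build_minimal_pe(False))):
        print(label, triage_sample(blob))
```

On a real file, read it in binary mode and pass the bytes to triage_sample; a non-zero CLR entry is the same signal tools such as file(1) and pefile rely on to report a .NET assembly.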

Malware Overview

After the dependencies were loaded, the malware executed the “ENTRYPOINT” file, which served as the backdoor into the compromised system.

Central to the malware's operation was its configuration file, which contained the command-and-control (C2) endpoint “secure.ratoscbom[.]com:8041”, the relay host and port the ScreenConnect client connects back to.

This gave the operators covert, persistent remote access, which they could use to exfiltrate sensitive data or push further tooling to infected devices.

Scope and Recommendations

According to CyberArmor’s telemetry, over 2,000 individuals interacted with the phishing lure, with a significant portion successfully installing the malware.

The attack’s particular focus on trustworthy brand names and government agencies suggests a deliberate strategy to maximize infection rates.

Security experts strongly recommend:

  • Verification: Always access official SSA documents by going to ssa.gov directly rather than following an emailed link.
  • Endpoint Protection: Employ real-time monitoring to detect and block unauthorized remote access tools, including legitimate ones such as ScreenConnect that the organization has not sanctioned.
  • User Training: Regular awareness programs should educate users on how to identify phishing emails, particularly those that mimic government correspondence.
  • Network Monitoring: ScreenConnect traffic to unfamiliar relay hosts or IPs should be treated as suspicious and promptly investigated.
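The relay endpoint in the configuration file and the network-monitoring recommendation come down to one question: is a ScreenConnect client on this network talking to a relay we operate? The Python hunt below is an added example rather than code from the report. It reads the relay parameters out of the ScreenConnect client service's command line, which public DFIR writeups show carried as a query string ("?e=Access&y=Guest&h=<host>&p=<port>&k=..."; treat that exact layout as an assumption about the client build), and scans a constructed Zeek-style connection log for the client process talking to anything outside an allowlist. The allowlist, the corporate hostnames, the file paths and the log lines are all made up; only the C2 host and port come from the report.

```python
"""
Hunt for ScreenConnect clients connecting to relays the organisation does not operate.

Added example, not code from the report. Artefacts covered:
  1. the client service command line (registry ImagePath style), whose query string
     carries the relay host (h=) and port (p=) -- layout per public DFIR writeups,
     assumed here;
  2. a constructed Zeek-conn-like record set with the originating process name.
"""
import re
from urllib.parse import parse_qs

# Relays the organisation actually runs (assumed).
SANCTIONED_RELAYS = {("control.corp.example", 443)}

# Published indicator from the report (refanged for comparison).
KNOWN_C2 = {("secure.ratoscbom.com", 8041)}

# Constructed service command lines; the second mimics a loader running the client
# straight out of a dropped "FILES" folder instead of a proper install location.
SERVICE_IMAGE_PATHS = [
    r'"C:\Program Files (x86)\ScreenConnect Client (7ab1e0c2)\ScreenConnect.ClientService.exe" '
    r'"?e=Access&y=Guest&h=control.corp.example&p=443&s=9c1&k=BgIAAACkAABSU0ExAAgAAAEAAQ&r=&i=Corp%20Support"',
    r'"C:\Users\victim\AppData\Local\Temp\FILES\ScreenConnect.ClientService.exe" '
    r'"?e=Access&y=Guest&h=secure.ratoscbom.com&p=8041&s=0&k=BgIAAACkAABSU0ExAAgAAAEAAQ&r=&i=Untitled%20Session"',
]

# Constructed records: ts uid src_ip src_port dst_host dst_port proto process
CONN_LOG = """\
1711111111.1 C1 10.0.0.5 51234 control.corp.example 443 tcp ScreenConnect.ClientService.exe
1711111120.4 C2 10.0.0.9 51301 secure.ratoscbom.com 8041 tcp ScreenConnect.ClientService.exe
1711111130.7 C3 10.0.0.9 51350 updates.example.org 443 tcp svchost.exe
1711111140.2 C4 10.0.0.12 51400 203.0.113.50 8041 tcp ScreenConnect.ClientService.exe
"""


def relay_from_image_path(image_path: str):
    """Extract (host, port) from a ScreenConnect client command line, or None."""
    m = re.search(r'"\?([^"]*)"', image_path)
    if not m:
        return None
    q = parse_qs(m.group(1))
    host, port = q.get("h", [None])[0], q.get("p", [None])[0]
    if not host or not port or not port.isdigit():
        return None
    return host.lower(), int(port)


def classify(relay) -> str:
    """known_c2 beats sanctioned so a published indicator is never hidden by a stale allowlist."""
    if relay in KNOWN_C2:
        return "known_c2"
    if relay in SANCTIONED_RELAYS:
        return "sanctioned"
    return "unknown_relay"


def hunt_image_paths(paths):
    """Return [(host, port, verdict, running_outside_program_files)] per installed client."""
    out = []
    for p in paths:
        relay = relay_from_image_path(p)
        if relay:
            out.append((relay[0], relay[1], classify(relay), "program files" not in p.lower()))
    return out


def hunt_conn_log(log: str):
    """Return [(uid, dst_host, dst_port, verdict)] for client-process connections not on the allowlist."""
    out = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 8:
            continue
        uid, dst_host, dst_port, proc = parts[1], parts[4], int(parts[5]), parts[7]
        # Scope to the client binary; other processes on 8041 are a different question.
        if proc.lower() != "screenconnect.clientservice.exe":
            continue
        verdict = classify((dst_host.lower(), dst_port))
        if verdict != "sanctioned":
            out.append((uid, dst_host, dst_port, verdict))
    return out


if __name__ == "__main__":
    for finding in hunt_image_paths(SERVICE_IMAGE_PATHS) + hunt_conn_log(CONN_LOG):
        print(finding)
```

Two details matter in practice: the sanctioned set has to be maintained from the organisation's own ScreenConnect deployment, and an "unknown_relay" verdict on an IP-literal destination (the last log line) deserves the same priority as a named one, since an operator can point the client at a bare address just as easily.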

By remaining vigilant and implementing robust security measures, organizations, particularly those in the finance and healthcare sectors, can better protect themselves against these increasingly sophisticated cyber threats.

CyberArmor continues to monitor the campaign and urges all users to remain cautious when interacting with unexpected official-looking communications.

Indicators

  • File name: US_SocialStatmet_ID544124.exe
  • MD5: bc219ea52e5d250b689bfb0203eb9e4e
  • SHA1: 97997862c73cfe301af43c355ffa4b2d8b1e7d7f
  • SHA256: 1c939551452b2137b2bd727f13fab80da192f174d0311d23fc3c1c531cefdc87
  • C2 (ScreenConnect relay host:port): secure.ratoscbom[.]com:8041
  • URL: hxxps://odertaoa[.]s3.us-east-1.amazonaws.com/ssa/US/index.html
Priya
