Wipro phishing attack was conducted using ScreenConnect and Powerkatz tools, indicates new intel

  • ScreenConnect is a remote access tool (RAT) used for remote meetings.
  • Powerkatz is a PowerShell version of Mimikatz.

New intelligence about the actors behind the attack on Wipro, India’s largest IT outsourcing and consulting organization, has recently emerged. It indicates that the attack on Wipro was carried out using ScreenConnect and Powerkatz.

What does the new update say?

Researchers from threat-intelligence firm Flashpoint have disclosed that the group behind the Wipro attack has links to a phishing campaign dating back to 2017. The campaign focused on gathering credentials to gain access to corporate sites for administering gift cards and reward programs.

The experts further note that the group has been active since 2015 and usually re-uses infrastructure from its older attacks. It is believed that the ultimate goal of the group behind the Wipro attack was to conduct gift-card fraud.

What tools were used against Wipro?

According to Flashpoint researchers, the attackers used two pen-testing tools, ScreenConnect and Powerkatz, to launch the attack against Wipro. ScreenConnect is a remote access tool (RAT) used for remote meetings, while Powerkatz is a post-exploitation tool that searches memory for credentials, tokens, and other authentication-related artifacts.

Powerkatz is a PowerShell version of Mimikatz.

Flashpoint analyzed malicious domains, IP addresses, hashes and filenames related to the attack and found IoCs that link the group to at least 48 other targets between 2015 and 2019. The company’s research highlights that at least half a dozen domains connected to the Wipro attack were linked to past campaigns.

These malicious domains were used to steal victims’ Windows usernames and passwords.

“Of the malicious domains and IP addresses, hashes, and file names, Flashpoint analysts were able to determine that a half-dozen were phishing domains hosting templates consistent with credential phishing attempts. The templates sought victims’ Windows usernames and passwords in order to allegedly access encrypted email,” researchers noted.
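To illustrate the infrastructure-reuse pivot described above, here is an added Python example (not from Flashpoint or this article) that indexes indicators per campaign and clusters campaigns sharing any of them; every campaign name, domain, address and hash in it is a constructed placeholder, since the article lists no actual IoCs.

```python
from collections import defaultdict

# Constructed sample: indicators observed per campaign. All names and values are
# made-up placeholders, not the Flashpoint IoCs (which the article does not list).
CAMPAIGN_IOCS = {
    "campaign-2017-giftcard": {"login-portal.example", "203.0.113.10", "sha256:AAAA"},
    "campaign-2018-rewards":  {"login-portal.example", "198.51.100.7"},
    "campaign-2019-wipro":    {"198.51.100.7", "secure-mail.example", "sha256:BBBB"},
    "campaign-2016-other":    {"unrelated.example", "192.0.2.5"},
}

def shared_indicators(iocs):
    """Map each indicator reused across campaigns to the set of campaigns using it."""
    index = defaultdict(set)
    for campaign, indicators in iocs.items():
        for ioc in indicators:
            index[ioc].add(campaign)
    return {ioc: camps for ioc, camps in index.items() if len(camps) > 1}

def link_campaigns(iocs):
    """Cluster campaigns that share at least one indicator, transitively.

    Campaigns connected directly or through a chain of reused infrastructure
    land in the same cluster (union-find over the shared-indicator index).
    """
    parent = {c: c for c in iocs}

    def find(c):
        while parent[c] != c:
            parent[c] = parent[parent[c]]  # path halving
            c = parent[c]
        return c

    for camps in shared_indicators(iocs).values():
        first = next(iter(camps))
        for other in camps:
            parent[find(other)] = find(first)

    clusters = defaultdict(list)
    for c in iocs:
        clusters[find(c)].append(c)
    return sorted(sorted(v) for v in clusters.values())

if __name__ == "__main__":
    for ioc, camps in shared_indicators(CAMPAIGN_IOCS).items():
        print(f"{ioc} reused by {sorted(camps)}")
    print(link_campaigns(CAMPAIGN_IOCS))
```

On the constructed data the 2017, 2018 and 2019 campaigns form one cluster through two reused indicators, while the unrelated 2016 campaign stays separate.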

Imminent Monitor RAT also used

Flashpoint analysts also found evidence of attempts to spread Imminent Monitor, a remote administration tool. This malware links the Wipro attack to other campaigns by the group that used PowerShell scripts, a tactic the group commonly uses to compromise systems.