A sophisticated cyber threat has emerged, targeting unsuspecting users with fake Outlook troubleshooting calls that ultimately lead to the deployment of ransomware on the victim’s system.

Overview
Cybersecurity researchers at Deutsche Telekom CERT have identified a scam in which attackers impersonate Microsoft or other reputable tech companies, claim there is a problem with the user's Outlook account, and offer to troubleshoot it. Once the user grants remote access to their computer, the attackers download and install a malicious binary named CITFIX#37.exe that masquerades as a legitimate tool derived from the Sysinternals Desktops utility.
Malware Details
The CITFIX#37.exe malware has a SHA256 hash of 247e6a648bb22d35095ba02ef4af8cfe0a4cdfa25271117414ff2e3a21021886. The binary is code-signed, but not by Microsoft: its signatures come from code signers used for malware, such as Cascade Tech-Trek Inc., AM MISBAH Tech Inc., and KouisMoa MegaByte Information Technology Co., Ltd.
Once installed, the malware can lead to ransomware deployment, encrypting the user’s files and demanding payment in exchange for the decryption key.
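As an added example (not code from the article or from Deutsche Telekom CERT), the following PowerShell function checks a folder for the two indicators quoted above: the published SHA256 hash and the named code signers. It assumes Windows PowerShell 5.1 or later and that the signer names appear in the certificate Subject, since the article gives names rather than certificate thumbprints.

```powershell
# Added example: scan a folder for files matching the article's indicators,
# by SHA256 hash and by Authenticode signer name.
# Assumes Get-FileHash and Get-AuthenticodeSignature (Windows PowerShell 5.1+).

# Indicators taken from the article.
$KnownHash = '247e6a648bb22d35095ba02ef4af8cfe0a4cdfa25271117414ff2e3a21021886'
$SuspectSigners = @(
    'Cascade Tech-Trek Inc.',
    'AM MISBAH Tech Inc.',
    'KouisMoa MegaByte Information Technology Co., Ltd'
)

function Test-CitfixIndicators {
    param(
        [Parameter(Mandatory)] [string] $Path   # folder to examine
    )
    Get-ChildItem -Path $Path -File -Recurse -Include *.exe, *.dll |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            # Signer match is a substring test on the certificate Subject (an assumption:
            # the article lists signer names only, not full Subject strings or thumbprints).
            $signerHit = $SuspectSigners | Where-Object { $subject -like "*$_*" }

            [pscustomobject]@{
                File        = $_.FullName
                Sha256      = $hash
                HashMatch   = ($hash -eq $KnownHash)
                SigStatus   = $sig.Status        # Valid, NotSigned, UnknownError, ...
                Signer      = $subject
                SignerMatch = [bool]$signerHit
                Suspicious  = ($hash -eq $KnownHash) -or [bool]$signerHit
            }
        }
}

# Usage: report only matching files, e.g. from the current user's Downloads folder.
Test-CitfixIndicators -Path "$env:USERPROFILE\Downloads" |
    Where-Object Suspicious |
    Format-Table File, HashMatch, SigStatus, Signer -AutoSize
```

A hash match identifies this specific sample only; the signer match catches other binaries signed under the same names, so treat it as a lead for further review rather than a verdict.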
Protection Measures
To protect yourself from fake Outlook troubleshooting scams:
- Verify the caller's identity: Legitimate companies such as Microsoft do not make unsolicited calls to resolve issues.
- Be cautious about granting remote access: Only allow remote access to your computer if you are absolutely certain of the caller’s authenticity.
- Keep your antivirus software up to date: This ensures better protection against emerging threats.
- Regularly back up your data: This can help prevent loss in case of an attack.