Cybercriminals Employ Social Engineering Tactics to Secure Remote Access in 300 Seconds.
Threat actors compromised corporate systems within just five minutes by combining social engineering with rapid PowerShell execution. The incident, investigated by NCC Group’s Digital Forensics and Incident Response (DFIR) team, highlights how cybercriminals weaponise trusted business applications to circumvent traditional security measures. The attackers impersonated IT support personnel to obtain QuickAssist remote access, convincing two victims to grant them entry. Within 300 seconds of gaining access, they executed a series of PowerShell commands that downloaded offensive tools and established multiple persistence mechanisms. The attack began with clipboard manipulation and used steganography to embed malicious code within a JPEG file, ultimately deploying the NetSupport Manager Remote Access Trojan disguised as “NetHealth” software.
The attackers demonstrated advanced tradecraft through several persistence mechanisms, including scheduled tasks that executed every five minutes and registry persistence. They leveraged legitimate binaries for DLL side-loading, deploying a trojanised libcurl.dll component. A particularly concerning aspect of the attack was a credential-harvesting graphical user interface that mimicked legitimate system prompts. This PowerShell-based interface created a full-screen overlay that captured plaintext credentials while disabling critical Windows functions so the user could not escape it. Command-and-control communication was established with multiple domains, enabling remote management and further demonstrating the need for improved user training to counter such sophisticated threats.
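A host triage script for the three artefacts described above (five-minute scheduled tasks, a stray libcurl.dll, and registry persistence), added here as an example and not taken from the NCC Group report; the scan roots and the Run-key locations are assumptions about where such persistence typically lands, not values from the incident.

```powershell
# Added triage example (not from the NCC Group report). Collects candidate findings for
# review; nothing is removed or changed on the host.
$findings = @()

# 1. Scheduled tasks that repeat every five minutes (ISO 8601 "PT5M") and launch PowerShell
#    or something under a user-writable path.
foreach ($task in Get-ScheduledTask) {
    $fiveMin = $task.Triggers | Where-Object { $_.Repetition.Interval -eq 'PT5M' }
    if (-not $fiveMin) { continue }
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'powershell|pwsh|\\Users\\|\\ProgramData\\|\\Temp\\|\\AppData\\') {
            $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"; Detail = $cmd }
        }
    }
}

# 2. libcurl.dll copies outside vendor directories (candidate side-loading payloads),
#    recorded with SHA-256 and Authenticode status. Scan roots are an assumption.
$scanRoots = @("$env:ProgramData", "$env:SystemDrive\Users")
Get-ChildItem -Path $scanRoots -Recurse -Filter 'libcurl.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $hash = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
        $findings += [pscustomobject]@{ Type = 'SideLoadDll'; Name = $_.FullName; Detail = "sha256=$hash signature=$($sig.Status)" }
    }

# 3. Run-key values that reference the "NetHealth" name or launch PowerShell.
#    The Run keys are an assumed persistence location, not one named in the write-up.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata properties
        if ("$($p.Name) $($p.Value)" -match 'NetHealth|powershell|pwsh') {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Name = "$key\$($p.Name)"; Detail = $p.Value }
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it from an elevated session so HKLM and other users' profiles are readable; every hit is a lead for manual review, not a verdict.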