Remote Control Phishing by Telephone

An increasingly prevalent trend being used by fraud actors operating from Indian Call Centers is to send emails claiming that a charge is about to be debited from your account and that to stop the charge, a telephone number should be called.  We’ve seen these recently imitating Amazon, Paypal, and Geek Squad. 

Today at 2:09 PM I received an email from matthewpgreenoughe295@gmail.com with the subject line “Thank you for your Order” and the following graphic as an attached file named “ORDER BILL PROCESS #4354566UG.jpg.” 

What choice did I have?  I called the 888 number!

A very bored sounding Indian woman took my call and assured me she was Geek Squad Renewal Team and would be happy to process my refund.

She instructed me to “open my Google” and type in the address “qhelp.cc” 

I was assigned the code “20399” 

I must confess that since I was operating from a Virtual Machine, I was a bit surprised to see that the execution parameters for launching ScreenConnect included my name!

This puzzled me at first, especially since I was calling from a burner phone, but then I recalled that I was asked what my “Invoice Number” was.  When I said I didn’t have one, they asked instead for my “Customer Number” – could it be that the number on the spam email was actually sent to me by name and that they recorded this?  That would be surprising!  But next time I’ll give them a bogus number and see what happens instead! 

(Somewhere there was some third-party data entry going on.  Fairly sure that I know how to spell my own name.)

After confirming that ScreenConnect.ClientService.exe (published by ConnectWise, LLC) should be allowed to make changes to my hard drive, ScreenConnect began downloading 2.85MB of data from “medino.life” 

I believe this “Publisher cannot be verified” was related to the second file that was launched after the download from Medino.life.  

While that was happening, I browsed over to “C:\users\IEUser\AppData\Local\Apps\2.0” to see what was being downloaded there. 

The first directory showed me a “ScreenConnect.ClientService.exe” which was a binary match for what I initially downloaded, and which is a “verified” binary from ConnectWise.

After the Medino.life update, ProcessHacker showed me that I was also running a program called “ScreenConnect.WindowsClient.exe” as well as new service that was launched from “ScreenConnect.Windows.dll”. 

I’m not quite sure what happened after that, as apparently the remote control session started up and my screen was blanked by the following, which didn’t seem to want to let me have control again. 

Qhelp.cc has resolved to several IP addresses recently, including: 

107.175.212.11

An older record indicates that “phelp.online” was also located on that IP address back on 19AUG2022. 

That’s yet another group of domain names that probably need to be deleted by someone. 

Medino.life is hiding behind a Cloudflare proxy, using Nameservers Jerry.ns.cloudflare.com and Vida.ns.cloudflare.com. 

I did run a few of the .exe and .dll files through VirusTotal.  As anticipated, none of them gave indications of being malicious.  This is an example of a perfectly acceptable support tool being used in a completely unacceptable way. 

https://www.virustotal.com/gui/file/bad512370d834969316c6c7f8f2daac776155ce99a3652958e0ca7ccd70b556d

https://www.virustotal.com/gui/file/dba25d80c0d0a28a98b811502c3b24eab1b2095fe6ae52c1bd15481f9d5aeaa0

https://www.virustotal.com/gui/file/19fe3f4314d47013e469ef151b7e383d8d6c596fdfea9bf1565faca1fa13a3df