A new and sophisticated cyber threat has been targeting unsuspecting users through fake Outlook troubleshooting calls. The callers pose as legitimate support staff, and the interaction ultimately leads to ransomware being deployed on the victim’s system.
Understanding the Threat
The scam involves a malicious binary named CITFIX#37.exe, designed to mimic a legitimate tool from the Sysinternals Desktops utility. Cybersecurity experts at Deutsche Telekom CERT have identified this as a serious threat.
In these calls, attackers pose as representatives from Microsoft or other reputable tech companies. They claim there is an issue with the user’s Outlook account and offer “free” assistance to resolve it.
Once victims agree to remote access, attackers download and install CITFIX#37.exe, which uses fake digital certificates to appear legitimate. This deceives users into trusting the software, allowing the attackers to take full control.
How the Malware Works
According to experts, CITFIX#37.exe has a SHA256 hash of 247e6a648bb22d35095ba02ef4af8cfe0a4cdfa25271117414ff2e3a21021886. The binary carries a code signature, so it appears authorized at first glance, but the signature is not from Microsoft. Instead, it is signed by malicious code signers such as Cascade Tech-Trek Inc., AM MISBAH Tech Inc., and KouisMoa MegaByte Information Technology Co., Ltd.

The attackers use these fake certificates to gain the users’ trust, installing the malware without suspicion. Once installed, the malware can deploy ransomware, encrypting files and demanding payment for their release.

Users are often unaware they are dealing with a scam until their files are locked, and an urgent ransom demand is received.
Protecting Yourself from Scams
Preventing such attacks requires vigilance and good cybersecurity practices. Here are steps you can take:
- Verify Caller Identity: Legitimate companies will not typically call out of the blue to resolve issues. Always ask for a case number or call ID and verify with the company directly.
- Be Cautious with Remote Access: Do not grant remote access to any caller unless you are absolutely certain of their authenticity and legitimacy.
- Keep Security Software Updated: Ensure your antivirus and antimalware tools are up to date to detect and block potential threats.
- Regularly Back Up Data: Regular backups mean that even if your files are encrypted, you can restore them without paying the ransom.
- Follow Best Practices: Educate yourself about common scams and follow cybersecurity best practices to minimize risks.
By being informed and cautious, individuals can significantly reduce their risk of falling victim to these sophisticated scams.
Indicators of Compromise (IoCs)
For those technically equipped, here are specific details to help identify and block this threat:
- File Name: CITFIX#37.exe
- SHA256 Hash: 247e6a648bb22d35095ba02ef4af8cfe0a4cdfa25271117414ff2e3a21021886
- Malicious Signers:
  - Cascade Tech-Trek Inc.
  - AM MISBAH Tech Inc.
  - KouisMoa MegaByte Information Technology Co., Ltd.
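One way to hunt for these indicators on a Windows host, as an added example that is not part of the original article: the script below walks a directory tree and flags any executable whose file name, SHA256 hash, or Authenticode signer subject matches the IoCs listed above. The scan root and the file extensions scanned are assumptions; adjust them to where remote-support tools drop files in your environment.

```powershell
# Added example, not from the article: hunt a directory tree for the CITFIX#37.exe IoCs.
# Matches on file name, SHA256 hash, or the Subject of the Authenticode signer certificate.
$IocHash    = '247e6a648bb22d35095ba02ef4af8cfe0a4cdfa25271117414ff2e3a21021886'
$IocName    = 'CITFIX#37.exe'
$IocSigners = @('Cascade Tech-Trek Inc.', 'AM MISBAH Tech Inc.',
                'KouisMoa MegaByte Information Technology Co., Ltd.')
$ScanRoot   = 'C:\Users'   # assumed starting point; change to the paths you need to cover

function Find-CitfixIoc {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Include *.exe,*.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Get-FileHash returns uppercase hex; the published IoC is lowercase, so normalise.
        $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash.ToLowerInvariant()
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $reasons = @()
        if ($file.Name -ieq $IocName) { $reasons += 'filename' }
        if ($hash -eq $IocHash)       { $reasons += 'sha256' }
        # The article lists signer names only, so match them as substrings of the Subject DN.
        foreach ($s in $IocSigners) {
            if ($subject -like "*$s*") { $reasons += "signer:$s" }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Path    = $file.FullName
                SHA256  = $hash
                Signer  = $subject
                Status  = $sig.Status   # Valid/NotSigned/...; a 'Valid' chain does not make the signer trustworthy
                Matched = ($reasons -join ',')
            }
        }
    }
}

Find-CitfixIoc -Root $ScanRoot | Format-Table -AutoSize
```

A hit on the signer name alone deserves follow-up even when the hash differs, since the same signers can be reused for rebuilt binaries.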
Stay informed and proactive in your cybersecurity efforts to protect your digital assets from these threats and other malware.
