PDQ Connect Abused to Gain Remote Access

Scams

August 13, 2025

The NJCCIC observed multiple campaigns in which threat actors attempted to trick users into downloading the PDQ Connect Agent. PDQ Connect is a platform that allows agent-based device management for both remote and local devices. Once installed, threat actors can utilize the platform as a remote access trojan (RAT), granting them full administrative control over the device. RATs can potentially lead to credential theft, data exfiltration, and ransomware.

In one campaign, messages were sent claiming to be a business’s completed Schedule C tax form. The provided URL downloads an MSI file that, if executed, installs the PDQ Connect Remote Monitoring and Management software.

A second observed campaign appears as a new voicemail notification. Similar to the previous campaign, the provided URL downloads an MSI file that installs PDQ Connect Agent. During installation, threat actors establish persistence by configuring the software to autorun at Windows startup.
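Both campaigns end with a user running a downloaded MSI that installs the agent, so Windows Installer (MsiInstaller) events in the Application log are one place to hunt for it. The following triage sketch is an added example, not NJCCIC or PDQ code. The host names, file names, allowlist, and exact product-name string are constructed assumptions, and pairing event 1033 with the most recent event 1040 on the same host is a heuristic.

```python
import re

# Constructed sample: MsiInstaller events exported from the Application log of several hosts.
# 1040 = installer transaction started (carries the MSI path), 1033 = product install result.
EVENTS = [
    {"host": "WS-014", "time": "2025-08-12T14:02:11", "id": 1040,
     "message": r"Beginning a Windows Installer transaction: C:\Users\jdoe\Downloads\document.msi. Client Process Id: 4312."},
    {"host": "WS-014", "time": "2025-08-12T14:02:39", "id": 1033,
     "message": "Windows Installer installed the product. Product Name: PDQ Connect Agent. Product Version: 0.0.0. Product Language: 1033. Manufacturer: PDQ.com. Installation success or error status: 0."},
    {"host": "IT-MGMT-01", "time": "2025-08-12T15:10:02", "id": 1040,
     "message": r"Beginning a Windows Installer transaction: \\deploy01\software\agent.msi. Client Process Id: 880."},
    {"host": "IT-MGMT-01", "time": "2025-08-12T15:10:30", "id": 1033,
     "message": "Windows Installer installed the product. Product Name: PDQ Connect Agent. Product Version: 0.0.0. Product Language: 1033. Manufacturer: PDQ.com. Installation success or error status: 0."},
    {"host": "WS-030", "time": "2025-08-12T16:00:00", "id": 1033,
     "message": "Windows Installer installed the product. Product Name: PDQ Connect Agent. Product Version: 0.0.0. Product Language: 1033. Manufacturer: PDQ.com. Installation success or error status: 1603."},
    {"host": "WS-022", "time": "2025-08-12T16:30:00", "id": 1033,
     "message": "Windows Installer installed the product. Product Name: Example PDF Viewer. Product Version: 1.0.0. Product Language: 1033. Manufacturer: Example. Installation success or error status: 0."},
]

# Spacing in the name is optional because the exact MSI ProductName is an assumption.
PRODUCT = re.compile(r"Product Name:\s*(PDQ\s*Connect[^.]*)\.", re.I)
MSI_PATH = re.compile(r"Windows Installer transaction:\s*(.+?\.msi)", re.I)
USER_DIR = re.compile(r"\\(Downloads|Temp|INetCache)\\", re.I)

def unsanctioned_pdq_installs(events, sanctioned_hosts):
    """Successful PDQ Connect installs on hosts that are not on the allowlist."""
    allowed = {h.lower() for h in sanctioned_hosts}
    last_msi, findings = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        host, msg = ev["host"].lower(), ev["message"]
        if ev["id"] == 1040:
            m = MSI_PATH.search(msg)
            if m:
                last_msi[host] = m.group(1)  # remember the package being installed
        elif ev["id"] == 1033:
            m = PRODUCT.search(msg)
            ok = re.search(r"status:\s*0\b", msg)  # 0 = install succeeded
            if m and ok and host not in allowed:
                msi = last_msi.get(host)
                findings.append({"host": host, "time": ev["time"],
                                 "product": m.group(1).strip(), "msi": msi,
                                 "user_download": bool(msi and USER_DIR.search(msi))})
    return findings

if __name__ == "__main__":
    for f in unsanctioned_pdq_installs(EVENTS, {"IT-MGMT-01"}):
        print(f)
```

A finding with `user_download` set means the package ran from a user's download or temp folder rather than a deployment share, which matches the link-delivered MSI described above.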

Recommendations

  • Facilitate user awareness training to include these types of phishing-based techniques.
  • Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders.
  • Confirm requests from senders via contact information obtained from verified and official sources.
  • Keep systems up to date and apply patches after appropriate testing.
  • Review the NJCCIC product “Don’t Take the Bait! Phishing and Other Social Engineering Attacks” for more information on common phishing and social engineering attacks.
  • Report phishing and other malicious cyber activity to the NJCCIC and the FBI’s IC3.