Phishing campaign lures LastPass and Bitwarden users to install remote-access tools

Security researchers reported a phishing campaign impersonating LastPass and Bitwarden that sends fake breach alerts and urges recipients to download an allegedly more secure desktop client. The binary promoted by the emails installs the Syncro remote monitoring and management (RMM) agent, which is then used to deploy the ScreenConnect remote access tool.

LastPass has denied any breach and said the messages are a social engineering effort by a malicious actor, adding that the campaign began over the Columbus Day holiday weekend in an apparent attempt to delay detection.

Analysis of the distributed binaries shows they install the Syncro MSP platform agent, configured to hide its system tray icon and to deploy the ScreenConnect support tool as a “bring-your-own” installer. According to the extracted configuration, the agent reportedly checks in with the server every 90 seconds, does not enable Syncro’s built-in remote access or deploy Splashtop or TeamViewer, and disables the Emsisoft, Webroot and Bitdefender agents.
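For defenders, the pattern described above (a newly installed Syncro agent, ScreenConnect following it, and a security agent going quiet) can be checked against software-inventory snapshots. The following is an added example, not code from the article or the researchers. The display names, host names and the `assess_host` helper are constructed for illustration, and it assumes that an agent absent from the later snapshot is an acceptable proxy for "disabled".

```python
# Added example: compares two software-inventory snapshots per host and flags
# the combination described in the report. Keyword matching on display names
# is an assumption; adapt it to how your inventory tool names products.
RMM_TOOLS = ("syncro", "screenconnect")                   # tools named in the report
SECURITY_AGENTS = ("emsisoft", "webroot", "bitdefender")  # agents the config disables


def _matches(names, keywords):
    """Return the keywords that occur in any installed-software display name."""
    lowered = [n.lower() for n in names]
    return {k for k in keywords if any(k in n for n in lowered)}


def assess_host(before, after, approved_rmm=()):
    """Return (severity, reasons) for one host.

    before/after: iterables of installed-software display names.
    approved_rmm: RMM keywords the organisation has sanctioned for this host.
    """
    new_rmm = _matches(after, RMM_TOOLS) - _matches(before, RMM_TOOLS) - set(approved_rmm)
    lost_agents = _matches(before, SECURITY_AGENTS) - _matches(after, SECURITY_AGENTS)
    reasons = []
    if new_rmm:
        reasons.append("unapproved RMM installed: " + ", ".join(sorted(new_rmm)))
    if new_rmm and lost_agents:
        reasons.append("security agent missing: " + ", ".join(sorted(lost_agents)))
    if not new_rmm:
        severity = "none"    # a removed agent alone may be a legitimate uninstall
    elif set(RMM_TOOLS) <= new_rmm or lost_agents:
        severity = "high"    # both tools together, or RMM plus a lost agent
    else:
        severity = "medium"  # a single unapproved RMM tool
    return severity, reasons


# Constructed inventory snapshots (before, after); not real telemetry.
FLEET = {
    "ws-01": (["Bitdefender Endpoint Security", "LastPass"],
              ["LastPass", "Syncro", "ScreenConnect Client"]),
    "ws-02": (["Webroot SecureAnywhere"],
              ["Webroot SecureAnywhere", "ScreenConnect Client"]),
    "ws-03": (["Emsisoft Anti-Malware"], ["Emsisoft Anti-Malware", "Bitwarden"]),
}

if __name__ == "__main__":
    for host, (before, after) in FLEET.items():
        print(host, *assess_host(before, after))
```

Pass `approved_rmm` for hosts managed by a sanctioned MSP so that legitimate Syncro or ScreenConnect deployments do not raise alerts.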

Once ScreenConnect is installed, attackers can remotely connect to a device to deploy further malware, steal data or access saved credentials and password vaults, the article said. A separate recent campaign targeted 1Password users; researchers at Malwarebytes described a similar fake breach alert in which victims were redirected to a phishing page, a campaign first reported by Brett Christensen and others.

Security guidance in the article advises users to ignore unsolicited breach alerts, check official vendor websites and company blogs for verified notices, and never disclose master passwords.