
Ransomware gangs pose as IT support in Microsoft Teams phishing attacks


Ransomware gangs are increasingly combining email bombing with Microsoft Teams calls in which they pose as tech support, tricking employees into allowing remote control and installing malware that gives the attackers access to the company network.

The threat actors send thousands of spam messages over a short period and then call the target from an adversary-controlled Office 365 instance, pretending to provide IT support.

This tactic has been observed since late last year in attacks attributed to the Black Basta ransomware operation, but researchers at cybersecurity company Sophos have seen the same method used by other threat actors that may be connected to the FIN7 group.

To reach company employees, the hackers take advantage of the default Microsoft Teams configuration at the targeted organization, which permits calls and chats from external domains.

Observed activity

The first campaign that Sophos investigated has been linked to a group the researchers track internally as STAC5143. The hackers started by emailing targets a massive number of messages, at a rate of 3,000 in 45 minutes.

Shortly after, the targeted employee received an external Teams call from an account named “Help Desk Manager.” The threat actor convinced the victim to set up a remote screen control session through Microsoft Teams.

The attacker dropped a Java archive (JAR) file (MailQueue-Handler.jar) and Python scripts (RPivot backdoor) hosted on an external SharePoint link.

The JAR file executed PowerShell commands to download a legitimate ProtonVPN executable that side-loaded a malicious DLL (nethost.dll).

The DLL creates an encrypted command-and-control (C2) communication channel with external IPs, providing the attackers remote access to the compromised computer.

The attacker also ran Windows Management Instrumentation command-line (WMIC) and whoami.exe to check system details, and deployed second-stage Java malware to execute RPivot, a penetration-testing tool that provides SOCKS4 proxy tunneling for relaying commands.

[Figure: Obfuscated RPivot code. Source: Sophos]

RPivot has been used in the past in attacks by FIN7. Additionally, the obfuscation techniques used have also been previously observed in FIN7 campaigns.

However, since both RPivot and the code for the obfuscation method are publicly available, Sophos cannot link the STAC5143 attacks to FIN7 activity with high confidence, especially since FIN7 is known to have sold its tools to other cybercriminal gangs in the past.

“Sophos assesses with medium confidence that the Python malware used in this attack is connected to the threat actors behind FIN7/Sangria Tempest,” explain the researchers.

The attack was stopped before reaching its final stage, but the researchers believe that the hackers’ goal was to steal data and then deploy ransomware.

The second campaign was from a group tracked as ‘STAC5777’. These attacks also started with email bombing and were followed by Microsoft Teams messages, claiming to be from the IT support department.

In this case, though, the victim was tricked into installing Microsoft Quick Assist to give the attackers hands-on-keyboard access, which they used to download malware hosted on Azure Blob Storage.

The malware (winhttp.dll) is side-loaded into a legitimate Microsoft OneDriveStandaloneUpdater.exe process, and a PowerShell command creates a service that relaunches it at system startup.
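Both campaigns hinge on DLL side-loading: a signed, legitimate binary (the ProtonVPN executable loading nethost.dll, OneDriveStandaloneUpdater.exe loading winhttp.dll) picks up a malicious DLL placed next to it instead of the real library. The following detection logic, written for this article and not Sophos's or Microsoft's code, runs over constructed Sysmon-style image-load records (Event ID 7) and flags a Windows system DLL being loaded from outside the system directories; the host-name list contains only the OneDrive updater named above, and the extra DLL names in SYSTEM_DLLS are assumptions added for generality.

```python
"""Flag DLL side-loading in Sysmon-style image-load records (Event ID 7).
Example code added to this article; not Sophos's or Microsoft's tooling."""
import ntpath
from dataclasses import dataclass
from typing import List, Optional

# DLLs a healthy process should only load from the Windows system directories.
# winhttp.dll is the one named in the article; the others are assumed examples.
SYSTEM_DLLS = {"winhttp.dll", "version.dll", "dbghelp.dll", "cryptbase.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Signed host binary the article reports being abused as a side-loading host.
KNOWN_HOSTS = {"onedrivestandaloneupdater.exe"}

@dataclass
class ImageLoad:
    image: str         # loading process (Sysmon "Image")
    image_loaded: str  # DLL that was mapped (Sysmon "ImageLoaded")
    signed: bool       # Sysmon "Signed" verdict for the DLL

def parse_event(line: str) -> ImageLoad:
    """Parse a constructed 'Key=Value|Key=Value' record into an ImageLoad."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(fields["Image"], fields["ImageLoaded"],
                     fields["Signed"].strip().lower() == "true")

def is_sideload(ev: ImageLoad) -> Optional[str]:
    """Return a finding string when a system DLL is loaded from a non-system path."""
    dll_name = ntpath.basename(ev.image_loaded).lower()
    dll_dir = ntpath.dirname(ev.image_loaded).lower().rstrip("\\")
    host_name = ntpath.basename(ev.image).lower()
    host_dir = ntpath.dirname(ev.image).lower().rstrip("\\")
    if dll_name not in SYSTEM_DLLS or dll_dir in SYSTEM_DIRS:
        return None
    # Classic side-load: DLL sits beside the host, host is a known abused
    # binary, or the DLL is unsigned. Anything else is still worth a look.
    high = dll_dir == host_dir or host_name in KNOWN_HOSTS or not ev.signed
    return f"{'high' if high else 'medium'}: {host_name} loaded {dll_name} from {dll_dir}"

def scan(lines: List[str]) -> List[str]:
    """Run the check over raw records and keep only the findings."""
    return [hit for hit in (is_sideload(parse_event(l)) for l in lines) if hit]

# Constructed sample records; paths and the Signed values are illustrative only.
SAMPLE_EVENTS = [
    r"Image=C:\Users\victim\AppData\Local\Temp\OneDriveStandaloneUpdater.exe|ImageLoaded=C:\Users\victim\AppData\Local\Temp\winhttp.dll|Signed=false",
    r"Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\winhttp.dll|Signed=true",
    r"Image=C:\Program Files\Contoso\app.exe|ImageLoaded=C:\ProgramData\cache\dbghelp.dll|Signed=true",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The service persistence the article mentions (a PowerShell-created service relaunching the updater at boot) is a natural second signal to correlate with a high-severity hit here.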

The malicious DLL logs the victim’s keystrokes via the Windows API, harvests stored credentials from files and the registry, and scans the network for potential pivoting points via SMB, RDP, and WinRM.

Sophos observed STAC5777’s attempt to deploy Black Basta ransomware on the network, so the threat actor is likely related in some way to the infamous ransomware gang.

The researchers observed the threat actor accessing local Notepad and Word documents that had ‘password’ in the file name. The hackers also accessed two Remote Desktop Protocol files, likely looking for possible credential locations.

As these tactics become more prevalent in the ransomware space, organizations should consider blocking external domains from initiating messages and calls on Microsoft Teams, and disabling Quick Assist on critical environments.
