Ransomware groups impersonate tech support in Microsoft Teams phishing attack

Cybercrime groups specializing in ransomware are increasingly employing more sophisticated tactics to infiltrate organizational systems. They combine mass spam email campaigns with impersonation of tech support staff via the Microsoft Teams app to deceive victims into granting remote access and installing malware.

This tactic has been observed since late last year in attacks associated with the Black Basta ransomware. Recently, security researchers at Sophos have also identified that other criminal groups, potentially linked to the FIN7 group, are using similar methods.

How Criminal Groups Operate

To reach employees of targeted companies, attackers exploit the default configuration of Microsoft Teams at the targeted organization, which allows calls and chats from users in external domains. The attack usually unfolds in three main stages:

  1. Email Bombing: Sending thousands of spam emails in a short time to create confusion and distract the victim.

  2. Impersonating IT Support: Using Microsoft Teams to contact the victim, pretending to be IT support staff.

  3. Installing Malware: Tricking the victim into granting remote access and installing malicious tools.

Details of Specific Campaigns

Campaign STAC5143

  • Begins by sending about 3,000 spam emails within 45 minutes.

  • Then, the victim receives an external call via Microsoft Teams from an account named "Support Department Manager."

  • The victim is convinced to set up a remote screen control session through Microsoft Teams.

  • The attacker drops a Java archive file (MailQueue-Handler.jar) and Python scripts (the RPivot backdoor) hosted on an external SharePoint link.

  • The malware creates an encrypted command and control (C2) communication channel with external IP addresses, giving the attacker remote access to the compromised computer.

Campaign STAC5777

  • Also begins with sending spam emails followed by Microsoft Teams messages, claiming to be from the tech support department.

  • The victim is tricked into installing Microsoft Quick Assist to give the attacker direct keyboard access.

  • A malicious winhttp.dll is loaded into the legitimate Microsoft OneDriveStandaloneUpdater.exe process.

  • This malware records the victim's keystrokes, collects stored login information from files and the registry, and scans the network for potential pivot points.
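The winhttp.dll load described above is something endpoint telemetry can catch: Windows supplies that DLL from its system directories, so a copy loaded by OneDriveStandaloneUpdater.exe from anywhere else is a sideloading candidate. The following detector is an added example, not code from the original post or from Sophos; it assumes a constructed `key=value|key=value` export of image-load events (standing in for Sysmon Event ID 7) and flags the STAC5777 pattern over sample lines.

```python
import ntpath
from dataclasses import dataclass

# Directories from which Windows itself supplies winhttp.dll (assumption:
# standard install drive C:). Anything else is an untrusted load location.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
TARGET_PROCESS = "onedrivestandaloneupdater.exe"
TARGET_DLL = "winhttp.dll"


@dataclass(frozen=True)
class ImageLoad:
    process_image: str  # full path of the process that loaded the DLL
    image_loaded: str   # full path of the DLL that was loaded
    signed: bool        # signature status as reported by the sensor


def is_sideload(ev: ImageLoad) -> bool:
    """True when the OneDrive updater loads a winhttp.dll that is outside the
    system directories or is unsigned (the STAC5777 sideload pattern)."""
    proc = ntpath.basename(ev.process_image).lower()
    dll_dir, dll_name = ntpath.split(ev.image_loaded.lower())
    if proc != TARGET_PROCESS or dll_name != TARGET_DLL:
        return False
    return dll_dir.rstrip("\\") not in TRUSTED_DIRS or not ev.signed


def parse_event(line: str) -> ImageLoad:
    # Constructed "Image=...|ImageLoaded=...|Signed=..." format, not a real sensor's output
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(fields["Image"], fields["ImageLoaded"],
                     fields["Signed"].strip().lower() == "true")


def find_sideloads(lines):
    """Return the events that match the sideload pattern, in log order."""
    return [ev for ev in map(parse_event, lines) if is_sideload(ev)]


# Constructed sample events (not real telemetry): a normal system load, the
# sideload from the updater's own directory, and an unrelated process.
SAMPLE_LOG = [
    r"Image=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"
    r"|ImageLoaded=C:\Windows\System32\winhttp.dll|Signed=true",
    r"Image=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"
    r"|ImageLoaded=C:\Users\alice\AppData\Local\Microsoft\OneDrive\winhttp.dll|Signed=false",
    r"Image=C:\Program Files\Mozilla Firefox\firefox.exe"
    r"|ImageLoaded=C:\Windows\System32\winhttp.dll|Signed=true",
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_LOG):
        print("possible winhttp.dll sideload:", hit.image_loaded)
```

The rule is deliberately scoped to the process and DLL named in this campaign; an EDR would generalise it to any signed binary loading a same-named DLL from its own directory.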

Sophos has observed some signs that there may be a connection between campaign STAC5143 and the notorious FIN7 group. Specifically:

  • The use of RPivot has been seen in previous FIN7 attacks.

  • The same code obfuscation techniques have been seen in earlier FIN7 campaigns.

Conclusion and Recommendations

As these tactics become more common in the ransomware space, organizations should consider:

  1. Disabling Quick Assist in critical environments.

  2. Raising cybersecurity awareness among employees about phishing attacks via Microsoft Teams.

  3. Implementing strong protective measures like Endpoint Detection and Response (EDR) solutions to identify malicious activity.

  4. Monitoring network traffic to detect unusual patterns that may indicate ransomware activity.

