Hackers Exploit Microsoft Teams and Quick Assist to Install Malware
Attackers are targeting financial and healthcare organizations with Microsoft Teams phishing and Quick Assist remote-support sessions to deploy a backdoor, giving them control of infected systems and the ability to steal data over a covert channel hidden in DNS traffic.
Security researchers have documented a new campaign in which attackers use Microsoft Teams and Quick Assist to obtain remote access to corporate PCs, primarily targeting employees at financial institutions and healthcare organizations. Once they have access, they install a previously undocumented backdoor that the researchers call AoBackdoor.
According to researchers at cybersecurity firm BlueVoyant, the operation begins with social engineering. The attackers first flood an employee's mailbox with spam, a technique commonly called email bombing. They then contact the employee over Microsoft Teams, posing as a member of the company's IT support team, and offer to help resolve the spam problem.
During the conversation, the attacker asks the employee to start a Quick Assist session. Quick Assist is a legitimate Windows remote-support tool, so the request looks routine, but it hands the attacker interactive control of the victim's desktop. Once connected, the attacker installs digitally signed MSI installer files hosted in a personal Microsoft cloud storage account. The packages are named and presented to look like genuine Microsoft Teams components or Windows services, so the installation does not raise suspicion.
The installer then sets up DLL sideloading: a legitimate, signed Microsoft executable is placed next to an attacker-controlled DLL bearing the file name the executable expects, so the trusted program loads the malicious library when it starts. That DLL carries encrypted data that is later decrypted and executed as the next stage.
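As an added example (not part of the original report or BlueVoyant's analysis), the following Python correlates constructed Sysmon-like process-creation and image-load events to surface the chain just described: a Quick Assist session, then msiexec.exe installing a package from a user-writable path, then a Microsoft-signed binary running from a user directory loading an unsigned DLL that sits beside it. The event schema, hostnames, file names and the `process_signer` field are assumptions made for the example, not indicators from the campaign.

```python
"""Correlate Sysmon-like process-creation (EID 1) and image-load (EID 7)
events to surface the delivery chain: Quick Assist session -> msiexec.exe
installing a package from a user-writable path -> a Microsoft-signed host
process running from a user directory loading an unsigned DLL beside it
(DLL sideloading).  All events, hostnames and file names below are
constructed for this example; `process_signer` is a field added here
(real Sysmon EID 7 only carries signature data for the loaded DLL)."""

import ntpath
import re
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
# Directory fragments a standard user can write to (lower-case, backslash form).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
MSI_INSTALL = re.compile(r"(^|\s)/i\b", re.IGNORECASE)  # msiexec /i <package>
STAGES = ("quick_assist_session", "msi_install_from_user_path", "dll_sideload")

# Constructed telemetry: one compromised host and one host where IT support
# genuinely used Quick Assist and nothing else happened.
EVENTS = [
    {"ts": "2025-11-03T09:12:05", "eid": 1, "host": "WS-FIN-017",
     "image": r"C:\Windows\System32\quickassist.exe", "cmdline": "quickassist.exe"},
    {"ts": "2025-11-03T09:14:40", "eid": 1, "host": "WS-FIN-017",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\jdoe\Downloads\TeamsAddin.msi" /qn'},
    {"ts": "2025-11-03T09:14:55", "eid": 7, "host": "WS-FIN-017",  # benign load
     "image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\version.dll",
     "signed": True, "process_signer": "Microsoft Corporation"},
    {"ts": "2025-11-03T09:15:02", "eid": 7, "host": "WS-FIN-017",  # sideload
     "image": r"C:\Users\jdoe\AppData\Local\TeamsAddin\TeamsAddin.exe",
     "image_loaded": r"C:\Users\jdoe\AppData\Local\TeamsAddin\helper.dll",
     "signed": False, "process_signer": "Microsoft Corporation"},
    {"ts": "2025-11-03T10:02:11", "eid": 1, "host": "WS-HR-004",
     "image": r"C:\Windows\System32\quickassist.exe", "cmdline": "quickassist.exe"},
    {"ts": "2025-11-03T10:05:30", "eid": 7, "host": "WS-HR-004",
     "image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\version.dll",
     "signed": True, "process_signer": "Microsoft Corporation"},
]


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(fragment in p for fragment in USER_WRITABLE)


def stage_quickassist(ev) -> bool:
    return ev["eid"] == 1 and ntpath.basename(ev["image"]).lower() == "quickassist.exe"


def stage_msi_install(ev) -> bool:
    """msiexec.exe installing a package that lives under a user-writable path
    (or is fetched by URL), rather than from a software-deployment share."""
    if ev["eid"] != 1 or ntpath.basename(ev["image"]).lower() != "msiexec.exe":
        return False
    cmd = ev["cmdline"]
    return bool(MSI_INSTALL.search(cmd)) and (in_user_writable(cmd) or "http" in cmd.lower())


def stage_sideload(ev) -> bool:
    """A Microsoft-signed process loading an unsigned DLL from the same
    user-writable directory it runs from: the classic sideloading layout."""
    if ev["eid"] != 7:
        return False
    dll_dir = ntpath.dirname(ev["image_loaded"]).lower()
    exe_dir = ntpath.dirname(ev["image"]).lower()
    return (in_user_writable(ev["image_loaded"])
            and not ev.get("signed", False)
            and dll_dir == exe_dir
            and ev.get("process_signer", "").lower().startswith("microsoft"))


def detect(events, window=WINDOW):
    """Return {host: [stages seen]} for hosts where a Quick Assist start is
    followed, within `window`, by the later stages in order."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    findings = {}
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if not stage_quickassist(ev):
                continue
            t0 = datetime.fromisoformat(ev["ts"])
            seen = [STAGES[0]]
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["ts"]) - t0 > window:
                    break
                if seen[-1] == STAGES[0] and stage_msi_install(later):
                    seen.append(STAGES[1])
                elif seen[-1] == STAGES[1] and stage_sideload(later):
                    seen.append(STAGES[2])
                    break
            if len(seen) > 1:  # Quick Assist alone is normal IT activity
                findings[host] = seen
                break
    return findings


if __name__ == "__main__":
    for host, stages in detect(EVENTS).items():
        print(host, "->", " > ".join(stages))
```

Quick Assist on its own is ordinary help-desk activity, so the rule only fires when it is followed by the later stages; in a real pipeline the `process_signer` value would come from joining the EID 1 hash or a signature lookup, and the registered-install check would be tuned to the organization's deployment paths.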
Once that stage runs, the malware decrypts its core components and installs AoBackdoor. The backdoor collects basic host information (machine name, username, system configuration) so the operators can identify and track each compromised system. For command-and-control it hides behind DNS: it issues crafted DNS queries that look like ordinary name lookups but carry encoded data in the query names, a channel that many security tools do not inspect closely.
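To show what "encoded data in DNS queries" looks like from the defender's side, here is an added Python example (not code from the report or from the malware) that scores constructed DNS query logs: it splits each name into registered domain and subdomain, measures the subdomain's length and Shannon entropy, and reports client/domain pairs that issue many distinct, long, high-entropy subdomains. The log format, client addresses and domain names are placeholders invented for the example, not indicators from the campaign.

```python
"""Flag DNS query logs that look like a data-over-DNS channel.  Each
query is split into registered domain and subdomain; the subdomain
(dots removed) is scored for length and Shannon entropy, and client/domain
pairs with many distinct high-entropy subdomains are reported.  Log lines
and domain names are constructed for this example."""

import math
from collections import defaultdict

# Constructed log lines: "<timestamp> <client-ip> <qtype> <qname>".
SAMPLE_LOG = """\
2025-11-03T09:20:01 10.4.2.17 A   teams.microsoft.com
2025-11-03T09:20:02 10.4.2.17 A   login.microsoftonline.com
2025-11-03T09:20:03 10.4.2.17 A   d41f9c7e2b8a6053e1f4c9d7.cdn-example.com
2025-11-03T09:20:05 10.4.2.17 TXT 7f3a91c0.e6b2d84f5a1c9e07b3d6f2a8c41e.upd-example.net
2025-11-03T09:20:06 10.4.2.17 TXT 7f3a91c0.0c9d2e7a4f1b86e35d0a7c2f9b4e.upd-example.net
2025-11-03T09:20:07 10.4.2.17 TXT 7f3a91c0.b58e3f1a0d6c27e94f3b1a5c8d0e.upd-example.net
2025-11-03T09:20:09 10.4.2.17 TXT 7f3a91c0.3e1c7a9d5b2f0e84a6c3d1f7b29a.upd-example.net
2025-11-03T09:21:00 10.4.2.40 A   outlook.office.com
2025-11-03T09:21:01 10.4.2.40 A   teams.microsoft.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; hex payloads approach 4.0, English words sit near 2-3."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (registered_domain, subdomain).  Assumption for the example: the
    registered domain is the last two labels; production code should use the
    Public Suffix List so that names like example.co.uk are handled."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text: str):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client, "qtype": qtype, "qname": qname})
    return records


def score_domains(records, min_distinct=3, min_mean_len=20, min_entropy=3.0):
    """Group queries by (client, registered domain) and flag groups whose
    subdomains are numerous, long and high-entropy.  A single long CDN-style
    hostname does not trip the rule because distinct-subdomain count stays 1."""
    subs_by_key = defaultdict(set)
    qtypes_by_key = defaultdict(set)
    for r in records:
        domain, sub = split_name(r["qname"])
        if sub:
            key = (r["client"], domain)
            subs_by_key[key].add(sub)
            qtypes_by_key[key].add(r["qtype"])
    findings = []
    for (client, domain), subs in subs_by_key.items():
        payloads = [s.replace(".", "") for s in subs]
        mean_len = sum(map(len, payloads)) / len(payloads)
        mean_ent = sum(map(shannon_entropy, payloads)) / len(payloads)
        if len(subs) >= min_distinct and mean_len >= min_mean_len and mean_ent >= min_entropy:
            findings.append({
                "client": client, "domain": domain,
                "distinct_subdomains": len(subs),
                "mean_payload_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                "qtypes": sorted(qtypes_by_key[(client, domain)]),
            })
    return sorted(findings, key=lambda f: -f["distinct_subdomains"])


if __name__ == "__main__":
    for f in score_domains(parse_log(SAMPLE_LOG)):
        print(f)
```

The thresholds are starting points rather than universal constants: baseline them against your own resolver logs, and treat TXT or NULL queries to a domain nobody in the organization browses to as a stronger signal than entropy alone.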
Researchers note that the playbook resembles the email-bombing, Teams-impersonation and Quick Assist tradecraft associated with the Black Basta ransomware group, but adds new elements such as signed MSI installers and DNS-based command-and-control.
Security experts advise organizations to train employees to recognize this kind of phishing and social engineering, and to monitor for unusual remote-access activity. Practical controls that follow from the attack chain include restricting or blocking Quick Assist where it is not needed, alerting when msiexec.exe installs packages from user-writable locations such as Downloads or AppData, and reviewing DNS logs for unusually long, high-volume or TXT-heavy queries to a single domain. These steps make it harder for attackers to abuse trusted tools like Microsoft Teams and Quick Assist.
This article is based on information from BleepingComputer.