Ransomware Gangs Use Microsoft Teams Phishing to Gain Remote Access

Ransomware gangs are increasingly combining email bombing with a follow-up Microsoft Teams call in which they pose as tech support, tricking employees into granting remote control and installing malware that gives the attackers access to the company network. The threat actors send thousands of spam messages over a short period, then call the target from an adversary-controlled Office 365 tenant while pretending to provide IT support.

This tactic has been observed since late last year in attacks attributed to the Black Basta ransomware operation, but researchers at cybersecurity company Sophos have seen the same method used by other threat actors connected to the FIN7 group. To reach employees, the attackers abuse Microsoft Teams’ default configuration, which permits calls and chats from external domains.

In a recent campaign linked to STAC5143, hackers emailed targets 3,000 messages in 45 minutes before calling them with an external Teams call claiming to be from the “Help Desk Manager.” The victim was convinced to set up a remote screen control session through Microsoft Teams. The attackers then dropped a Java archive and Python scripts hosted on an external SharePoint link.

The malware ran PowerShell commands to download a legitimate, signed ProtonVPN executable, which side-loaded a malicious DLL placed beside it. That DLL established an encrypted command-and-control channel to external IP addresses, giving the attackers remote access to the compromised computer. Sophos researchers believe some of the malware is connected to the threat actors behind FIN7/Sangria Tempest.
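The side-loading pattern above (a validly signed vendor executable dropped somewhere user-writable, with an unsigned DLL next to it that the executable loads by name) can be hunted for on an endpoint. The script below is an added example, not code from Sophos or from the article: it walks a set of user-writable directories (the list of roots is an assumption about where such droppers typically land), keeps only executables whose Authenticode signature is valid, and reports any DLL in the same directory that is not validly signed.

```powershell
# Added hunt for signed-EXE + unsigned-DLL pairs in user-writable locations.
# $Roots is an assumption: adjust it to the paths your environment allows users to write to.
function Find-SideloadCandidates {
    param(
        [string[]]$Roots = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:PUBLIC)
    )
    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -LiteralPath $root -Recurse -Filter *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $exe    = $_
            $exeSig = Get-AuthenticodeSignature -FilePath $exe.FullName
            # Only a validly signed executable is interesting: that is what lets the
            # loader bypass reputation checks while the unsigned DLL does the work.
            if ($exeSig.Status -ne 'Valid') { return }

            Get-ChildItem -LiteralPath $exe.DirectoryName -Filter *.dll -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $dllSig = Get-AuthenticodeSignature -FilePath $_.FullName
                if ($dllSig.Status -ne 'Valid') {
                    [pscustomobject]@{
                        Executable = $exe.FullName
                        ExeSigner  = $exeSig.SignerCertificate.Subject
                        Dll        = $_.FullName
                        DllStatus  = $dllSig.Status      # NotSigned, HashMismatch, UnknownError, ...
                        DllWritten = $_.LastWriteTime
                    }
                }
            }
        }
    }
}

# Usage: list candidates, most recently written DLL first.
Find-SideloadCandidates | Sort-Object DllWritten -Descending | Format-Table -AutoSize
```

Expect benign hits: plenty of legitimate software ships unsigned helper DLLs in a user profile install. Treat the output as a triage list and prioritise pairs where the DLL was written within minutes of the executable, where the signer is a vendor the user has no reason to run from that path, or where the executable name matches a known sideloading host such as the VPN client described above.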

Another campaign linked to STAC5777 also started with email bombing and Microsoft Teams messages claiming to be from IT support. However, the victim was tricked into installing Microsoft Quick Assist to give attackers hands-on keyboard access, which they used to download malware hosted on Azure Blob Storage. The malware logs keystrokes via Windows API and harvests stored credentials from files and the registry.

To protect against these tactics, organizations should consider blocking external domains from initiating messages and calls on Microsoft Teams, and disabling Quick Assist on critical environments.
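The two mitigations above are tenant and endpoint settings that an administrator applies with the MicrosoftTeams PowerShell module and the Windows optional-features tooling. The script below is an added example, not configuration from the article; it assumes a Teams administrator account, the MicrosoftTeams module already installed, and uses `partner.example` as a placeholder for a domain the organization genuinely needs to federate with. Either block all external domains, or keep external access but restrict it to an allow list; the two `Set-CsTenantFederationConfiguration` calls are alternatives, so run only one of them.

```powershell
# Added example: close the default Teams external-access door and remove Quick Assist.
# Assumptions: MicrosoftTeams module installed, Teams admin rights, "partner.example" is a placeholder.
Connect-MicrosoftTeams

# 1. Record the current state before changing anything (the default allows all external domains).
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer,
                  AllowTeamsConsumerInbound, ExternalAccessWithTrialTenants

# 2a. Blanket block: no chats or calls from any other tenant or from consumer Teams accounts.
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $false `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false `
    -ExternalAccessWithTrialTenants Blocked

# 2b. Alternative: keep federation but only with an explicit allow list of partner tenants.
#     Attacker-controlled trial tenants and consumer accounts stay blocked.
$partners = New-CsEdgeAllowList -AllowedDomain @(
    (New-CsEdgeDomainPattern -Domain "partner.example")   # placeholder domain
)
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomains $partners `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false `
    -ExternalAccessWithTrialTenants Blocked

# 3. On endpoints that do not need it, remove Quick Assist (run elevated on the endpoint).
Get-WindowsCapability -Online -Name "App.Support.QuickAssist*" |
    Where-Object State -eq 'Installed' |
    ForEach-Object { Remove-WindowsCapability -Online -Name $_.Name }
```

Blocking all external access is the simplest setting but also breaks legitimate cross-tenant chat, so most organizations will land on the allow-list variant. Whichever you choose, re-run the `Get-CsTenantFederationConfiguration` query afterwards to confirm the change took effect, and remember that removing the Quick Assist capability only addresses one remote-control tool: the STAC5143 campaign used the screen-sharing built into Teams itself, which the external-access settings are what restrict.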

Source: https://www.bleepingcomputer.com/news/security/ransomware-gangs-pose-as-it-support-in-microsoft-teams-phishing-attacks