A financially motivated cybercriminal group used the Windows Quick Assist tool in its social engineering attacks to deploy the Black Basta ransomware to its victims’ networks.
According to reports, Microsoft has been monitoring this campaign since last month. Its initial findings revealed that the threat group Storm-1811 began its campaigns by email-bombing its targets: the victims' addresses were signed up to numerous email subscription services so that their inboxes filled with spam.
The flood of spam gave the attackers a pretext for the social engineering phase. They then phoned the affected users, posing as Microsoft technical support or as the targeted company's IT or help desk staff offering to resolve the spam problem.
In this vishing campaign, the attackers fool the victims into granting access to their Windows devices by opening Quick Assist, the built-in remote control and screen-sharing utility. Once the targeted user has handed over access and control, the attackers run a scripted download command (pointing at a URL under their control) that fetches a series of batch files or ZIP files used to launch malicious payloads.
This campaign has also launched other malicious payloads besides the Black Basta ransomware.
Several cases ended with the deployment of the Black Basta ransomware. In others, however, the same access was used to download Qakbot, RMM tools such as ScreenConnect and NetSupport Manager, and Cobalt Strike.
In the cases observed, Storm-1811 went on to enumerate domains, move laterally through the victim's network, and use PsExec, the Sysinternals telnet-replacement tool for remote command execution, to deliver the Black Basta ransomware.
A separate research group reported that the attackers use a batch script to harvest the victim's credentials from the command line via PowerShell. The credentials are collected under the pretext of an 'update' that requires the user to log in.
Microsoft urges network admins to disable or uninstall Quick Assist and any other remote monitoring and management tools that are not in use, to reduce the attack surface these social engineering campaigns rely on.
Individuals who have already been targeted should not allow anyone to connect to their device until they have verified the request directly with their own IT support staff or with Microsoft Support, so that they are not deceived by cybercriminal groups impersonating them.
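The following PowerShell script is an added example of how an administrator might act on the mitigation described above; it is not part of the original article and not Microsoft's own guidance text. It assumes an elevated PowerShell session on Windows 10 or 11, where Quick Assist ships either as the Windows capability `App.Support.QuickAssist` (older builds) or as the Microsoft Store package `MicrosoftCorporationII.QuickAssist` (newer builds). The list of RMM product names to look for (ScreenConnect, NetSupport) is taken from the article; any other names an organisation wants to audit would be added by the operator.

```powershell
# Added example (not from the original article): audit and remove Quick Assist on a
# Windows endpoint, then inventory remote-support/RMM software that is installed.
# Run from an elevated PowerShell session on Windows 10/11 (assumption).

# --- 1. Quick Assist as a Windows capability (older Windows 10 builds) ---
$capability = Get-WindowsCapability -Online |
    Where-Object { $_.Name -like 'App.Support.QuickAssist*' }
if ($capability -and $capability.State -eq 'Installed') {
    Write-Host "Removing capability $($capability.Name)"
    Remove-WindowsCapability -Online -Name $capability.Name | Out-Null
} else {
    Write-Host 'Quick Assist capability not installed.'
}

# --- 2. Quick Assist as a Store app (newer Windows 10/11 builds) ---
$storePkg = 'MicrosoftCorporationII.QuickAssist'
$installed = Get-AppxPackage -AllUsers -Name $storePkg
if ($installed) {
    Write-Host "Removing Store package $storePkg for all users"
    $installed | Remove-AppxPackage -AllUsers
} else {
    Write-Host 'Quick Assist Store package not installed.'
}

# Also remove the provisioned copy so it is not re-added for new user profiles.
Get-AppxProvisionedPackage -Online |
    Where-Object { $_.DisplayName -eq $storePkg } |
    ForEach-Object {
        Write-Host "Removing provisioned package $($_.PackageName)"
        Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null
    }

# --- 3. Inventory other remote management tools named in the reporting ---
# Product name fragments from the article; extend this list for your environment.
$rmmPatterns = @('ScreenConnect', 'NetSupport')

# Search the Uninstall registry keys (faster and safer than querying Win32_Product).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$foundSoftware = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $name = $_.DisplayName
        $name -and ($rmmPatterns | Where-Object { $name -like "*$_*" })
    } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

# Also check for services whose display name matches, since some RMM agents
# register a service without a conventional uninstall entry.
$foundServices = Get-Service |
    Where-Object {
        $disp = $_.DisplayName
        $rmmPatterns | Where-Object { $disp -like "*$_*" }
    } |
    Select-Object Name, DisplayName, Status

if ($foundSoftware -or $foundServices) {
    Write-Host 'Remote management software detected; review whether it is sanctioned:'
    $foundSoftware | Format-Table -AutoSize
    $foundServices | Format-Table -AutoSize
} else {
    Write-Host 'No matching remote management software found.'
}
```

The script only reports the RMM matches rather than uninstalling them, because the same products may be legitimately deployed by the organisation's own IT team; removal of an unsanctioned agent should follow the incident response process rather than be automated blindly. Removing Quick Assist is non-destructive and can be reversed by reinstalling it from the Microsoft Store or with `Add-WindowsCapability` if a support workflow later needs it.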