
Threat Actors Delivering Ransomware Via Microsoft Teams Using Voice Calls


Sophos Managed Detection and Response (MDR) has uncovered two distinct campaigns in which threat actors deliver ransomware via Microsoft Teams voice calls. These campaigns, tracked as STAC5143 and STAC5777, exploit default Microsoft Teams settings that allow external users to initiate chats with internal users. The attackers use a multi-step approach, combining email bombing and social engineering, to gain unauthorized access.

Understanding the Ransomware Delivery Method

Threat actors start by overwhelming targets with up to 3,000 spam emails in an hour, a tactic known as email bombing. They then employ social engineering, posing as IT support to initiate Microsoft Teams calls. Once engaged, they guide victims to install Microsoft Quick Assist or use Teams’ built-in remote control feature, leading to malware deployment.

STAC5143 Campaign Tactics

The STAC5143 campaign is notable for its use of Java Archive (JAR) files and Python-based backdoors. These tools help establish a foothold in target systems. The campaign also employs RPivot, a reverse SOCKS proxy tool, to maintain stealthy access. To further evade detection, it uses lambda functions for code obfuscation, reminiscent of FIN7 group techniques.

STAC5777 Campaign Techniques

The STAC5777 campaign combines legitimate software with malicious components. It utilizes a malicious DLL, winhttp.dll, side-loaded by Microsoft OneDriveStandaloneUpdater.exe. This campaign establishes command and control connections using unsigned OpenSSL toolkit drivers. It also modifies Windows registry settings to maintain persistence and conducts SMB scanning for lateral movement.
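The side-loading described above leaves a concrete trace in endpoint telemetry: the updater executable loading a winhttp.dll from somewhere other than a Windows system directory. The following is an added detection example, not Sophos's code or the campaign's tooling; it assumes image-load records in a Sysmon-style key=value shape (Image, ImageLoaded, Signed), and the sample lines are constructed.

```python
import ntpath
import re

# Process/DLL pairings the article describes (names lower-cased for matching).
SIDELOAD_PAIRS = {"onedrivestandaloneupdater.exe": {"winhttp.dll"}}

# Directories where a genuine winhttp.dll is expected to live.
TRUSTED_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed image-load records in a Sysmon-like key=value shape (not real telemetry).
SAMPLE_EVENTS = [
    r"Image=C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe ImageLoaded=C:\Windows\System32\winhttp.dll Signed=true",
    r"Image=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe ImageLoaded=C:\Users\alice\AppData\Local\Microsoft\OneDrive\winhttp.dll Signed=false",
    r"Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Windows\System32\winhttp.dll Signed=true",
]

# Key=Value pairs; values may contain spaces, so stop only before the next "Key=" or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one 'Key=Value Key=Value' record into a dict."""
    return dict(FIELD_RE.findall(line))


def is_sideload(ev):
    """True when a watched process loads a watched DLL name from outside a system directory."""
    proc = ntpath.basename(ev.get("Image", "")).lower()
    dll = ntpath.basename(ev.get("ImageLoaded", "")).lower()
    if dll not in SIDELOAD_PAIRS.get(proc, ()):
        return False
    # Same DLL name, but resolved from next to the executable instead of System32/SysWOW64.
    return ntpath.dirname(ev["ImageLoaded"]).lower() not in TRUSTED_DLL_DIRS


def find_sideloads(lines):
    """Return (process, dll, signed) tuples for every record that matches the side-load pattern."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_sideload(ev):
            hits.append((ev["Image"], ev["ImageLoaded"], ev.get("Signed", "unknown")))
    return hits


if __name__ == "__main__":
    for image, dll, signed in find_sideloads(SAMPLE_EVENTS):
        print(f"possible side-load: {image} loaded {dll} (Signed={signed})")
```

Only the second constructed record is flagged: the legitimate updater loading the System32 copy and an unrelated process loading winhttp.dll both pass.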

Protection Strategies Against Ransomware

Organizations can mitigate risk by restricting Teams calls from external entities and limiting remote access tools such as Quick Assist. Application control settings can block unauthorized Quick Assist execution. Integrating Microsoft Office 365 telemetry into security monitoring also improves visibility. Sophos has deployed detections for these campaigns’ malware, including ATK/RPivot-B and Python/Kryptic.IV.

In one instance, the STAC5777 campaign attempted to deploy Black Basta ransomware, but Sophos endpoint protection successfully blocked it. Continuous vigilance and updated security measures are critical in defending against such sophisticated cyber threats.

You could also head over to fvtal.com/start and avoid ever having this happen to you, or your business.
