How Are Hackers Exploiting Microsoft Teams for Sophisticated Attacks?

A sophisticated phishing campaign has been targeting Microsoft Teams users, employing techniques resembling those used by Black Basta ransomware. ReliaQuest, a cybersecurity firm, reported the discovery, noting the attack involves a novel PowerShell backdoor and a unique persistence method.

The attackers posed as “Technical Support” in Microsoft Teams, using the Windows Quick Assist tool to infiltrate systems. They targeted executive-level women within sectors like finance, professional, and technical services, timing their attacks in the afternoon.

In a distinctive move, the attackers altered Windows Registry entries to hijack a Type Library (TypeLib) path, so that the malware executes whenever the associated COM object is loaded. This approach had not been seen in real-world attacks before and had previously been discussed only in theoretical contexts.
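As an added example (not code from ReliaQuest's report or from this article), the following PowerShell enumerates TypeLib registrations in both the user and machine hives and lists win32/win64 path values that point to something other than a normal binary type library; the allowed-extension list and the user-writable-location heuristic are assumptions for triage, not a signature for this campaign.

```powershell
# Added example: review TypeLib path registrations for hijack candidates.
# HKCU is checked first because a per-user key shadows the HKLM entry for the same GUID.
$hives = @('HKCU:\Software\Classes\TypeLib', 'HKLM:\Software\Classes\TypeLib')
# Assumption: type libraries are normally embedded in or shipped as these binary types.
$allowedExt = @('.tlb', '.dll', '.exe', '.ocx', '.olb')

function Get-TypeLibPathReason {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $null }
    $p = $Path.Trim('"').Trim()
    # A scheme such as a URL or moniker (two or more letters before ':') is never a file path here.
    if ($p -match '^[A-Za-z]{2,}:') { return 'non-file path (URL/moniker)' }
    # Strip a trailing "\N" resource index (e.g. "...\foo.dll\1") before inspecting the extension.
    $file = $p -replace '\\\d+$', ''
    $ext = [System.IO.Path]::GetExtension($file).ToLower()
    if ($ext -and ($allowedExt -notcontains $ext)) { return "unexpected extension $ext" }
    # Assumption: binaries under user-writable locations deserve a second look.
    if ($p -match '\\(Users|ProgramData|Temp|AppData)\\') { return 'user-writable location' }
    return $null
}

function Find-SuspiciousTypeLibPaths {
    foreach ($hive in $hives) {
        if (-not (Test-Path -LiteralPath $hive)) { continue }
        Get-ChildItem -LiteralPath $hive -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -in @('win32', 'win64') } |
            ForEach-Object {
                $val = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).'(default)'
                $reason = Get-TypeLibPathReason -Path $val
                if ($reason) {
                    [PSCustomObject]@{ Key = $_.Name; Path = $val; Reason = $reason }
                }
            }
    }
}

Find-SuspiciousTypeLibPaths | Format-Table -AutoSize
```

Per-user applications legitimately register type libraries under AppData, so treat the "user-writable location" hits as a triage list and compare them against a known-good baseline rather than alerting on them directly.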

The PowerShell backdoor, concealed and loaded from a Google Drive link, employs “junk code” to evade detection. Stored in a system directory, it establishes a command-and-control beacon, sends a notification to the attacker’s Telegram bot, and awaits further instructions.

ReliaQuest traced this backdoor’s origins back several months, showing similarities to Boxter malware discovered in earlier campaigns. While attribution remains challenging, it could indicate the evolution of Storm-1811’s techniques or a splintering of the Black Basta group.

To mitigate such threats, ReliaQuest recommends disabling external communications in Microsoft Teams, blocking Telegram and Google Drive, restricting JScript, and configuring Windows Defender Application Control at its strictest level. Disabling Windows Script Host is also suggested, after thorough testing. The campaign underlines the need to adapt defenses to evolving threats, as the attackers' methods show how readily established security measures can be bypassed.
