Hackers exploited Microsoft Teams to trick a victim into allowing remote access to their PC. Trend Micro studied the attack, which demonstrates the increasing sophistication of cybercriminals’ social engineering efforts.
The attack began with a torrent of phishing emails aimed at the victim. Shortly after, the attacker began a Microsoft Teams call while acting as a trusted client employee.
On a call conversation, the attacker directed the victim to download a remote help application, originally recommending Microsoft Remote help. When installation from the Microsoft Store failed, the attacker switched to AnyDesk, a legal remote desktop tool frequently used by hackers.
AnyDesk, a remote desktop program and application, once installed, the attacker got control of the victim’s computer. They installed many strange files, one of which was recognized as a Trojan.AutoIt.DARKGATE.D.
This malware was deployed using an AutoIt script, which provided remote system control, executed malicious commands, and linked to a command-and-control (C2) server.
After getting access via AnyDesk, the attacker ran commands to gather full system and network configurations. Systeminfo, route print, and ipconfig /all were used to gather information on the system’s hardware, software, and network configuration. The obtained information was saved in a file called 123.txt, most likely for future reconnaissance.
The malware also used defensive evasion techniques. For example, AutoIt scripts were used to identify antivirus software on the machine and avoid detection. Malicious files were also downloaded and extracted into the infiltrated machine’s secret directories.
One especially nasty program, SystemCert.exe, generated additional scripts and executables in temporary directories. These files enabled further malicious activities, such as connecting to a C2 server and downloading further payloads.
Fortunately, the assault was detected before any data was exfiltrated. The root cause study indicated that no sensitive information was stolen, however persistent files and registry entries were created on the victim’s computer. However, this event highlights the vital necessity for strong security measures.
To protect and fight against such assaults, companies should apply the following best practices:
Verify The Third-Party Claims: Always authenticate the affiliations of third-party technical support providers before providing access.
Control remote access tools: To improve security, whitelist approved tools like AnyDesk and require multi-factor authentication (MFA).
Have Training Sessions with Employees: To lessen vulnerability to such assaults, educate staff on social engineering strategies like phishing and vishing (voice phishing).
This event is a striking reminder of how attackers use trust and legitimate platforms like Microsoft Teams to enter systems. Vigilance and proactive security measures are critical for preventing similar incidents in the future.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behaviour or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
