Hackers leveraged Microsoft Teams to manipulate a victim into granting remote access to their system. The attack, analyzed by Trend Micro, highlights the growing sophistication of social engineering tactics used by cybercriminals.
The attack began with a flood of phishing emails targeting the victim. Shortly after, the attacker initiated a Microsoft Teams call, posing as an employee of a trusted client.
During the call, the attacker instructed the victim to download a remote support application, initially proposing Microsoft Remote Support. When installation from the Microsoft Store failed, the attacker pivoted to AnyDesk, a legitimate remote desktop tool often exploited by cybercriminals.
Once AnyDesk was installed, the attacker gained control over the victim’s machine. They deployed multiple suspicious files, including one identified as Trojan.AutoIt.DARKGATE.D.
This malware was distributed via an AutoIt script, which allowed remote control of the system, executed malicious commands, and connected to a command-and-control (C2) server.
Execution and Malicious Activity
After gaining access through AnyDesk, the attacker executed commands to gather detailed system information and network configurations. Commands such as systeminfo, route print, and ipconfig /all were run to collect data about the system’s hardware, software, and network setup. The gathered information was saved in a file named 123.txt, likely for further reconnaissance.
The malware also employed defense evasion techniques. For instance, AutoIt scripts were used to identify antivirus software on the system and evade detection. Additionally, malicious files were downloaded and extracted into hidden directories on the compromised machine.
One particularly malicious file, SystemCert.exe, created additional scripts and executables in temporary folders. These files facilitated further malicious activity, including connecting to a C2 server and downloading additional payloads.
Fortunately, this attack was intercepted before any data exfiltration occurred. The root cause analysis revealed that no sensitive information was stolen while persistent files and registry entries were created on the victim’s machine. However, this incident underscores the critical need for robust security measures.
To counter such attacks, organizations should implement the following best practices:
- Verify Third-Party Claims: Always confirm affiliations of third-party technical support providers before granting access.
- Control Remote Access Tools: Whitelist approved tools like AnyDesk and enforce multi-factor authentication (MFA) for added security.
- Employee Training: Educate employees about social engineering tactics such as phishing and vishing (voice phishing) to reduce susceptibility to such attacks.
This incident serves as a stark reminder of how attackers exploit trust and legitimate platforms like Microsoft Teams to infiltrate systems. Vigilance and proactive security measures are essential to thwarting similar threats in the future.