Threat Actors Delivering Ransomware Via Microsoft Teams Using Voice Calls


Sophos Managed Detection and Response (MDR) has uncovered two distinct ransomware campaigns exploiting Microsoft Teams to gain unauthorized access to targeted organizations.

The threat actors, tracked as STAC5143 and STAC5777, are leveraging a default Microsoft Teams configuration that allows external users to initiate chats or meetings with internal users.

The attack methodology chains several techniques together, and Sophos researchers describe it as a multi-step approach:-

  1. Email Bombing: Targets are overwhelmed with up to 3,000 spam emails in under an hour.
  2. Social Engineering: Posing as IT support, attackers initiate Microsoft Teams calls to victims.
  3. Remote Access: Threat actors guide victims to install Microsoft Quick Assist or use Teams’ built-in remote control feature.
  4. Malware Deployment: Once in control, attackers execute malicious payloads.


Campaigns

STAC5143 Campaign

  • Utilizes Java Archive (JAR) files and Python-based backdoors
  • Deploys obfuscated RPivot, a reverse SOCKS proxy tool
  • Uses a lambda function for code obfuscation, similar to FIN7 techniques
  • Connects to command and control (C2) servers over port 80

Python code from an obfuscated copy of RPivot in the winter.zip archive (Source – Sophos)

STAC5777 Campaign

  • Employs a malicious DLL (winhttp.dll) side-loaded by a legitimate Microsoft executable (OneDriveStandaloneUpdater.exe)
  • Establishes C2 connections using unsigned OpenSSL toolkit drivers
  • Registry modifications, for example:
  reg add "HKLM\SOFTWARE\TitanPlus" /v 1 /t REG_SZ /d "185.190.251.16:443;207.90.238.52:443;89.185.80.86:443" /f
  • Creates a service and .lnk file for persistence
  • Conducts SMB scanning for lateral movement
  • Attempts to uninstall security software and MFA solutions

The malware used in these campaigns has the following capabilities:-

  • Collect system and OS details
  • Gather user credentials
  • Log keystrokes using Windows API functions
  • Perform network discovery and lateral movement
  • Exfiltrate sensitive data

Threat actor’s incoming activity captured by Microsoft Office 365 integration (Source – Sophos)
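The chain above (email bombing, an external Teams call, a remote-access tool launch, the winhttp.dll side-load by OneDriveStandaloneUpdater.exe and the TitanPlus registry key) lends itself to correlation across mail, Teams and endpoint telemetry. The following is an added example written for this page, not code from Sophos or the article: it runs over constructed, normalised event records whose field names (`source`, `user`, `action`, `external_tenant`, `image`, `module`, `key`) are assumptions rather than any vendor's schema, and the burst threshold and follow-up window are tuning assumptions.

```python
"""Correlate a Teams-delivered intrusion chain across mail, Teams and host telemetry.

Added example, not code from Sophos or the article. Event records use a
constructed, normalised shape; field names are assumptions, not a vendor schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tuning assumptions: an "email bomb" is >= BURST_THRESHOLD inbound messages to one
# mailbox inside BURST_WINDOW; later stages must follow within FOLLOW_WINDOW.
BURST_THRESHOLD = 500
BURST_WINDOW = timedelta(hours=1)
FOLLOW_WINDOW = timedelta(hours=6)

SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TITANPLUS_KEY = "hklm\\software\\titanplus"  # key written in the STAC5777 campaign


def _ts(s):
    return datetime.fromisoformat(s)


def email_burst_start(mail_events):
    """Return the time a sliding window first reaches BURST_THRESHOLD, else None."""
    times = sorted(_ts(e["ts"]) for e in mail_events)
    left = 0
    for right, t in enumerate(times):
        while t - times[left] > BURST_WINDOW:
            left += 1
        if right - left + 1 >= BURST_THRESHOLD:
            return times[left]
    return None


def stages_for_user(events):
    """Map each attack stage to the first matching event time in one user's events."""
    stages = {}
    inbound = [e for e in events if e["source"] == "mail" and e.get("direction") == "inbound"]
    burst = email_burst_start(inbound)
    if burst is None:  # without the email bomb, the later stages are not tied together here
        return stages
    stages["email_bomb"] = burst
    deadline = burst + FOLLOW_WINDOW
    for e in sorted(events, key=lambda e: e["ts"]):
        t = _ts(e["ts"])
        if not burst <= t <= deadline:
            continue
        src = e["source"]
        if src == "teams" and e.get("action") == "call_received" and e.get("external_tenant"):
            stages.setdefault("external_teams_call", t)
        elif src == "process" and e.get("image", "").lower().endswith("quickassist.exe"):
            stages.setdefault("remote_access_tool", t)
        elif (src == "image_load"
              and e.get("process", "").lower().endswith("onedrivestandaloneupdater.exe")
              and e.get("module", "").lower().endswith("\\winhttp.dll")
              and not e.get("module", "").lower().startswith(SYSTEM_DLL_DIRS)):
            stages.setdefault("dll_sideload", t)  # winhttp.dll loaded from outside the system dirs
        elif src == "registry" and e.get("key", "").lower().startswith(TITANPLUS_KEY):
            stages.setdefault("c2_registry_key", t)
    return stages


def find_intrusion_chains(events, min_stages=3):
    """Group events by user; report users matching at least min_stages stages, in time order."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        stages = stages_for_user(evs)
        if len(stages) >= min_stages:
            hits[user] = sorted(stages, key=stages.get)
    return hits


def sample_events():
    """Constructed telemetry: 'alice' sees the full chain, 'bob' only ordinary mail and one call."""
    base = datetime(2025, 1, 15, 9, 0, 0)
    evs = []
    for i in range(800):  # 800 inbound messages in 40 minutes to alice (constructed)
        evs.append({"ts": (base + timedelta(seconds=3 * i)).isoformat(), "source": "mail",
                    "direction": "inbound", "user": "alice"})
    for i in range(40):  # normal mail volume for bob (constructed)
        evs.append({"ts": (base + timedelta(minutes=i)).isoformat(), "source": "mail",
                    "direction": "inbound", "user": "bob"})
    evs += [
        {"ts": (base + timedelta(minutes=55)).isoformat(), "source": "teams", "user": "alice",
         "action": "call_received", "external_tenant": True},
        {"ts": (base + timedelta(minutes=58)).isoformat(), "source": "process", "user": "alice",
         "image": "C:\\Program Files\\WindowsApps\\QuickAssist\\QuickAssist.exe"},  # constructed path
        {"ts": (base + timedelta(minutes=70)).isoformat(), "source": "image_load", "user": "alice",
         "process": "C:\\Users\\alice\\AppData\\Local\\OneDriveStandaloneUpdater.exe",
         "module": "C:\\Users\\alice\\AppData\\Local\\winhttp.dll"},
        {"ts": (base + timedelta(minutes=71)).isoformat(), "source": "registry", "user": "alice",
         "key": "HKLM\\SOFTWARE\\TitanPlus", "value": "1"},
        {"ts": (base + timedelta(minutes=30)).isoformat(), "source": "teams", "user": "bob",
         "action": "call_received", "external_tenant": True},
    ]
    return evs


if __name__ == "__main__":
    for user, chain in find_intrusion_chains(sample_events()).items():
        print(f"{user}: {' -> '.join(chain)}")
```

The email burst acts as the anchor because it is the noisiest and earliest stage; a single external Teams call (as for "bob" above) is normal business traffic and does not fire on its own. In production the thresholds would be set from a baseline of the tenant's own mail volume, and the `min_stages` knob trades early warning against false positives.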

In one instance, STAC5777 attempted to deploy Black Basta ransomware, which was blocked by Sophos endpoint protection.

As mitigation strategies, organizations should:-

  1. Restrict Teams calls from external organizations
  2. Limit the use of remote access applications like Quick Assist
  3. Implement application control settings to block unauthorized Quick Assist execution
  4. Utilize Microsoft Office 365 integration for security monitoring
  5. Enhance employee awareness about these social engineering tactics
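The first mitigation, restricting Teams contact from external organizations, is a tenant setting that can be exported and checked. The following is an added example, not code from Sophos or the article: it audits a dictionary that represents an exported Teams federation configuration. The key names (`AllowFederatedUsers`, `AllowTeamsConsumer`, `AllowedDomains`) are modelled on the properties I understand `Get-CsTenantFederationConfiguration` to expose and are an assumption, not a verified schema; the two sample configurations are constructed.

```python
"""Audit an exported Teams external-access configuration for the weak default the
campaigns relied on. Added example; key names are assumed, not a verified schema."""


def audit_teams_external_access(cfg):
    """Return a list of findings for settings that let external parties start chats/calls."""
    findings = []
    # Assumed semantics: federation on with no allow-list means any external tenant may call in.
    if cfg.get("AllowFederatedUsers", True):
        if not cfg.get("AllowedDomains"):
            findings.append("federation is open to every external tenant; use an allow-list of partner domains")
    # Assumed semantics: consumer (personal) Teams accounts are a separate switch.
    if cfg.get("AllowTeamsConsumer", True):
        findings.append("personal Teams accounts can contact users; disable unless required")
    return findings


# Constructed sample: the permissive default, then a hardened configuration.
WEAK_CONFIG = {"AllowFederatedUsers": True, "AllowedDomains": [], "AllowTeamsConsumer": True}
HARDENED_CONFIG = {"AllowFederatedUsers": True, "AllowedDomains": ["partner.example"],
                   "AllowTeamsConsumer": False}  # partner.example is a placeholder domain

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_teams_external_access(cfg) or ["no findings"])
```

A missing key is treated as the permissive value, so an incomplete export still surfaces the finding rather than silently passing.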

Sophos has deployed detections for the malware used in these campaigns, including ATK/RPivot-B, Python/Kryptic.IV, and Troj/Loader-DV.
