Cyber Security

Hackers Exploiting Microsoft’s Quick Assist Tool To Deliver Ransomware

Hackers often target remote assist tools because they create a direct channel to access desired systems with minimum effort. 

These tools have been built for remote control and access purposes, which makes them very appealing targets for attackers looking to hack networks or take over specific devices.

Microsoft observed the Storm-1811 group using Quick Assist for social engineering attacks that deploy Black Basta ransomware. 

Exploiting Quick Assist’s Remote Access

The attacks begin with vishing, exploiting Quick Assist’s remote access for initial compromise, and then delivering malware like:-

  • Qakbot
  • Cobalt Strike

Microsoft is improving Quick Assist warnings against tech support scams while detections block malicious activity. Blocking unused remote tools and user education on recognizing scams can reduce risk.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Threat actors involved in threat activities impersonate IT support to undertake vishing attacks and trick target persons into giving them Quick Assist remote access. 

They usually do this by pretending to fix a problem or offering spam help as a response to email flooding.

Code screen (Source – Microsoft)

While on the call, Microsoft said they got the victim to initiate Quick Assist, enter the given code, enable screen sharing, and grant control access, consequently fully compromising the device.

Screen sharing (Source – Microsoft)

Control is taken over through Quick Assist during which scripts are run to download malicious payloads that sometimes pretend to be spam filter updates in order to harvest credentials.

Some of the observed payloads included Qakbot and remote management tools such as ScreenConnect and Cobalt Strike, which finally led to the deployment of Black Basta ransomware by the Storm-1811 group using their access from Qakbot and Cobalt Strike.

After initial access, the attackers use ScreenConnect for persistence and lateral movement, NetSupport Manager for remote control, and OpenSSH tunneling. 

They perform domain enumeration and use PsExec to deploy Black Basta ransomware received from the Qakbot and Cobalt Strike access by Storm-1811. 

Black Basta is closed ransomware distributed by a few actors. Relying on initial access brokers while focusing on pre-ransomware stages reduces the threat impact.

Recommendations

Here below we have mentioned all the recommendations:-

  • Block and uninstall unused remote tools like Quick Assist, and use secure alternatives like Remote Help.
  • Educate users on identifying tech support scams and not providing unauthorized remote access.
  • Report suspected malicious remote sessions and tech support scams.
  • Train users on protecting info, spotting phishing, and reporting recon attempts.
  • Implement anti-phishing solutions like Defender for Office 365.
  • Enable cloud-delivered protection and tamper protection in antivirus.
  • Turn on network protection against malicious domains.
  • Use automated investigation and remediation in Defender for Endpoint.
  • Follow Microsoft’s ransomware hardening guidance.

IoCs

Domain Names:

  • upd7a[.]com
  • upd7[.]com
  • upd9[.]com
  • upd5[.]pro

SHA-256:

  • 71d50b74f81d27feefbc2bc0f631b0ed7fcdf88b1abbd6d104e66638993786f8
  • 0f9156f91c387e7781603ed716dcdc3f5342ece96e155115708b1662b0f9b4d0
  • 1ad05a4a849d7ed09e2efb38f5424523651baf3326b5f95e05f6726f564ccc30
  • 93058bd5fe5f046e298e1d3655274ae4c08f07a8b6876e61629ae4a0b510a2f7
  • 1cb1864314262e71de1565e198193877ef83e98823a7da81eb3d59894b5a4cfb

ScreenConnect Relay:

  • instance-olqdnn-relay.screenconnect[.]com

NetSupport C2:

  • greekpool[.]com

Cobalt Strike Beacon C2:

  • zziveastnews[.]com
  • realsepnews[.]com

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free

Tushar Subhra Dutta

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Bondnet Using High-Performance Bots For C2 Server

Threat actors abuse high-performance bots to carry out large-scale automated attacks efficiently. These bots can…

2 hours ago

Discord-Based Malware Attacking Orgs Linux Systems In India

Linux systems are deployed mostly in servers, in the cloud, and in environments that are…

2 hours ago

New Moonstone Sleet North Korean Actor Deploying Malicious Open Source Packages

In December 2023, we reported on how North Korean threat actors, particularly Jade Sleet, have…

4 hours ago

Life360 Breach: Hackers Accessed the Tile Customer Support Platform

Life360, a company known for its family safety services, recently fell victim to a criminal…

6 hours ago

Microsoft Delays Release of Controversial Windows AI Recall Tool Amid Privacy Concerns

Microsoft has announced that it will delay the broad release of its AI-powered Recall feature…

10 hours ago

SmokeLoader – A Modular Malware With Range Of Capabilities

Hackers misuse malware for diverse illicit intentions, including data theft, disrupting systems, espionage, or distortion…

23 hours ago