Hackers exploited Microsoft Teams to trick a victim into allowing remote access to their PC. Trend Micro studied the attack, which demonstrates the increasing sophistication of cybercriminals’ social engineering efforts.
The attack began with a torrent of phishing emails aimed at the victim. Shortly after, the attacker began a Microsoft Teams call while acting as a trusted client employee.
On a call conversation, the attacker directed the victim to download a remote help application, originally recommending Microsoft Remote help. When installation from the Microsoft Store failed, the attacker switched to AnyDesk, a legal remote desktop tool frequently used by hackers.
AnyDesk, a remote desktop program and application, once installed, the attacker got control of the victim’s computer. They installed many strange files, one of which was recognized as a Trojan.AutoIt.DARKGATE.D.
This malware was deployed using an AutoIt script, which provided remote system control, executed malicious commands, and linked to a command-and-control (C2) server.
After getting access via AnyDesk, the attacker ran commands to gather full system and network configurations. Systeminfo, route print, and ipconfig /all were used to gather information on the system’s hardware, software, and network configuration. The obtained information was saved in a file called 123.txt, most likely for future reconnaissance.
The malware also used defensive evasion techniques. For example, AutoIt scripts were used to identify antivirus software on the machine and avoid detection. Malicious files were also downloaded and extracted into the infiltrated machine’s secret directories.
One especially nasty program, SystemCert.exe, generated additional scripts and executables in temporary directories. These files enabled further malicious activities, such as connecting to a C2 server and downloading further payloads.
Fortunately, the assault was detected before any data was exfiltrated. The root cause study indicated that no sensitive information was stolen, however persistent files and registry entries were created on the victim’s computer. However, this event highlights the vital necessity for strong security measures.
To protect and fight against such assaults, companies should apply the following best practices:
Verify The Third-Party Claims: Always authenticate the affiliations of third-party technical support providers before providing access.
Control remote access tools: To improve security, whitelist approved tools like AnyDesk and require multi-factor authentication (MFA).
Have Training Sessions with Employees: To lessen vulnerability to such assaults, educate staff on social engineering strategies like phishing and vishing (voice phishing).
This event is a striking reminder of how attackers use trust and legitimate platforms like Microsoft Teams to enter systems. Vigilance and proactive security measures are critical for preventing similar incidents in the future.
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
