Ransomware gangs pose as IT support in Microsoft Teams phishing attacks

Ransomware gangs are increasingly adopting email bombing followed by posing as tech support in Microsoft Teams calls to trick employees into allowing remote control and install malware that provides access to the company network.

The threat actors are sending thousands of spam messages over a short period and then call the target from an adversary-controlled Office 365 instance pretending to provide IT support.

This tactic has been observed since late last year in attacks attributed to Black Busta ransomware but researchers at cybersecurity company Sophos have seen the same method being used by other threat actors that may be connected to the FIN7 group.

To reach to company employees, the hackers take advantage of the default Microsoft Teams configuration at the targeted organization that permits calls and chats from external domains.

Observed activity

The first campaign that Sophos investigated has been linked to a group the researchers track internally as STAC5143. The hackers started by emailing targets a massive number of messages, to a rate of 3,000 in 45 minutes.

Shortly after, the targeted employee received an external Teams call from an account named “Help Desk Manager.” The threat actor convinced the victim to set up a remote screen control session through Microsoft Teams.

The attacker dropped a Java archive (JAR) file (MailQueue-Handler.jar) and Python scripts (RPivot backdoor) hosted on an external SharePoint link.

The JAR file executed PowerShell commands to download a legitimate ProtonVPN executable that side-loaded a malicious DLL (nethost.dll).

The DLL creates an encrypted command-and-control (C2) communication channel with external IPs, providing the attackers remote access to the compromised computer.

The attacker also ran Windows Management Instrumentation (WMIC) and whoami.exe to check system details and deployed second-stage Java malware to execute RPivot - a penetration testing tool that allows SOCKS4 proxy tunneling  for sending commands.

Obfuscated RPivot code
Source: Sophos

RPivot has been used in the past in attacks by FIN7. Additionally, the obfuscation techniques used have also been previously observed in FIN7 campaigns.

However, since both RPivot and the code for the obfuscation method are publicly available, Sophos cannot connect with high confidence the STAC5143 attacks to FIN7 activity, especially since FIN7 is known to have sold in the past its tools to other cybercriminal gangs.

“Sophos assesses with medium confidence that the Python malware used in this attack is connected to the threat actors behind FIN7/Sangria Tempest,” explain the researchers.

Because the attack was stopped before reaching the final stage, the researchers believe that the hackers' goal was to steal data and then deploy ransomware.

The second campaign was from a group tracked as 'STAC5777'. These attacks also started with email bombing and were followed by Microsoft Teams messages, claiming to be from the IT support department.

In this case though, the victim is tricked into installing Microsoft Quick Assist to give the attackers hands-on keyboard access, which they used to download malware hosted on Azure Blob Storage.

The malware (winhttp.dll) is side-loaded into a legitimate Microsoft OneDriveStandaloneUpdater.exe process, and a PowerShell command creates a service that relaunches it at system startup.

The malicious DLL logs the victim’s keystrokes via the Windows API, harvests stored credentials from files and the registry, and scans the network for potential pivoting points via SMB, RDP, and WinRM. 

Sophos observed STAC5777’s attempt to deploy Black Basta ransomware on the network, so the threat actor is likely related in some way to the infamous ransomware gang.

The researchers observed the threat actor accessing local Notepad and Word documents that had 'password' in the file name. The hackers also accessed two Remote Desktop Protocol files, likely looking for possible credential locations.

As these tactics become more prevalent in the ransomware space, organizations should consider blocking external domains from initiating messages and calls on Microsoft Teams, and disabling Quick Assist on critical environments.