Microsoft’s Quick Assist Tool Used to Deploy Ransomware
Microsoft has warned about hackers using its customer management tool to launch ransomware attacks.
A ransomware operator has been observed using Microsoft’s Quick Assist tool to trick victims into deploying ransomware.
Storm-1811 (Microsoft’s own nomenclature) appears to be an associate of the Black Basta ransomware gang and is using Quick Assist as part of its initial attack vector.
Quick Assist is designed as a client management tool: a user shares their device (either Mac or Windows) with a remote user, typically a technical support operator, who can then control the device to fix an issue.
Storm-1811 uses the tool in a couple of different social engineering tricks. The threat actor cold-calls a victim and poses as a legitimate tech support operator, either performing a “generic fix” on the device or first manufacturing an issue to resolve. The manufactured issue is typically a spam flood: the threat actor signs the victim’s email address up to a large number of subscriptions to create the problem in the first place.
They then use this email bombing attack to convince the victim that they are aware of the problem and can help stop the spam.
Regardless of how the hackers get in touch, once they convince the victim that they are genuine, they ask the victim to open Quick Assist and share their screen. The hackers then use Quick Assist’s ‘Request Control’ feature to take over the device. If the victim approves the request, the threat actor deploys its malicious payload via batch or ZIP files.
“Some of the batch scripts observed reference the installation of fake spam filter updates that require targets to provide login credentials,” Microsoft’s Threat Intelligence team said in a blog post.
“In several cases, Microsoft Threat Intelligence identified such activity leading to the download of Qakbot, RMM tools such as ScreenConnect and NetSupport Manager, and Cobalt Strike.”
With these tools in place, the threat actor can move laterally within the now compromised network and maintain persistence.
“After the threat actor installs the initial tools and ends the phone call, Storm-1811 takes advantage of their access and performs more hands-on keyboard activities, such as domain enumeration and lateral movement,” Microsoft said.
“Storm-1811 then uses PsExec to deploy Black Basta ransomware across the network.”
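The chain described above (Quick Assist session, batch or ZIP payload, RMM tools, PsExec) leaves a recognisable trail in process-creation telemetry. The following PowerShell is an added example, not code from Microsoft’s blog post or from this article: it runs three simple hunting rules over process-creation records whose field names mimic Sysmon Event ID 1. The records are constructed, the Quick Assist install path in them is illustrative, and the ScreenConnect and NetSupport executable names (`ScreenConnect.ClientService.exe`, `client32.exe`) are assumptions rather than anything the article states.

```powershell
# Added example (not from the article or Microsoft): hunt process-creation records for
# the Storm-1811 chain. Field names mimic Sysmon Event ID 1; all records are constructed.
$sampleEvents = @(
    [pscustomobject]@{
        Time = '2024-05-15T10:02:11'; Host = 'WS01'; User = 'CORP\jdoe'
        ParentImage = 'C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe'   # illustrative path
        Image       = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe /c "C:\Users\jdoe\Downloads\spam_filter_update.bat"'
    }
    [pscustomobject]@{
        Time = '2024-05-15T10:09:40'; Host = 'WS01'; User = 'CORP\jdoe'
        ParentImage = 'C:\Windows\System32\msiexec.exe'
        Image       = 'C:\ProgramData\Support\client32.exe'                         # NetSupport client name (assumed)
        CommandLine = 'client32.exe'
    }
    [pscustomobject]@{
        Time = '2024-05-15T11:31:02'; Host = 'SRV02'; User = 'NT AUTHORITY\SYSTEM'
        ParentImage = 'C:\Windows\System32\services.exe'
        Image       = 'C:\Windows\PSEXESVC.exe'
        CommandLine = 'C:\Windows\PSEXESVC.exe'
    }
    [pscustomobject]@{
        Time = '2024-05-15T11:35:17'; Host = 'WS03'; User = 'CORP\asmith'
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\notepad.exe'                              # benign control record
        CommandLine = 'notepad.exe notes.txt'
    }
)

function Find-QuickAssistAbuse {
    param([Parameter(Mandatory)][object[]]$Events)

    # Script hosts that a support session should not normally be launching.
    $scriptHosts    = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe')
    # Executable names for the RMM tools named in the article (assumed names).
    $rmmBinaries    = @('screenconnect.clientservice.exe', 'client32.exe')
    # PsExec client and the service it drops on the remote host.
    $psexecBinaries = @('psexec.exe', 'psexec64.exe', 'psexesvc.exe')

    foreach ($e in $Events) {
        $parent = [System.IO.Path]::GetFileName($e.ParentImage).ToLowerInvariant()
        $image  = [System.IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        $rule   = $null

        if ($parent -eq 'quickassist.exe' -and
            ($image -in $scriptHosts -or $e.CommandLine -match '\.(bat|cmd|zip)\b')) {
            $rule = 'Quick Assist spawned a script host or batch/ZIP payload'
        }
        elseif ($image -in $psexecBinaries) {
            $rule = 'PsExec activity (possible ransomware deployment)'
        }
        elseif ($image -in $rmmBinaries) {
            $rule = 'Unexpected RMM tool started'
        }

        if ($rule) {
            [pscustomobject]@{
                Time = $e.Time; Host = $e.Host; User = $e.User
                Rule = $rule; Process = $image; CommandLine = $e.CommandLine
            }
        }
    }
}

# Expected: three hits (WS01 cmd.exe, WS01 client32.exe, SRV02 PSEXESVC.exe); notepad.exe is not flagged.
Find-QuickAssistAbuse -Events $sampleEvents | Format-Table -AutoSize
```

In a real environment the `$sampleEvents` array would be replaced by Sysmon or Windows Security 4688 events pulled from the SIEM, and the PsExec rule should be tuned to exclude hosts where administrators legitimately use it, otherwise it will be noisy.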
According to Microsoft, the use of Quick Assist to deploy tools like Qakbot shows the need to focus on the early stages of a ransomware attack, not just the eventual deployment of the ransomware itself. Microsoft recommends educating users about tech support scams and even uninstalling Quick Assist in environments where it is not in use.
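For the uninstall recommendation, the following PowerShell is an added example rather than a script from Microsoft or from this article. It audits whether Quick Assist is present on a machine, as either the Features-on-Demand capability or the Store package, and removes it only when `-Remove` is given. The capability name `App.Support.QuickAssist~~~~0.0.1.0` (matched by wildcard below) and the Store package name `MicrosoftCorporationII.QuickAssist` are the names I know of; confirm them against `Get-WindowsCapability` and `Get-AppxPackage` output on your own builds before rolling this out. Run it from an elevated session.

```powershell
# Added example (not from the article or Microsoft): audit and optionally remove Quick Assist.
# Capability and Store package names are assumptions; verify on your own Windows builds.
function Invoke-QuickAssistAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remove)

    $findings = @()

    # Inbox (Features on Demand) build of Quick Assist.
    $caps = Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' -ErrorAction SilentlyContinue
    foreach ($c in $caps) {
        $findings += [pscustomobject]@{ Kind = 'Capability'; Name = $c.Name; State = $c.State }
        if ($Remove -and $c.State -eq 'Installed' -and
            $PSCmdlet.ShouldProcess($c.Name, 'Remove-WindowsCapability')) {
            Remove-WindowsCapability -Online -Name $c.Name | Out-Null
        }
    }

    # Store build of Quick Assist (package name assumed).
    $pkgs = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue
    foreach ($p in $pkgs) {
        $findings += [pscustomobject]@{ Kind = 'AppxPackage'; Name = $p.PackageFullName; State = 'Installed' }
        if ($Remove -and $PSCmdlet.ShouldProcess($p.PackageFullName, 'Remove-AppxPackage')) {
            Remove-AppxPackage -Package $p.PackageFullName -AllUsers
        }
    }

    if (-not $findings) {
        $findings += [pscustomobject]@{ Kind = 'None'; Name = 'Quick Assist'; State = 'NotPresent' }
    }
    $findings
}

# Audit only, then dry-run the removal, then remove for real on hosts that do not use Quick Assist.
Invoke-QuickAssistAudit
Invoke-QuickAssistAudit -Remove -WhatIf
# Invoke-QuickAssistAudit -Remove
```

Because the function supports `-WhatIf`, it can be pushed through a configuration management tool in audit mode first and the returned objects collected centrally, so that hosts where the support desk genuinely relies on Quick Assist can be excluded before removal is enforced.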