Fake Microsoft Teams updates lead to the development of Cobalt Strike

Ransomware creators use malicious fake ads for Microsoft Teams updates to infect with backdoors Cobalt Strike systems to endanger the rest of the network.

Ransomware attacks have long targeted organizations in various industries, but the most recent ones have focused on education, which depends on video conferencing solutions due to the limitations of Covid-19.

FakeUpdates attacks appeared in 2019 with the delivery of the DoppelPaymer ransomware. But this year, the malicious campaigns They dropped the WastedLocker ransomware and showed technical progress.

More recently, hackers exploited the ZeroLogon critical vulnerability (CVE-2020-1472) to gain administrator access to the network. This happened via the SocGholish JavaScript framework, found earlier this year in dozens of hacks newspapers belonging to the same company.

The placement of malicious fake ads that entice unsuspecting users to click on it to install an update was trapped by injection.

In at least one attack detected by Microsoft, the crooks targeted the Teams. They were sharing Teams ads with malicious links. Clicking on the link downloaded a payload that executed a PowerShell script to retrieve more malicious content.

He also installed a legal copy of Microsoft Teams on the system, so that the victims would not be suspected.

Microsoft says that in many cases the initial payload was Predator the Thief infostealer, which sends the attacker sensitive information such as credentials, and data s. Other malware distributed this way include the Bladabindi (NJRat) backdoor and ZLoader .

The malware also downloaded other payloads, with the Cobalt Strike beacons among them, allowing the attacker to discover how it could move sideways on the network.

Microsoft warns that the same patterns seen in FakeUpdates campaigns using the Teams update lure were found in at least six other types of attacks. In some variations of the same attack, the attacker used the συντόμευσης διευθύνσεων URL logger.

Microsoft recommends using web browsers that can filter and block malicious sites (fraud, cyberbullying, malware, and hosting) along with the use of strong, random passwords for local administrators.

Restricting administrator privileges to key users and avoiding service-wide accounts that have the same rights as an administrator are also on the list of measures that will reduce the impact of an attack.

To minimize the risk, Microsoft recommends blocking executable files that do not meet certain criteria, such as age or if they are not in a regularly maintained trusted list.

Ο αποκλεισμός κώδικα JavaScript και από τη λήψη εκτελέσιμου περιεχομένου προσθέτει επίσης σημαντικές άμυνες.

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.100 registrants.

Written by Anastasis Vasileiadis

Translations are like women. When they are beautiful they are not faithful and when they are faithful they are not beautiful.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).