In recent developments, cybercriminals have been exploiting Microsoft Teams, a widely used collaboration platform, to deliver malicious payloads and establish persistent access to corporate networks. This sophisticated attack vector leverages the inherent trust users place in internal communication tools, allowing attackers to bypass traditional email security measures.
Attack Methodology and Infection Chain
The attack initiates with threat actors sending phishing messages through Microsoft Teams, impersonating IT support personnel. These messages often contain malicious PowerShell commands or links that, when executed, download and install malware on the victim’s system. In some instances, attackers have utilized Windows’ built-in Quick Assist tool to gain remote access, further exploiting the trust associated with legitimate system utilities.
Upon gaining initial access, the attackers employ advanced techniques such as DLL sideloading, where a legitimate signed executable loads a malicious DLL file. This method helps evade security controls, as the initial executable appears legitimate and properly signed. Subsequently, a JavaScript-based backdoor is executed via Node.js, establishing a persistent connection to the attackers’ command-and-control infrastructure. This backdoor includes socket capabilities for remote connections and command execution, enabling the attackers to maintain control over the compromised system.
TypeLib Hijacking: A Novel Persistence Technique
A particularly concerning aspect of these attacks is the implementation of TypeLib hijacking, a persistence technique that manipulates the Windows Registry to redirect legitimate Component Object Model (COM) objects to malicious scripts hosted on external URLs. This method allows attackers to maintain persistent access that automatically reactivates after the system restarts. Security researchers have observed this technique being used in real-world attacks, marking a significant evolution in malware persistence strategies.
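The two host-side artefacts described above (a TypeLib registration that points at a remote script instead of a local type library, and a Node.js backdoor running from somewhere other than a normal Node install) can both be hunted for from an endpoint. The following PowerShell is an added example written for this article, not code from the original report or from any of the vendors it cites. It assumes that the hijacked value is the default value of a `win32`/`win64` key under `TypeLib\{GUID}\<version>\<lcid>` and that it takes the form of a `script:` moniker or a URL; adjust the patterns to match what your own incident data shows.

```powershell
# Added example (not from the original article): a defender-side hunt for the two
# persistence artefacts discussed in the text. The "script:" moniker and URL patterns,
# and the expected Node.js install roots, are assumptions, not facts from the article.

# 1. TypeLib entries whose registered path is a moniker or URL rather than a local file.
#    Registrations live under <hive>\TypeLib\{GUID}\<ver>\<lcid>\win32 (or win64).
#    The per-user hive (HKCU\Software\Classes) is checked first because it overrides
#    HKLM and can be written without administrative rights.
function Find-SuspiciousTypeLib {
    param(
        [string[]]$Roots = @('HKCU:\Software\Classes\TypeLib', 'HKLM:\Software\Classes\TypeLib')
    )
    $suspicious = @()
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -in @('win32', 'win64') } |
            ForEach-Object {
                $value = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
                if ([string]::IsNullOrWhiteSpace($value)) { return }
                # A legitimate entry is a local .tlb/.dll/.exe path. A script: moniker,
                # a remote URL or a UNC path is not normal here and deserves analyst review.
                if ($value -match '^\s*script:' -or
                    $value -match '^\s*(https?|ftp)://' -or
                    $value -match '^\s*\\\\[^\\]+\\') {
                    $suspicious += [pscustomobject]@{
                        Hive  = $root
                        Key   = $_.Name
                        Value = $value
                    }
                }
            }
    }
    return $suspicious
}

# 2. node.exe processes executing from outside the expected install locations.
#    A JavaScript backdoor dropped by a phishing chain is unlikely to live under
#    Program Files; anything else (user profile, temp, ProgramData) is worth a look.
function Find-SuspiciousNodeProcess {
    param(
        [string[]]$ExpectedRoots = @("$env:ProgramFiles\nodejs", "${env:ProgramFiles(x86)}\nodejs")
    )
    Get-CimInstance Win32_Process -Filter "Name = 'node.exe'" |
        Where-Object {
            $path = $_.ExecutablePath
            $path -and -not ($ExpectedRoots | Where-Object { $path -like "$_\*" })
        } |
        Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine
}

# Usage: run in an elevated session so HKLM and all processes are visible.
Find-SuspiciousTypeLib    | Format-Table -AutoSize
Find-SuspiciousNodeProcess | Format-Table -AutoSize
```

Both functions only read state and report; they are meant to be run across a fleet (for example through an EDR live-response or a scheduled task) and the output forwarded to whoever triages alerts. A hit on either check is a lead, not a verdict: confirm the registry value against a known-good machine and inspect the process's command line before taking action.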
Association with Known Threat Actors
These sophisticated attack patterns align with techniques attributed to threat actor groups such as Storm-1811, known for deploying Black Basta ransomware. Additionally, Microsoft has identified similar campaigns since mid-April 2024, where attackers bombard victims with spam emails before calling while impersonating IT support staff. Security researchers at Trend Micro have also documented comparable attacks distributing DarkGate malware through Teams voice calls, instructing victims to download remote access applications like AnyDesk.
Detection and Mitigation Strategies
The attack chain utilizes several MITRE ATT&CK techniques, including:
– T1105 – Ingress Tool Transfer
– T1656 – Impersonation
– T1219 – Remote Access Software
– T1218 – Signed Binary Proxy Execution
– T1197 – BITS Jobs
To mitigate the risk of such attacks, security experts recommend the following measures:
1. Restrict or Uninstall Unnecessary Remote Access Tools: Organizations should block or uninstall tools like Quick Assist if they are not required, reducing the risk of unauthorized remote access.
2. Disable External Connections in Microsoft Teams: Limiting or disabling external connections can prevent attackers from exploiting the platform to deliver malicious payloads.
3. Implement Multi-Factor Authentication (MFA): Enforcing MFA adds an additional layer of security, making it more challenging for attackers to gain unauthorized access.
4. Conduct Regular User Awareness Training: Educating employees about the risks of phishing and social engineering attacks can help them recognize and report suspicious activities.
5. Monitor and Audit System Logs: Regularly reviewing system logs can help detect unusual activities indicative of a compromise.
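Mitigations 1, 2 and 5 above can be checked, and optionally enforced, from a script. The PowerShell below is an added example written for this article, not code from the original report. It assumes Quick Assist is installed as the Windows optional capability whose name starts with `App.Support.QuickAssist`, that the tenant-level Teams setting is controlled by `Set-CsTenantFederationConfiguration` from the MicrosoftTeams module (parameter names should be verified against the module version in use), and that PowerShell script block logging is enabled through the standard policy registry key.

```powershell
# Added example (not from the original article): audit and optional enforcement of
# three of the recommended mitigations. Without -Enforce the script only reports.
# Requires an elevated session for the local checks and an authenticated
# MicrosoftTeams session (Connect-MicrosoftTeams) for the tenant check.
# Cmdlet and parameter names are assumptions to verify against your module versions.
param([switch]$Enforce)

# 1. Quick Assist ships as an optional Windows capability; remove it where it is not needed.
function Invoke-QuickAssistAudit {
    $caps = Get-WindowsCapability -Online | Where-Object { $_.Name -like 'App.Support.QuickAssist*' }
    foreach ($c in $caps) {
        Write-Host "Quick Assist capability $($c.Name): $($c.State)"
        if ($Enforce -and $c.State -eq 'Installed') {
            Remove-WindowsCapability -Online -Name $c.Name | Out-Null
            Write-Host "  removed"
        }
    }
}

# 2. Teams: stop federated tenants and consumer accounts from reaching your users.
function Invoke-TeamsExternalAccessAudit {
    $cfg = Get-CsTenantFederationConfiguration
    Write-Host "Teams AllowFederatedUsers=$($cfg.AllowFederatedUsers) AllowTeamsConsumer=$($cfg.AllowTeamsConsumer)"
    if ($Enforce -and ($cfg.AllowFederatedUsers -or $cfg.AllowTeamsConsumer)) {
        # If some partner domains must stay reachable, use the -AllowedDomains
        # allowlist instead of disabling federation outright.
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $false -AllowTeamsConsumer $false
        Write-Host "  external access disabled"
    }
}

# 5. Logging: make sure PowerShell script block logging (event ID 4104) is on, so a
#    command a user is talked into pasting leaves a record the SOC can find.
function Invoke-ScriptBlockLoggingAudit {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $enabled = (Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    Write-Host "PowerShell script block logging enabled: $($enabled -eq 1)"
    if ($Enforce -and $enabled -ne 1) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
        Write-Host "  enabled"
    }
}

Invoke-QuickAssistAudit
Invoke-ScriptBlockLoggingAudit
if (Get-Command Get-CsTenantFederationConfiguration -ErrorAction SilentlyContinue) {
    Invoke-TeamsExternalAccessAudit
} else {
    Write-Host "MicrosoftTeams module not loaded; skipping tenant federation check"
}
```

Run it once without `-Enforce` to see the current state, and deploy the enforcing form through your configuration management tool rather than by hand so the settings are reapplied if they drift. The script block logging check is the one that pays off during an investigation: with event 4104 flowing to a central collector, the PowerShell a victim was instructed to run in Teams is visible alongside the Teams and remote-access activity that preceded it.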
As collaboration tools like Microsoft Teams become integral to business operations, it is crucial for organizations to recognize the potential security risks and implement robust measures to protect their networks and data.