Hackers Exploit Microsoft Teams Calls to Deploy EtherRAT Malware

Cybercriminals are increasingly exploiting Microsoft Teams calls to infiltrate corporate systems and deploy the EtherRAT malware. This sophisticated attack combines social engineering with legitimate remote support tools, making it challenging for victims to recognize the threat.

The attack typically begins with a phishing email containing an “Employee Survey” lure and a malicious PDF attachment. Upon opening the attachment, the target receives a Microsoft Teams voice call from an individual posing as a “System Administrator.” Notably, the caller’s account is associated with a domain designed to resemble a legitimate helpdesk address, enhancing the credibility of the impersonation.

During the call, the attacker persuades the victim to enable Teams’ screen-sharing feature, granting remote control over the device. Subsequently, the attacker guides the victim to install legitimate remote access tools, using familiar software names to avoid suspicion. This step provides the attacker with a foothold that appears as routine technical support rather than an intrusion.

With remote access secured, the attacker downloads and executes a malicious MSI installer that discreetly fetches a legitimate Node.js runtime onto the compromised machine. The installer then decrypts hidden payloads bundled within it, ultimately launching the EtherRAT malware. Due to the use of genuine software components, many endpoint security tools may fail to detect this activity as malicious.

EtherRAT is a cross-platform remote access trojan built entirely in Node.js, granting it flexibility across different operating systems. Once active, it can execute commands, manipulate files, exfiltrate sensitive data, and maintain long-term persistence on the infected system. A distinctive feature of EtherRAT is its use of Ethereum smart contracts to retrieve the address of its command-and-control server, complicating takedown efforts for defenders.

Researchers have noted that EtherRAT has a history tied to state-sponsored operations, having previously surfaced in attacks exploiting critical vulnerabilities. Its current use by a broader range of criminal groups suggests that the tool is being shared or sold beyond its original operators. Additionally, an open directory on the attacker’s distribution server revealed multiple versions of the installer, indicating active and ongoing development of the malware.

This incident underscores the growing trend of cybercriminals leveraging trusted communication platforms like Microsoft Teams to conduct social engineering attacks. By impersonating IT support personnel, attackers can deceive employees into granting remote access, leading to data exfiltration and system compromise. Organizations must remain vigilant and implement robust security measures to mitigate such threats.

To protect against these sophisticated attacks, organizations should:

  • Implement multi-factor authentication (MFA) to add an extra layer of security.
  • Educate employees on recognizing phishing attempts and the importance of verifying the identity of IT support personnel.
  • Monitor for unusual activities within collaboration platforms and establish protocols for reporting suspicious interactions.
  • Regularly update and patch systems to address known vulnerabilities.

By adopting these proactive measures, organizations can enhance their defenses against the evolving tactics of cybercriminals exploiting trusted communication tools.