Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Microsoft Quick Assist Tool Abused for Ransomware Delivery

The Black Basta group abuses remote connection tool Quick Assist in vishing attacks leading to ransomware deployment.

Cybercriminals who have been using the Black Basta ransomware have been observed abusing the remote management tool Quick Assist in vishing (voice phishing) attacks, Microsoft reports.

Active since 2022 and believed to have hit over 500 organizations globally, Black Basta is a ransomware-as-a-service (RaaS) that likely received over $100 million in ransom payments from its victims.

Last week, the US government warned of Black Basta affiliates targeting numerous critical infrastructure organizations in North America, Europe, and Australia, including healthcare entities, and using social engineering and the exploitation of known vulnerabilities for initial access.

Starting mid-April 2024, the Black Basta threat actors have been observed conducting vishing attacks in which they impersonate IT or help desk personnel to convince victims to install legitimate remote monitoring and management tools that are then abused for malware deployment.

According to Microsoft, the threat actors were seen installing tools such as ScreenConnect and NetSupport Manager, which were followed by the deployment of Qakbot, Cobalt Strike, and Black Basta ransomware.

The attacks started with Black Basta threat actors signing up the victim’s email address to multiple email subscription services to flood their inbox, and then impersonating IT support in phone calls allegedly meant to help the targeted individual resolve the issue.

During the phone call, the attackers convinced the victim to provide access to their device through Quick Assist, a Microsoft application that allows users to share their devices via a remote connection, providing the remote party with the ability to view the display or take full control, typically for troubleshooting.

“Threat actors misuse Quick Assist features to perform social engineering attacks by pretending, for example, to be a trusted contact like Microsoft technical support or an IT professional from the target user’s company to gain initial access to a target device,” Microsoft explains.

Advertisement. Scroll to continue reading.

Once the user enabled screen sharing through Quick Assist, the attacker requested full control over the device and, after the user approved it, executed a command to deploy the malicious payloads, including batch scripts that install fake spam filters that requested the victim’s credentials.

In some of the observed attacks, Qakbot was deployed on the victim’s system to deliver a Cobalt Strike implant attributed to the Black Basta threat actors.

Furthermore, the attackers used ScreenConnect to gain persistence and move laterally, and followed up with hands-on-keyboard activities, including domain enumeration and the deployment of ransomware across the network, using PsExec.

Microsoft says it will help mitigate the abuse of Quick Assist in malicious attacks by incorporating alerts to inform users of possible tech support scams.

Related: Shields Up: How to Minimize Ransomware Exposure

Related: LockBit Ransomware Mastermind Unmasked, Charged

Related: US, Israel Provide Guidance on Securing Remote Access Software

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Gabriel Agboruche has been named Executive Director of OT and Cybersecurity at Jacobs.

Data security startup Reco adds Merritt Baer as CISO

Chris Pashley has been named CISO at Advanced Research Projects Agency for Health (ARPA-H).

More People On The Move

Expert Insights