In December 2024, cybercriminals used Microsoft Teams to trick users into granting remote access to their systems. This attack, examined by Trend Micro, showcases the growing complexity of social engineering tactics used by hackers.
Attack Methodology
The attack began with a series of phishing emails sent to the victim. Shortly after, the attacker initiated a Microsoft Teams call, pretending to be an employee from a trusted client. During the call, the attacker persuaded the victim to download a remote support application. When installing Microsoft Remote Support from the Microsoft Store failed, the attacker suggested using AnyDesk, a legitimate remote desktop tool that is sometimes misused by cybercriminals.
Once AnyDesk was installed, the attacker gained control over the victim’s computer. They installed several harmful files, including one identified as Trojan.AutoIt.DARKGATE.D. This malware, distributed via an AutoIt script, allowed the attacker to remotely control the system, run malicious commands, and connect to a command-and-control server.
Execution and Malicious Activity
After gaining access through AnyDesk, the attacker executed commands to gather detailed system information and network configurations. Commands like systeminfo, route print, and ipconfig /all were used to collect data about the system’s hardware, software, and network setup. The collected information was saved in a file named 123.txt, likely for further reconnaissance.
The malware also employed techniques to evade detection. AutoIt scripts were used to identify antivirus software on the system and avoid detection. Additionally, malicious files were downloaded and extracted into hidden directories on the compromised machine.
One particularly harmful file, SystemCert.exe, created more scripts and executables in temporary folders. These files helped further malicious activity, including connecting to a command-and-control server and downloading additional payloads.
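The discovery commands described above (systeminfo, route print, ipconfig /all, with output collected into 123.txt) are a pattern a defender can look for in process-creation telemetry. The following is an added example, not code from the original post or from Trend Micro: it parses constructed log lines in an assumed "timestamp|host|parent|image|cmdline" layout, groups discovery commands per host into time-bounded sessions, records any file the output was redirected to, and notes whether a remote desktop tool process (AnyDesk, as named on the page) started on that host shortly before. The log format, window sizes and sample values are all assumptions.

```python
"""Flag clusters of host/network discovery commands following a remote-access tool start.

Assumed input format (constructed for this example, not a real product's schema):
    time|host|parent_image|image|command_line
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry: WS01 mirrors the sequence described in the post;
# WS02 is a lone ipconfig that should NOT raise an alert.
SAMPLE_LOGS = """\
2024-12-10T09:58:01|WS01|explorer.exe|AnyDesk.exe|"C:\\Users\\u\\Downloads\\AnyDesk.exe"
2024-12-10T10:01:12|WS01|cmd.exe|cmd.exe|cmd.exe /c systeminfo >> C:\\Users\\u\\123.txt
2024-12-10T10:01:20|WS01|cmd.exe|cmd.exe|cmd.exe /c route print >> C:\\Users\\u\\123.txt
2024-12-10T10:01:31|WS01|cmd.exe|cmd.exe|cmd.exe /c ipconfig /all >> C:\\Users\\u\\123.txt
2024-12-10T10:30:00|WS02|explorer.exe|cmd.exe|cmd.exe /c ipconfig /all
"""

# Discovery commands named in the post, matched case-insensitively on the command line.
DISCOVERY = {
    "systeminfo": re.compile(r"\bsysteminfo\b", re.I),
    "route print": re.compile(r"\broute\s+print\b", re.I),
    "ipconfig /all": re.compile(r"\bipconfig\s+/all\b", re.I),
}
# Output redirected to a text file (e.g. ">> 123.txt"); captures the file path.
REDIRECT = re.compile(r">>?\s*(\S+\.txt)", re.I)
# Remote desktop tool images to correlate with (assumed list; extend for your estate).
REMOTE_TOOLS = {"anydesk.exe"}


@dataclass
class Event:
    ts: datetime
    host: str
    parent: str
    image: str
    cmdline: str


def parse_logs(text: str) -> list[Event]:
    """Parse the assumed pipe-delimited layout into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), host, parent, image, cmdline))
    return events


def find_recon_sessions(
    events: list[Event],
    window: timedelta = timedelta(minutes=10),
    tool_lookback: timedelta = timedelta(hours=1),
    min_commands: int = 2,
) -> list[dict]:
    """Return one alert per host session containing >= min_commands distinct discovery commands.

    A session is a run of discovery commands on one host where each command follows the
    previous one within `window`. The alert notes any output files and whether a remote
    desktop tool process started on the host within `tool_lookback` before the session.
    """
    by_host: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        tool_starts = [e.ts for e in evs if e.image.lower() in REMOTE_TOOLS]

        # Collect (time, command name, output file or None) for every discovery hit.
        hits = []
        for e in evs:
            for name, rx in DISCOVERY.items():
                if rx.search(e.cmdline):
                    m = REDIRECT.search(e.cmdline)
                    hits.append((e.ts, name, m.group(1) if m else None))

        # Group hits into sessions by time gap.
        sessions: list[list[tuple]] = []
        for h in hits:
            if sessions and h[0] - sessions[-1][-1][0] <= window:
                sessions[-1].append(h)
            else:
                sessions.append([h])

        for s in sessions:
            names = sorted({h[1] for h in s})
            if len(names) < min_commands:
                continue
            start = s[0][0]
            remote_seen = any(start - tool_lookback <= t <= start for t in tool_starts)
            alerts.append({
                "host": host,
                "start": start.isoformat(),
                "commands": names,
                "output_files": sorted({h[2] for h in s if h[2]}),
                "remote_tool_seen": remote_seen,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_recon_sessions(parse_logs(SAMPLE_LOGS)):
        print(alert)
```

On the constructed input this yields a single alert for WS01 listing all three commands, the shared 123.txt output file, and remote_tool_seen set to True; WS02's single ipconfig is below the threshold. In production the correlation on a remote tool start is what separates an administrator's routine troubleshooting from the post-access pattern described here, so it is worth weighting that flag heavily when triaging.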
Fortunately, this attack was stopped before any data was stolen. The root cause analysis revealed that no sensitive information was taken, although persistent files and registry entries were created on the victim’s machine. This incident shows how important it is to have strong security measures in place.
Preventative Measures
To prevent such attacks, organizations should consider the following steps:
- Verify Third-Party Claims: Always confirm the identity of third-party technical support providers before granting access.
- Control Remote Access Tools: Allow only approved tools like AnyDesk and enforce multi-factor authentication for added security.
- Employee Training: Educate employees about social engineering tactics, such as phishing and voice phishing, to reduce the likelihood of falling victim to such attacks.
This incident serves as a reminder of how attackers can exploit trust and legitimate platforms like Microsoft Teams to infiltrate systems. Staying vigilant and implementing proactive security measures are essential to preventing similar threats in the future.
Want your digital assets to be protected?
CyberShelter provides innovative and modern cybersecurity products and niche services to protect individuals and organizations against all kinds of cyber threats.