Microsoft warns about a malicious campaign in which ransomware operators advertise fake Microsoft Teams updates to compromise unsuspecting users' systems. The operators were found to be deploying backdoors to steal data, followed by Cobalt Strike to spread widely across the network. Microsoft has also given recommendations for avoiding such traps.
Fake Microsoft Teams Update Sets Backdoors
It's expected that attackers target popular software in critical times to get the most out of the situation. We've seen hackers attacking hospitals and compromising work-from-home machines amid the COVID-19 pandemic to reach more victims. One recent development of this kind is a malicious campaign reported by Microsoft, in which ransomware operators are malvertising fake updates for its Teams software.
In a non-security alert seen by BleepingComputer, Microsoft warns that hackers are manipulating search engine results or buying ad units to place malicious ads at the top of the page, which claim to offer the latest update for Microsoft Teams. When clicked, they redirect to a site controlled by the hackers.
Unsuspecting users who fall into this trap and download the fake update end up with a backdoor on their systems, planted by the hackers. Besides executing a PowerShell script, the hackers also install the Microsoft Teams software on the victim's PC so that the "update" does not raise suspicion.
The backdoors are then used to deliver payloads such as Predator, an info stealer that retrieves sensitive data like credentials, browser data and payment data from the victim's PC and sends it to the hacker's C2 server. Other payloads observed in this campaign include the ZLoader stealer and the Bladabindi (NJRat) backdoor.
The next stage is downloading Cobalt Strike beacons; Cobalt Strike is a legitimate penetration testing tool that hackers frequently abuse to find paths through, and move laterally across, the compromised network. A similar campaign was seen last year, where the hackers deployed DoppelPaymer ransomware at the end. In this campaign, the final stage is dropping the WastedLocker ransomware.
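As an added illustration (not code from Microsoft's alert or from this article), the following Python sketch shows how a defender could hunt in process-creation telemetry for the chain described above: a Teams-named installer started from a download or temp directory that spawns PowerShell and then launches a second Teams installer as the decoy. The event fields are modelled loosely on Sysmon Event ID 1; all paths, process IDs and command lines are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the started executable
    cmdline: str

# Locations where a browser-downloaded "update" would typically land (assumption).
STAGING_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Command-line fragments that make a child PowerShell worth a closer look.
PS_SUSPICIOUS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
                 "bypass", "downloadstring", "iex")

def is_staged_teams_installer(ev: ProcEvent) -> bool:
    """Executable named like a Teams update, started from a download/staging dir."""
    img = ev.image.lower()
    return "teams" in img.rsplit("\\", 1)[-1] and any(d in img for d in STAGING_DIRS)

def find_fake_teams_chains(events: list[ProcEvent]) -> list[dict]:
    """One record per staged Teams-named installer that spawned PowerShell."""
    children: dict[int, list[ProcEvent]] = {}
    for ev in events:
        children.setdefault(ev.ppid, []).append(ev)
    hits = []
    for ev in events:
        if not is_staged_teams_installer(ev):
            continue
        kids = children.get(ev.pid, [])
        ps = [k for k in kids if k.image.lower().endswith("\\powershell.exe")]
        if not ps:
            continue  # a staged installer on its own is not enough to alert on
        # The genuine Teams installer launched alongside is the decoy from the article.
        decoy = any("teams" in k.image.lower() and k not in ps for k in kids)
        flags = sorted({f for k in ps for f in PS_SUSPICIOUS if f in k.cmdline.lower()})
        hits.append({"installer": ev.image, "pid": ev.pid,
                     "powershell_flags": flags, "decoy_teams_install": decoy})
    return hits

# Constructed sample telemetry: one malvertised installer and one benign Teams start.
SAMPLE_EVENTS = [
    ProcEvent(4001, 3000, r"C:\Users\alice\Downloads\TeamsUpdate_2020.exe", "TeamsUpdate_2020.exe"),
    ProcEvent(4002, 4001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -enc <base64-placeholder>"),
    ProcEvent(4003, 4001, r"C:\Users\alice\AppData\Local\Temp\Teams_windows_x64.exe", "/s"),
    ProcEvent(5001, 3000, r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe", "--processStart Teams.exe"),
    ProcEvent(5002, 5001, r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe", "Teams.exe"),
]

if __name__ == "__main__":
    for hit in find_fake_teams_chains(SAMPLE_EVENTS):
        print(hit)
```

The benign Teams auto-updater in the sample is not flagged because it runs from its install location and never spawns PowerShell; tune STAGING_DIRS and PS_SUSPICIOUS to your environment before using this as a real hunt query.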
Microsoft’s Suggestions to Stay Safe
Microsoft recommends limiting admin privileges to essential users only and avoiding domain-wide service accounts that carry the same admin-level permissions. It further suggests using browsers that can filter and block malicious websites, and using strong, random passwords for admin accounts.