
Cybercriminals Exploiting Microsoft’s Hotline for Ransomware Attacks

May 16, 2024 | Newsroom | Ransomware / Incident Response

The Microsoft Threat Intelligence team said it has observed a threat actor it tracks as Storm-1811 misusing the Quick Assist client management tool to target users in social engineering attacks.

“Storm-1811 is a financially motivated cybercriminal group known to deploy Black Basta ransomware,” the company said in a report published on May 15, 2024.

The attack chain involved the use of impersonation via voice phishing to trick unsuspecting victims into installing Remote Monitoring and Management (RMM) tools, followed by the delivery of QakBot, Cobalt Strike and eventually Black Basta ransomware.

“Threat actors abuse Quick Assist features to conduct social engineering attacks by pretending, for example, to be a trusted contact such as Microsoft technical support or an IT professional from the target user’s company to gain initial access to a target device,” said the tech giant.


Quick Assist is a legitimate application from Microsoft that allows users to share their Windows or macOS device with another person through a remote connection, mainly for the purpose of troubleshooting technical issues on their systems. It is installed by default on Windows 11 devices.

To make the attacks more convincing, threat actors launch link listing attacks, a type of email bombing attack where targeted email addresses sign up for various legitimate email subscription services in order to flood their inboxes with subscribed content.

The adversary then masquerades as the company’s IT support team by making phone calls to the targeted user, purportedly offering help in fixing the spam problem and convincing them to provide access to their device via Quick Assist.

“After the user allows access and control, the threat executes a cURL script command to download a series of batch files or ZIP files used to deliver malicious payloads,” the Windows maker said.

“Storm-1811 uses their access and performs additional activities on the keyboard such as domain enumeration and lateral movement. Storm-1811 then used PsExec to deploy Black Basta ransomware across the network.”

Microsoft said it is looking closely at the misuse of Quick Assist in these attacks and that it is working to include warning messages in the software to notify users of possible tech support scams that could facilitate the delivery of ransomware.

The campaign, which is believed to have started in mid-April 2024, targeted various industries and verticals, including manufacturing, construction, food and beverage and transportation, Rapid7 said, indicating the opportunistic nature of the attacks.

“The low barrier to entry to carrying out these attacks, combined with the significant impact these attacks have on their victims, continue to make ransomware a very effective tool to eliminate threats looking for a payday,” Robert Knapp, Senior Response Manager in service incidents at Rapid7, said in a statement shared with The Hacker News.


Microsoft also described Black Basta as a “closed ransomware offering” as opposed to a ransomware-as-a-service (RaaS) operation, which consists of a network of core developers, affiliates and early access brokers that carry out ransomware and extortion attacks.

“It is spread by a small number of threats that typically rely on other threats for initial access, malicious infrastructure and malware development,” the company said.

“Since Black Basta first appeared in April 2022, Black Basta attackers have deployed the ransomware after gaining access from QakBot and other malware distributors, highlighting the need for organizations to focus on the attack stages prior to ransomware deployment, to reduce the threat.”

Organizations are advised to block or uninstall Quick Assist and similar remote monitoring and management tools if not in use, and train employees to recognize tech support scams.
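One way to act on that advice at the endpoint, as an added example that is not from the article, Microsoft or Rapid7: an elevated PowerShell audit that lists every form in which Quick Assist may be present on a Windows 11 host (the Features-on-Demand capability, the Microsoft Store package, and the provisioned copy handed to new user profiles) and removes them only when run with -Remove. The capability and package names are the ones Windows uses today; the process name check is an assumption and should be verified against your own build.

```powershell
# Added example: audit and optionally remove Quick Assist where it is not needed.
# Run from an elevated PowerShell session on the host being assessed.
[CmdletBinding()]
param(
    [switch]$Remove   # audit only unless -Remove is given
)

$findings = @()

# 1. Features-on-Demand capability form of Quick Assist (older builds)
$caps = Get-WindowsCapability -Online |
        Where-Object { $_.Name -like 'App.Support.QuickAssist*' }
foreach ($c in $caps) {
    $findings += [pscustomobject]@{ Kind = 'Capability'; Name = $c.Name; State = $c.State }
    if ($Remove -and $c.State -eq 'Installed') {
        Remove-WindowsCapability -Online -Name $c.Name | Out-Null
    }
}

# 2. Microsoft Store (Appx) form, installed for existing users
$appx = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist'
foreach ($a in $appx) {
    $findings += [pscustomobject]@{ Kind = 'Appx'; Name = $a.PackageFullName; State = 'Installed' }
    if ($Remove) { Remove-AppxPackage -AllUsers -Package $a.PackageFullName }
}

# 3. Provisioned copy that would be re-installed into every new user profile
$prov = Get-AppxProvisionedPackage -Online |
        Where-Object { $_.DisplayName -eq 'MicrosoftCorporationII.QuickAssist' }
foreach ($p in $prov) {
    $findings += [pscustomobject]@{ Kind = 'Provisioned'; Name = $p.PackageName; State = 'Provisioned' }
    if ($Remove) { Remove-AppxProvisionedPackage -Online -PackageName $p.PackageName | Out-Null }
}

# 4. A running instance means a remote session may be active right now on this host
#    (assumed process name; confirm it on your build before alerting on it)
$running = Get-Process -Name 'QuickAssist' -ErrorAction SilentlyContinue
if ($running) {
    $findings += [pscustomobject]@{ Kind = 'Process'; Name = 'QuickAssist.exe'; State = 'Running' }
}

# Empty output means no trace of Quick Assist was found in any of the four places.
$findings | Format-Table -AutoSize
```

Run it without -Remove first across a sample of hosts to learn which forms are present in your estate, then schedule the removal through your management tooling rather than ad hoc.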
