Hackers Exploiting Microsoft Teams for Remote Access to Systems
Hackers used the Microsoft Teams platform to trick a victim into granting remote access to their system. This attack, analyzed by Trend Micro, showcases the increasing complexity of social engineering tactics employed by cybercriminals.
The attack unfolded in several stages:
1️⃣ Mass phishing email campaigns: The victim's inbox was first flooded with phishing emails, the setup for the call that followed.
2️⃣ Microsoft Teams call: The attacker then initiated a Microsoft Teams call, pretending to be an employee of a trusted client.
3️⃣ Installing remote support software: During the call, the attacker convinced the victim to install a remote support application, first suggesting Microsoft Remote Support. When the installation from the Microsoft Store failed, the attacker switched to AnyDesk, a legitimate remote desktop tool that attackers abuse precisely because it is legitimate, signed and rarely blocked.
Once AnyDesk was installed, the attacker had full interactive access to the victim's computer and used it to deploy several malicious files, including a trojan detected as Trojan.AutoIt.DARKGATE.D (Trend Micro's detection name for the DarkGate malware delivered through an AutoIt script).
Distribution of malware: The malware was delivered by an AutoIt script. The script gave the attacker remote control of the system, executed commands on their behalf, and connected to a command-and-control (C2) server.
System information gathering:
Through the AnyDesk session, the attacker ran standard Windows discovery commands:
- systeminfo: general system information (OS version, installed hotfixes, domain membership).
- route print: the routing table, which reveals reachable internal networks.
- ipconfig /all: IP addresses, DNS servers and adapter configuration.
The output was written to a file named 123.txt, most likely staged for further reconnaissance.
Evasion of detection:
- The AutoIt script checked which antivirus software was installed and used that information to evade detection.
- Malicious files were downloaded and extracted into hidden directories.
Another malicious file, SystemCert.exe, dropped additional scripts and executables into temporary folders. These were used to reach the C2 server and download further payloads.
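The reconnaissance and payload stages above leave a recognisable process-creation trail: a remote access tool appears, discovery commands run as children of that tool with their output redirected to a file, and an executable starts from a temp directory. The following script is an added example, not code from Trend Micro or from the original article. It runs hunting logic over constructed telemetry in the shape of Sysmon Event ID 1 records (Computer, Image, CommandLine, ParentImage); the host names, paths, file names (payload.exe), the tool list and the allowlist that sanctions only TeamViewer are all assumptions you would replace with your own.

```python
"""Hunting logic for the Teams -> AnyDesk -> recon -> payload chain described above.
Operates on constructed process-creation events shaped like Sysmon Event ID 1."""
import json
import re
from collections import defaultdict

# Remote access tools often abused for hands-on-keyboard access (assumption: extend for your estate).
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe", "screenconnect.exe"}
# Hypothetical allowlist: AnyDesk is legitimate software, but here only TeamViewer is sanctioned.
APPROVED_REMOTE_TOOLS = {"teamviewer.exe"}
# The recon commands run in the case (systeminfo, route print, ipconfig /all) plus common siblings.
DISCOVERY = {"systeminfo", "route", "ipconfig", "whoami", "nltest", "net"}

REDIRECT_RE = re.compile(r'>>?\s*"?([^\s"&|]+)')  # "> file" or ">> file" in a command line
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def exe_name(path):
    """Lower-cased basename of a Windows image path, quotes stripped."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def discovery_commands(cmdline):
    """Discovery commands invoked anywhere in a command line, including 'cmd.exe /c ...' chains."""
    found = set()
    for token in cmdline.replace('"', "").split():
        name = exe_name(token).removesuffix(".exe")
        if name in DISCOVERY:
            found.add(name)
    return found


def analyze_event(ev):
    """Per-event findings as (stage, severity, reason) tuples."""
    findings = []
    image, parent = exe_name(ev["Image"]), exe_name(ev["ParentImage"])
    cmd = ev.get("CommandLine", "")

    if image in REMOTE_ACCESS_TOOLS and image not in APPROVED_REMOTE_TOOLS:
        findings.append(("remote_tool", "high", f"unapproved remote access tool started: {image}"))

    cmds = discovery_commands(cmd)
    if cmds:
        # Recon driven through a remote desktop session is the signal; admins run these interactively too.
        sev = "high" if parent in REMOTE_ACCESS_TOOLS else "low"
        reason = f"discovery under {parent}: {', '.join(sorted(cmds))}"
        redirect = REDIRECT_RE.search(cmd)
        if redirect:  # output staged to a file, like 123.txt in the case
            reason += f" (output redirected to {redirect.group(1)})"
            sev = "medium" if sev == "low" else sev
        findings.append(("discovery", sev, reason))

    if image.endswith(".exe") and TEMP_DIR_RE.search(ev["Image"]):
        findings.append(("temp_exec", "medium", f"executable launched from a temp directory: {ev['Image']}"))
    return findings


def hunt(events):
    """Correlate per host: remote tool start, a cluster of recon run through it, and a payload from a temp dir."""
    hosts = defaultdict(lambda: {"findings": [], "recon": set(), "stages": set()})
    for ev in events:
        h = hosts[ev["Computer"]]
        for stage, sev, reason in analyze_event(ev):
            h["findings"].append((sev, reason))
            if stage != "discovery":
                h["stages"].add(stage)
        if exe_name(ev["ParentImage"]) in REMOTE_ACCESS_TOOLS:
            h["recon"] |= discovery_commands(ev.get("CommandLine", ""))
    for h in hosts.values():
        if len(h["recon"]) >= 3:  # three distinct recon commands through one remote tool
            h["stages"].add("recon_cluster")
        n = len(h["stages"])
        h["verdict"] = "intrusion chain" if n >= 2 else ("suspicious" if n == 1 else "benign")
    return dict(hosts)


# Constructed telemetry: WS-042 replays the chain from the case, WS-007 is an admin doing routine work.
SAMPLE_EVENTS = [json.loads(line) for line in r'''
{"Computer":"WS-042","Image":"C:\\Users\\victim\\Downloads\\AnyDesk.exe","CommandLine":"AnyDesk.exe","ParentImage":"C:\\Windows\\explorer.exe"}
{"Computer":"WS-042","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c systeminfo > C:\\Users\\victim\\123.txt","ParentImage":"C:\\Users\\victim\\Downloads\\AnyDesk.exe"}
{"Computer":"WS-042","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c route print >> C:\\Users\\victim\\123.txt","ParentImage":"C:\\Users\\victim\\Downloads\\AnyDesk.exe"}
{"Computer":"WS-042","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c ipconfig /all >> C:\\Users\\victim\\123.txt","ParentImage":"C:\\Users\\victim\\Downloads\\AnyDesk.exe"}
{"Computer":"WS-042","Image":"C:\\Users\\victim\\AppData\\Local\\Temp\\payload.exe","CommandLine":"payload.exe","ParentImage":"C:\\Users\\victim\\SystemCert.exe"}
{"Computer":"WS-007","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c ipconfig /all","ParentImage":"C:\\Windows\\explorer.exe"}
{"Computer":"WS-007","Image":"C:\\Program Files\\TeamViewer\\TeamViewer.exe","CommandLine":"TeamViewer.exe","ParentImage":"C:\\Windows\\explorer.exe"}
'''.strip().splitlines()]

if __name__ == "__main__":
    for host, data in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {data['verdict']}")
        for sev, reason in data["findings"]:
            print(f"  [{sev}] {reason}")
```

The per-event checks are deliberately noisy on their own (an admin running ipconfig is not an incident); the verdict comes from correlating stages on one host, which is what separates WS-042 from WS-007 here. On a real estate, feed it Sysmon or EDR process events for a rolling window and tune REMOTE_ACCESS_TOOLS and the allowlist to what your organisation actually permits.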
No data exfiltration was observed in this case, but malicious files and registry entries were left behind on the victim's system, so the host still had to be cleaned or rebuilt. The incident underscores the importance of layered security measures.
How to Protect Against Similar Attacks
1️⃣ Verify third-party claims: Confirm the legitimacy of anyone claiming to be technical support before granting access, using a channel you already trust (a number from your own records, not one the caller supplies).
2️⃣ Control remote access tools: Allow only the remote access tools your organization has approved, block or alert on all others (AnyDesk is legitimate software, but that does not make it approved), and enforce multi-factor authentication (MFA) on the approved ones.
3️⃣ Employee training: Teach employees to recognize social engineering tactics such as phishing and vishing (voice phishing), and to treat an unsolicited Teams call from outside the organization with the same suspicion as an unknown phone call.
Hackers continue to exploit trust and legitimate platforms like Microsoft Teams to execute their attacks. Therefore, vigilance and proactive security measures are crucial to preventing similar threats.
Start safeguarding your systems today and ensure your employees are well-prepared to combat these threats!