
Ransomware gangs pose as IT support in Microsoft Teams phishing attacks


Ransomware gangs are increasingly combining email bombing with a follow-up Microsoft Teams call in which they pose as tech support, tricking employees into granting remote control and installing malware that gives the attackers access to the company network.

The threat actors send thousands of spam messages over a short period and then call the target from an adversary-controlled Office 365 instance, pretending to provide IT support.

This tactic has been observed since late last year in attacks attributed to Black Basta ransomware but researchers at cybersecurity company Sophos have seen the same method being used by other threat actors that may be connected to the FIN7 group.

To reach company employees, the hackers take advantage of the default Microsoft Teams configuration at the targeted organization, which permits calls and chats from external domains.

Observed activity

The first campaign that Sophos investigated has been linked to a group the researchers track internally as STAC5143. The hackers started by emailing targets a massive number of messages, at a rate of 3,000 in 45 minutes.

Shortly after, the targeted employee received an external Teams call from an account named “Help Desk Manager.” The threat actor convinced the victim to set up a remote screen control session through Microsoft Teams.
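The two-stage pattern described above (an inbound mail flood against one mailbox, followed shortly by a Teams call from a tenant outside the organization) is straightforward to correlate in mail-flow and Teams call logs. The following is an added detection sketch, not code from the article or from Sophos; the event tuples, the `example.com` tenant and the `*.onmicrosoft.com` caller domains are constructed sample data, and the burst threshold is an assumed tuning value.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, recipient) for delivered mail and
# (timestamp, callee, caller_tenant_domain) for Teams calls. Not real logs.
BASE = datetime(2025, 1, 21, 9, 0)
MAIL_EVENTS = [(BASE + timedelta(seconds=3 * i), "alice@example.com") for i in range(600)]  # 600 msgs in 30 min
MAIL_EVENTS += [(BASE + timedelta(minutes=10 * i), "bob@example.com") for i in range(5)]   # normal volume
TEAMS_CALLS = [
    (BASE + timedelta(minutes=50), "alice@example.com", "helpdesk-tenant.onmicrosoft.com"),  # external, after flood
    (BASE + timedelta(minutes=55), "alice@example.com", "example.com"),                      # internal, ignored
    (BASE + timedelta(minutes=20), "bob@example.com", "othertenant.onmicrosoft.com"),        # external, no flood
]
TRUSTED_DOMAINS = {"example.com"}  # placeholder: the organization's own tenant plus known federated partners


def mail_bursts(mail_events, threshold=500, window=timedelta(minutes=45)):
    """Return {recipient: burst_start} for mailboxes that received >= threshold
    messages inside any sliding window of the given length (threshold is an assumed value)."""
    by_user = defaultdict(list)
    for ts, user in mail_events:
        by_user[user].append(ts)
    bursts = {}
    for user, times in by_user.items():
        times.sort()
        recent = deque()
        for t in times:
            recent.append(t)
            while t - recent[0] > window:   # slide the window forward
                recent.popleft()
            if len(recent) >= threshold and user not in bursts:
                bursts[user] = recent[0]    # record when the flood began
    return bursts


def suspicious_calls(mail_events, teams_calls, trusted, lookahead=timedelta(hours=2), **burst_kwargs):
    """Flag external Teams calls that reach a flooded mailbox within `lookahead` of the flood start."""
    bursts = mail_bursts(mail_events, **burst_kwargs)
    hits = []
    for ts, callee, caller_domain in teams_calls:
        start = bursts.get(callee)
        if start is None or caller_domain in trusted:
            continue
        if start <= ts <= start + lookahead:
            hits.append((callee, caller_domain, ts))
    return hits


if __name__ == "__main__":
    for callee, domain, ts in suspicious_calls(MAIL_EVENTS, TEAMS_CALLS, TRUSTED_DOMAINS):
        print(f"{ts:%H:%M} external Teams call to flooded mailbox {callee} from {domain}")
```

A hit should be treated as a trigger for verification rather than proof of compromise; the tenant names in the sample are placeholders and real alerts should be matched against the organization's actual federation allow list.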

The attacker dropped a Java archive (JAR) file (MailQueue-Handler.jar) and Python scripts (RPivot backdoor) hosted on an external SharePoint link.

The JAR file executed PowerShell commands to download a legitimate ProtonVPN executable that side-loaded a malicious DLL (nethost.dll).

The DLL creates an encrypted command-and-control (C2) communication channel with external IPs, providing the attackers remote access to the compromised computer.

The attacker also ran Windows Management Instrumentation (WMIC) and whoami.exe to check system details and deployed second-stage Java malware to execute RPivot – a penetration testing tool that provides SOCKS4 proxy tunneling for sending commands.

Obfuscated RPivot code
Source: Sophos

RPivot has been used in the past in attacks by FIN7. Additionally, the obfuscation techniques used have also been previously observed in FIN7 campaigns.

However, since both RPivot and the code for the obfuscation method are publicly available, Sophos cannot connect the STAC5143 attacks to FIN7 activity with high confidence, especially since FIN7 is known to have sold its tools in the past to other cybercriminal…

Click Here to Read the Full Original Article at BleepingComputer…