BleepingComputer reports that affiliates of the Black Basta ransomware gang have leveraged Microsoft Teams as part of their social engineering attacks beginning this month.
Intrusions commenced with the delivery of malicious emails, after which the attackers contacted targets in Microsoft Teams under the guise of corporate IT help desk staff offering to help with the email spam issue, an analysis from ReliaQuest researchers revealed. Attackers, whose display names had the "Help Desk" string surrounded by whitespace characters, then lured targets into downloading AnyDesk or opening Quick Assist to facilitate the deployment of the "AntispamAccount.exe," "AntispamUpdate.exe," and "AntispamConnectUS.exe" payloads, the last of which has been identified as the SystemBC malware previously leveraged by Black Basta. Additional network compromise would then be enabled by the installation of Cobalt Strike on the targeted machine, said the report, which urged organizations to restrict Microsoft Teams communications to mitigate the risk of compromise. These findings come months after Black Basta was reported by ReliaQuest and Rapid7 to have conducted a social engineering campaign that instead involved the impersonation of help desk staff in phone calls.
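A detection sketch for the two indicators named above, added here as an example and not taken from the ReliaQuest report: it flags chat senders whose display name reduces to "Help Desk" once surrounding whitespace is stripped, and file paths matching the reported payload names. The event field names (`sender`, `display_name`), the internal-domain list, and the choice to also treat zero-width format characters as padding are assumptions; the sample events are constructed.

```python
import ntpath
import unicodedata

# Payload file names as given in the report summary above.
REPORTED_PAYLOADS = {"antispamaccount.exe", "antispamupdate.exe",
                     "antispamconnectus.exe"}

def _is_padding(ch):
    # Unicode whitespace, plus format characters (Cf) such as zero-width
    # space. Including Cf is an assumption that goes beyond the report.
    return ch.isspace() or unicodedata.category(ch) == "Cf"

def strip_padding(name):
    """Remove leading and trailing padding characters from a display name."""
    start, end = 0, len(name)
    while start < end and _is_padding(name[start]):
        start += 1
    while end > start and _is_padding(name[end - 1]):
        end -= 1
    return name[start:end]

def check_chat_sender(event, internal_domains):
    """Return the reasons a chat event looks like help desk impersonation."""
    raw = event["display_name"]
    core = strip_padding(raw)
    if " ".join(core.split()).casefold() != "help desk":
        return []
    reasons = []
    if core != raw:
        reasons.append("display name padded with whitespace")
    domain = event["sender"].rsplit("@", 1)[-1].lower()
    if domain not in internal_domains:
        reasons.append("help desk name on external sender")
    return reasons

def is_reported_payload(path):
    """True if a Windows path ends in one of the reported payload names."""
    return ntpath.basename(path).lower() in REPORTED_PAYLOADS

# Constructed sample events (hypothetical field names and domains).
INTERNAL = {"corp.example"}
SAMPLE_EVENTS = [
    {"sender": "admin@support-tenant.example", "display_name": "\u2003Help Desk\u2003"},
    {"sender": "it@corp.example", "display_name": "Help Desk"},
    {"sender": "alice@partner.example", "display_name": "Alice Smith"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["sender"], check_chat_sender(ev, INTERNAL))
```
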