Threat actors have leveraged Microsoft Teams and other tools to facilitate a malware-spreading voice phishing scam, according to Hackread.
Attacks commenced with the delivery of a malicious Microsoft Teams message alongside a vishing call luring targets into executing a payload-downloading PowerShell command, with Quick Assist later leveraged to facilitate remote access, an analysis from Ontinue's Cyber Defense Centre showed. Infiltration of the targeted device was then followed by the distribution of a signed executable that sideloaded the nefarious TV.dll file and dropped the JavaScript-based index.js backdoor. While more findings are still needed to conclusively associate the intrusions with a specific actor, the techniques used in the campaign overlap with the Storm-1811 operation, reported Ontinue researchers. Such an attack should prompt increased vigilance among network defenders, said Sectigo senior fellow Jason Soroko. "Defenders should watch for PowerShell commands in Teams messages, unexpected use of Quick Assist, and signed binaries like TeamViewer.exe running from unusual paths. Signs of DLL sideloading, such as TV.dll loading unexpectedly, are also red flags," Soroko noted.
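
The endpoint signals listed above (Quick Assist use, TeamViewer.exe outside its install directory, TV.dll loaded from an unexpected location) can be triaged with a short script. This is an added example, not code from Ontinue, Sectigo or Hackread; the event schema (`type`, `host`, `image`, `loaded`), the expected install directories and the sample events are assumptions constructed for illustration, and it does not cover the Teams-message signal.

```python
import ntpath

# Assumption: default TeamViewer install directories; adjust to your estate.
EXPECTED_TV_DIRS = {r"c:\program files\teamviewer",
                    r"c:\program files (x86)\teamviewer"}

def _name(path):
    return ntpath.basename(path).lower()

def _unexpected_dir(path):
    return ntpath.dirname(path).lower() not in EXPECTED_TV_DIRS

def triage(events):
    """Return (rule, host, path) tuples for events matching the listed signals."""
    findings = []
    for e in events:
        if e["type"] == "process_create":
            image = e["image"]
            if _name(image) == "teamviewer.exe" and _unexpected_dir(image):
                findings.append(("teamviewer_unusual_path", e["host"], image))
            elif _name(image) == "quickassist.exe":
                # Quick Assist is legitimate; every start is surfaced for review.
                findings.append(("quick_assist_started", e["host"], image))
        elif e["type"] == "image_load":
            dll = e["loaded"]
            if _name(dll) == "tv.dll" and _unexpected_dir(dll):
                findings.append(("tv_dll_unusual_path", e["host"], dll))
    return findings

def prioritize(findings):
    """Hosts showing two or more distinct signals are 'high'; one is 'review'."""
    rules = {}
    for rule, host, _ in findings:
        rules.setdefault(host, set()).add(rule)
    return {h: "high" if len(r) >= 2 else "review" for h, r in rules.items()}

# Constructed sample events (hypothetical hosts and paths).
TMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws-01",
     "image": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
    {"type": "process_create", "host": "ws-02",
     "image": r"C:\Windows\System32\quickassist.exe"},
    {"type": "process_create", "host": "ws-02", "image": TMP + r"\TeamViewer.exe"},
    {"type": "image_load", "host": "ws-02",
     "image": TMP + r"\TeamViewer.exe", "loaded": TMP + r"\TV.dll"},
    {"type": "process_create", "host": "ws-03",
     "image": r"C:\Windows\System32\quickassist.exe"},
]

if __name__ == "__main__":
    for host, level in prioritize(triage(SAMPLE_EVENTS)).items():
        print(host, level)
```

A host where Quick Assist starts and a relocated TeamViewer.exe then loads TV.dll from the same directory matches the sequence the analysis describes, which is why co-occurring signals are ranked above a lone Quick Assist session.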
