Threat actors are abusing the Quick Assist client management tool in Windows, combined with social engineering tricks, to plant malware and ransomware on victims’ systems.
In a May 15 advisory, Microsoft warned organizations to be alert to a voice phishing (vishing) scam where cybercriminals conned victims into opening Quick Assist sessions.
The vendor’s Threat Intelligence unit has been monitoring a malicious actor it is tracking as Storm-1811 since mid-April. The gang was using remote monitoring and management (RMM) tools to install malware, including Qakbot, Cobalt Strike and, ultimately, Black Basta ransomware.
The scam typically began with Storm-1811 launching an email-bombing attack on its victim, flooding their inbox with emails by indirectly signing them up for subscription services using their credentials.
The threat actors then phoned the victim, pretending to be tech support, and offered to fix their email overload issue via Quick Assist, which is installed by default on devices running Windows 11.
“Once the user allows access and control, the threat actor runs a scripted cURL command to download a series of batch files or ZIP files used to deliver malicious payloads,” Microsoft’s advisory said.
“In several cases, Microsoft Threat Intelligence identified such activity leading to the download of Qakbot, RMM tools like ScreenConnect and NetSupport Manager, and Cobalt Strike.”
With the initial tooling installed and the phone call with the victim concluded, the Storm-1811 actors carried out further “hands-on-keyboard” activities including domain enumeration and lateral movement, then used PsExec to deploy Black Basta throughout the compromised network.
“Since Black Basta first appeared in April 2022, Black Basta attackers have deployed the ransomware after receiving access from Qakbot and other malware distributors, highlighting the need for organizations to focus on attack stages prior to ransomware deployment to reduce the threat,” the advisory said.
“Microsoft is investigating the use of Quick Assist in these attacks and is working on improving the transparency and trust between helpers and sharers, and incorporating warning messages in Quick Assist to alert users about possible tech support scams.”
In a post last week, researchers at Rapid7 reported observing the same scam being used to target several of the cybersecurity firm’s customers.
Besides Quick Assist, the threat actors Rapid7 observed also attempted to use other popular RMM tools, including AnyDesk.
“While ransomware deployment was not observed in any of the cases Rapid7 responded to, the indicators of compromise we observed were previously linked with the Black Basta ransomware operators based on OSINT (open-source intelligence) and other incident response engagements handled by Rapid7,” the researchers said.
To prevent the attacks, Microsoft said organizations should consider blocking or uninstalling Quick Assist and any other RMM tools not used by their IT departments.
It also recommended training staff to be aware of tech support scams.
“Only allow a helper to connect to your device using Quick Assist if you initiated the interaction by contacting Microsoft Support or your IT support staff directly. Don’t provide access to anyone claiming to have an urgent need to access your device,” the advisory said.
Further advice from Rapid7 included blocking domains associated with all unapproved RMM solutions and ensuring staff were empowered to report suspicious phone calls and texts purporting to be from internal IT staff.
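As an added illustration of how a defender could turn the chain described above into endpoint detections, the following Python sketch is not from the Microsoft or Rapid7 write-ups and is not their detection logic. It runs three correlation rules over a handful of constructed process-creation records (Sysmon Event ID 1 style fields): any remote-access tool outside an approved allowlist, a cURL-style download shortly after Quick Assist starts on the same host, and PsExec client or service execution. The process names used for the tools the article mentions (QuickAssist.exe, ScreenConnect.ClientService.exe, client32.exe for NetSupport Manager, AnyDesk.exe, PSEXESVC.exe), the file paths in the sample events and the 30-minute correlation window are assumptions, not values from the page.

```python
"""Correlation rules for the Quick Assist / RMM abuse chain described above.

Constructed process-creation events (Sysmon Event ID 1 style fields) stand in
for real endpoint telemetry; nothing here is real data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ntpath import basename  # Windows-style paths regardless of host OS


@dataclass(frozen=True)
class ProcEvent:
    time: datetime
    host: str
    user: str
    image: str          # full path of the created process
    parent_image: str
    command_line: str


# Assumed binary names for the tools named in the article (lower-cased basenames).
REMOTE_ACCESS_BINARIES = {
    "quickassist.exe": "Quick Assist",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "client32.exe": "NetSupport Manager",
    "anydesk.exe": "AnyDesk",
}
# Built-in download utilities a "helper" can drive from the victim's keyboard.
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe"}
PSEXEC_BINARIES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
# Arbitrary window: a download this soon after Quick Assist starts is suspicious.
SESSION_WINDOW = timedelta(minutes=30)


def evaluate(events, approved_rmm=frozenset()):
    """Return (rule, host, detail) tuples for events matching the three rules.

    approved_rmm: lower-cased basenames of remote-access tools the IT
    department actually uses; anything else in REMOTE_ACCESS_BINARIES fires.
    """
    alerts = []
    quick_assist_started = {}  # host -> time Quick Assist last launched
    for ev in sorted(events, key=lambda e: e.time):
        name = basename(ev.image).lower()

        # Rule 1: any remote-access tool outside the approved set.
        if name in REMOTE_ACCESS_BINARIES and name not in approved_rmm:
            alerts.append(("unapproved_remote_access_tool", ev.host,
                           f"{REMOTE_ACCESS_BINARIES[name]} as {ev.user}"))
        if name == "quickassist.exe":
            quick_assist_started[ev.host] = ev.time

        # Rule 2: a URL download shortly after Quick Assist started on that host.
        if name in DOWNLOADERS and "http" in ev.command_line.lower():
            started = quick_assist_started.get(ev.host)
            if started is not None and ev.time - started <= SESSION_WINDOW:
                alerts.append(("download_during_quick_assist", ev.host,
                               ev.command_line))

        # Rule 3: PsExec client or its service binary (used for deployment above).
        if name in PSEXEC_BINARIES:
            alerts.append(("psexec_execution", ev.host,
                           f"{name} as {ev.user} (parent {basename(ev.parent_image)})"))
    return alerts


T0 = datetime(2024, 5, 15, 10, 0)

# Constructed sample: WS01 walks through the chain, WS02 uses curl
# legitimately with no Quick Assist session, FS01 later sees PsExec.
SAMPLE_EVENTS = [
    ProcEvent(T0, "WS01", "corp\\alice",
              r"C:\Windows\System32\QuickAssist.exe",
              r"C:\Windows\explorer.exe", "QuickAssist.exe"),
    ProcEvent(T0 + timedelta(minutes=7), "WS01", "corp\\alice",
              r"C:\Windows\System32\curl.exe", r"C:\Windows\System32\cmd.exe",
              r"curl.exe -s -o %TEMP%\fix.zip https://example.invalid/fix.zip"),
    ProcEvent(T0 + timedelta(minutes=9), "WS01", "corp\\alice",
              r"C:\Users\alice\AppData\Local\Temp\client32.exe",
              r"C:\Windows\System32\cmd.exe", "client32.exe"),
    ProcEvent(T0 + timedelta(minutes=5), "WS02", "corp\\bob",
              r"C:\Windows\System32\curl.exe", r"C:\Windows\System32\cmd.exe",
              "curl.exe https://example.invalid/api/health"),
    ProcEvent(T0 + timedelta(hours=1, minutes=30), "FS01", "NT AUTHORITY\\SYSTEM",
              r"C:\Windows\PSEXESVC.exe", r"C:\Windows\System32\services.exe",
              "PSEXESVC.exe"),
]


if __name__ == "__main__":
    for rule, host, detail in evaluate(SAMPLE_EVENTS):
        print(f"{rule:32} {host:6} {detail}")
```

Running the sample yields four alerts, all on WS01 and FS01; the benign curl on WS02 stays quiet because no Quick Assist session preceded it. Passing `approved_rmm={"quickassist.exe"}` models an organization whose IT staff legitimately use Quick Assist: the tool itself no longer fires, but the download-during-session rule still does, which is the behaviour Microsoft's guidance on unsolicited helper requests is aiming at. For organizations that take the blocking route instead, Quick Assist ships as a Windows capability, so `Get-WindowsCapability -Online -Name "App.Support.QuickAssist*"` and `Remove-WindowsCapability` (on Windows 10/11) are the inventory and removal hooks; the third-party tools in the list need their own uninstall and domain blocks, as Rapid7 advises.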