The Microsoft Threat Intelligence team said it has observed a threat actor it tracks under the name Storm-1811 abusing the client management tool Quick Assist to target users in social engineering attacks.
“Storm-1811 is a financially motivated cybercriminal group known to deploy Black Basta ransomware,” the company said in a report published on May 15, 2024.
The attack chain involves the use of impersonation through voice phishing to trick unsuspecting victims into installing remote monitoring and management (RMM) tools, followed by the delivery of QakBot, Cobalt Strike, and ultimately Black Basta ransomware.
The adversary then masquerades as the company’s IT support team through phone calls to the target user, purporting to offer assistance in remediating the spam issue and persuading them to grant access to their device through Quick Assist.
“Once the user allows access and control, the threat actor runs a scripted cURL command to download a series of batch files or ZIP files used to deliver malicious payloads,” the Windows maker said.
“Storm-1811 leverages their access and performs further hands-on-keyboard activities such as domain enumeration and lateral movement. Storm-1811 then uses PsExec to deploy Black Basta ransomware throughout the network.”
Microsoft has also described Black Basta as a “closed ransomware offering” as opposed to a ransomware-as-a-service (RaaS) operation that comprises a network of core developers, affiliates, and initial access brokers who conduct ransomware and extortion attacks.
“Since Black Basta first appeared in April 2022, Black Basta attackers have deployed the ransomware after receiving access from QakBot and other malware distributors, highlighting the need for organizations to focus on attack stages prior to ransomware deployment to reduce the threat.”
Organizations are recommended to block or uninstall Quick Assist and similar remote monitoring and management tools if not in use and train employees to recognize tech support scams.
Source: https://thehackernews.com/
