Fake IT bods on Microsoft Teams coax workers into installing malware


Cybercriminals are using fake IT support calls on Microsoft Teams to persuade employees to surrender control of their PCs before installing the EtherRAT remote access trojan, according to researchers at Palo Alto Networks’ Unit 42.

Victims receive a phishing email disguised as an employee survey before a follow-up Microsoft Teams call from someone claiming to be IT support. During the call, the attacker persuades the target to hand over remote control and install legitimate remote administration tools such as HopToDesk or AnyDesk. An MSI package is then downloaded, which installs the EtherRAT malware.

Read more…
Source:  The Register


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • UK MoD probes security breach after documents relating to Catterick Garrison found dumped in street

    March 26, 2025

    The Ministry of Defence is investigating after a cache of documents containing sensitive military information was found discarded in the street. The papers, some marked “official – sensitive”, were discovered spilling out of a black bin bag in the Scotswood area of Newcastle on March 16 . The BBC reported that they include details about soldiers’ ...

  • UK supermarket Morrisons’ sales growth slows after cyber attack

    March 26, 2025

    British supermarket group Morrisons’ sales growth slowed in its first quarter, reflecting a previously flagged cyber attack at its technology provider which disrupted its operations. The UK’s fifth largest grocer, which has been owned by U.S. private equity firm Clayton, Dubilier & Rice since 2021, said on Wednesday its like-for-like sales rose 2.1% in its quarter ...

  • Operation ForumTroll: APT attack with Google Chrome zero-day exploit chain

    March 25, 2025

    In mid-March 2025, Kaspersky technologies detected a wave of infections by previously unknown and highly sophisticated malware. In all cases, infection occurred immediately after the victim clicked on a link in a phishing email, and the attackers’ website was opened using the Google Chrome web browser. No further action was required to become infected. All malicious ...

  • KLIA operations not affected after Malaysian airport hit by cyber attack

    March 25, 2025

    Operations at the Kuala Lumpur International Airport (KLIA) were not affected by a cyber attack by hackers who demanded US$10 million (S$13.4 million). In a joint statement on March 25, the National Cyber Security Agency (Nacsa) and Malaysia Airports Holdings Berhad (MAHB) said they detected a cyber-security threat affecting certain computer systems at KLIA on March ...

  • MoDiRAT Malware Uses Horus Protector to Target France

    March 25, 2025

    The SonicWall Capture Labs threat research team has identified a new development in the Horus Protector distributed infection chain. Recently, it has been targeting the French region with MoDiRAT, a malware notorious for stealing credit card and other victim information. During the infection process, it deploys the DarkCloud stealer; however, before exiting, the loader verifies if ...

  • Security Updates Released for Ingress NGINX Controller for Kubernetes

    March 25, 2025

    Five vulnerabilities have been discovered within the Ingress NGINX Controller for Kubernetes. NGINX Ingress Controller is a tool used in Kubernetes environments to manage and route external traffic to services within the cluster. Ingress Controller acts as a reverse proxy and load balancer, supporting various protocols like WebSocket, gRPC, TCP, and UDP, and also provides features ...