Fake IT bods on Microsoft Teams coax workers into installing malware


Cybercriminals are using fake IT support calls on Microsoft Teams to persuade employees to surrender control of their PCs before installing the EtherRAT remote access trojan, according to researchers at Palo Alto Networks’ Unit 42.

Victims receive a phishing email disguised as an employee survey before a follow-up Microsoft Teams call from someone claiming to be IT support. During the call, the attacker persuades the target to hand over remote control and install legitimate remote administration tools such as HopToDesk or AnyDesk. An MSI package is then downloaded, which installs the EtherRAT malware.

Read more…
Source:  The Register


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Scaly Wolf’s new loader: the right tool for the wrong job

    May 2, 2024

    The BI.ZONE Threat Intelligence team has uncovered a fresh campaign by the group targeting Russian and Belarusian organizations. The threat actors are distributing phishing emails under the guise of a federal agency. The emails have a legitimate document as an attachment. It aims to lull the recipient’s vigilance and prompt them to open the other file, ...

  • UnitedHealth data breach caused by lack of multifactor authentification

    May 1, 2024

    Hackers breached the computer system of a UnitedHealth Group subsidiary and released ransomware after stealing someone’s password, CEO Andrew Witty testified Wednesday on Capitol Hill. The cybercriminals entered through a portal that didn’t have multifactor authentification (MFA) enabled. During an hourslong congressional hearing, Witty told lawmakers that the company has not yet determined how many patients ...

  • “Dirty stream” attack: Discovering and mitigating a common vulnerability pattern in Android apps

    May 1, 2024

    Microsoft discovered a path traversal-affiliated vulnerability pattern in multiple popular Android applications that could enable a malicious application to overwrite files in the vulnerable application’s home directory. The implications of this vulnerability pattern include arbitrary code execution and token theft, depending on an application’s implementation. Arbitrary code execution can provide a threat actor with full control ...

  • New “Goldoon” Botnet Targeting D-Link Devices

    May 1, 2024

    In April, FortiGuard Labs observed a new botnet targeting a D-Link vulnerability from nearly a decade ago, CVE-2015-2051. This vulnerability allows remote attackers to execute arbitrary commands via a GetDeviceSettings action on the HNAP interface. As a result, an attacker can create a crafted HTTP request with a malicious command embedded in the header. Fortinet IPS ...

  • UK: Cyber attack recovery could cost council £500,000

    May 1, 2024

    The total cost of restoring systems following a cyber attack could cost the Western Isles local authority Comhairle nan Eilean Siar £500,000. A suspected ransomware attack in November caused significant disruption to IT systems at the local authority. The impact led to some bills, including council tax, being delayed. Malcolm Burr, the council’s chief executive, said ...

  • The State of Ransomware 2024

    April 30, 2024

    The fifth Sophos State of Ransomware Report reveals the real-world ransomware experiences of 5,000 organizations around the globe, from root cause through to severity of attack, financial impact, and recovery time. Based on the findings of a survey of IT/cybersecurity leaders across 14 countries, this year’s report combines year-on-year insights with brand new areas of study. ...