Fake IT bods on Microsoft Teams coax workers into installing malware


Cybercriminals are using fake IT support calls on Microsoft Teams to persuade employees to surrender control of their PCs before installing the EtherRAT remote access trojan, according to researchers at Palo Alto Networks’ Unit 42.

Victims receive a phishing email disguised as an employee survey before a follow-up Microsoft Teams call from someone claiming to be IT support. During the call, the attacker persuades the target to hand over remote control and install legitimate remote administration tools such as HopToDesk or AnyDesk. An MSI package is then downloaded, which installs the EtherRAT malware.

Read more…
Source:  The Register


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Uncovering a macOS App Sandbox escape vulnerability: A deep dive into CVE-2022-26706

    July 13, 2022

    Microsoft uncovered a vulnerability in macOS that could allow specially crafted codes to escape the App Sandbox and run unrestricted on the system. We shared these findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) in October 2021. A fix for this vulnerability, now identified as CVE-2022-26706, was included in ...

  • Transparent Tribe begins targeting education sector in latest campaign

    July 13, 2022

    Cisco Talos recently discovered an ongoing campaign conducted by the Transparent Tribe APT group against students at various educational institutions in India. This campaign was partially covered by another security firm, but our findings reveal more details regarding the adversary’s operations. Typically, this APT group focuses on targeting government (government employees, military personnel) and pseudo-government entities ...

  • From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud

    July 12, 2022

    A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, hijacked a user’s sign-in session, and skipped the authentication process even if the user had enabled multifactor authentication (MFA). The attackers then used the stolen credentials and session cookies to access affected users’ mailboxes and perform follow-on business email compromise (BEC) campaigns against ...

  • Hackers impersonate cybersecurity firms in callback phishing attacks

    July 12, 2022

    Hackers are impersonating well-known cybersecurity companies, such as CrowdStrike, in callback phishing emails to gain initial access to corporate networks. Most phishing campaigns embed links to landing pages that steal login credentials or emails that include malicious attachments to install malware. However, over the past year, threat actors have increasingly used “callback” phishing campaigns that impersonate well-known ...

  • Predatory Sparrow: Who are the hackers who say they started a fire in Iran?

    July 11, 2022

    It’s extremely rare for hackers, who operate in the digital world, to cause damage in the physical world. But a cyber-attack on a steel maker in Iran two weeks ago is being seen as one of those significant and troubling moments. A hacking group called Predatory Sparrow said it was behind the attack, which it said caused ...

  • How Shady Code Commits Compromise the Security of the Open-Source Ecosystem

    July 11, 2022

    Traditionally, concerns over open-source code security have revolved around whether or not open-source code could contain vulnerabilities, backdoors, or hidden malicious code. In recent months, however, Trend Micro researchers have observed a growth in a particular trend: Open-source code is being subjected to modifications to its functionality to express political protest. These instances of so-called ...