Hackers Exploiting Microsoft’s Quick Assist Tool To Deliver Ransomware

Hackers often target remote assist tools because they create a direct channel to access desired systems with minimum effort. 

These tools have been built for remote control and access purposes, which makes them very appealing targets for attackers looking to hack networks or take over specific devices.

Microsoft observed the Storm-1811 group using Quick Assist for social engineering attacks that deploy Black Basta ransomware. 

Exploiting Quick Assist’s Remote Access

The attacks begin with vishing, exploiting Quick Assist’s remote access for initial compromise, and then delivering malware like:-

• Qakbot
• Cobalt Strike

Microsoft is improving Quick Assist warnings against tech support scams while detections block malicious activity. Blocking unused remote tools and user education on recognizing scams can reduce risk.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Threat actors involved in threat activities impersonate IT support to undertake vishing attacks and trick target persons into giving them Quick Assist remote access. 

They usually do this by pretending to fix a problem or offering spam help as a response to email flooding.

While on the call, Microsoft said they got the victim to initiate Quick Assist, enter the given code, enable screen sharing, and grant control access, consequently fully compromising the device.

Control is taken over through Quick Assist during which scripts are run to download malicious payloads that sometimes pretend to be spam filter updates in order to harvest credentials.

Some of the observed payloads included Qakbot and remote management tools such as ScreenConnect and Cobalt Strike, which finally led to the deployment of Black Basta ransomware by the Storm-1811 group using their access from Qakbot and Cobalt Strike.

After initial access, the attackers use ScreenConnect for persistence and lateral movement, NetSupport Manager for remote control, and OpenSSH tunneling. 

They perform domain enumeration and use PsExec to deploy Black Basta ransomware received from the Qakbot and Cobalt Strike access by Storm-1811. 

Black Basta is closed ransomware distributed by a few actors. Relying on initial access brokers while focusing on pre-ransomware stages reduces the threat impact.

Recommendations

Here below we have mentioned all the recommendations:-

• Block and uninstall unused remote tools like Quick Assist, and use secure alternatives like Remote Help.
• Educate users on identifying tech support scams and not providing unauthorized remote access.
• Report suspected malicious remote sessions and tech support scams.
• Train users on protecting info, spotting phishing, and reporting recon attempts.
• Implement anti-phishing solutions like Defender for Office 365.
• Enable cloud-delivered protection and tamper protection in antivirus.
• Turn on network protection against malicious domains.
• Use automated investigation and remediation in Defender for Endpoint.
• Follow Microsoft’s ransomware hardening guidance.

IoCs

Domain Names:

• upd7a[.]com
• upd7[.]com
• upd9[.]com
• upd5[.]pro

SHA-256:

• 71d50b74f81d27feefbc2bc0f631b0ed7fcdf88b1abbd6d104e66638993786f8
• 0f9156f91c387e7781603ed716dcdc3f5342ece96e155115708b1662b0f9b4d0
• 1ad05a4a849d7ed09e2efb38f5424523651baf3326b5f95e05f6726f564ccc30
• 93058bd5fe5f046e298e1d3655274ae4c08f07a8b6876e61629ae4a0b510a2f7
• 1cb1864314262e71de1565e198193877ef83e98823a7da81eb3d59894b5a4cfb

ScreenConnect Relay:

• instance-olqdnn-relay.screenconnect[.]com

NetSupport C2:

• greekpool[.]com

Cobalt Strike Beacon C2:

• zziveastnews[.]com
• realsepnews[.]com

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free