Hackers Leverage Microsoft Teams Call to Install RMM Tools and Deploy EtherRAT

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

Threat actors are now weaponizing something as ordinary as a Microsoft Teams call to slip past corporate defenses and plant a stealthy new remote access trojan called EtherRAT.

The campaign blends social engineering with legitimate remote support software, making it look like a routine IT interaction rather than an attack in progress. Victims are left unaware that a simple screen sharing session has handed criminals full control of their machine.

The operation begins innocently enough with a phishing email carrying an “Employee Survey” lure and a malicious PDF attachment. Once the file is opened, the target receives an unexpected Microsoft Teams voice call from someone claiming to be a “System Administrator.”

Since the caller belongs to an outside Microsoft 365 tenant, Teams flags the interaction with an “External unfamiliar” label, though many users overlook this warning in the moment.

Analysts from GitHub, where Palo Alto Networks’ Unit 42 team published its findings, noted that the attacker’s account was tied to a domain designed to look like a genuine helpdesk address.

This small detail helped the impersonation feel convincing enough for victims to proceed with the call.

GitHub analysts said in a report shared with Cyber Security News (CSN) that the case highlights how easily trust in everyday collaboration tools can be exploited.

Once the victim answers, the attacker persuades them to enable Teams’ built in screen sharing feature, granting remote control of the device.

From there, the caller talks the victim through installing legitimate remote access tools, using familiar software names to avoid raising suspicion. This step is critical, since it gives the attacker a foothold that looks like routine technical support rather than an intrusion.

Hackers Leverage Microsoft Teams Call

With remote access secured, the attacker downloads and runs a malicious MSI installer that quietly fetches a legitimate Node.js runtime onto the compromised machine.

The installer then decrypts hidden payloads bundled inside it, eventually launching the EtherRAT malware itself. Because the loader relies on genuine software components, many endpoint tools struggle to flag the activity as suspicious.

EtherRAT is a cross platform remote access trojan built entirely in Node.js, giving it flexibility across different operating systems.

Once active, it can run commands, move and manipulate files, exfiltrate sensitive data, and maintain long term persistence on the infected system.

Its most unusual trait is using Ethereum smart contracts to fetch the address of its command and control server, a method that makes takedown efforts far more difficult for defenders.

Researchers noted that EtherRAT has a history tied to state sponsored operations, having previously surfaced in attacks that exploited a separate critical vulnerability.

Since then, it appears to have been picked up by a wider range of criminal groups, suggesting the tool is being shared or sold beyond its original operators.

Unit 42 also uncovered an open directory on the attacker’s distribution server holding nine separate versions of the installer, pointing to active and ongoing development of the malware.

Why Fake Helpdesk Calls Keep Working

This is not an isolated incident, as Microsoft Teams has become a repeated target for impersonation schemes over the past year.

Earlier campaigns flooded inboxes with spam before contacting victims through Teams and posing as internal IT staff to push different malware families.

Microsoft itself has warned organizations that attackers are increasingly using external Teams accounts to pose as helpdesk personnel and gain remote access.

In response, Microsoft has rolled out several protective measures, including clearer warnings for calls and chats originating from external tenants.

A newer administrator policy also automatically places suspected third party bots into a meeting lobby until an organizer manually approves them.

Security teams are advised to restrict external Teams communication where possible, train employees to verify IT requests through separate channels, and monitor for unexpected remote access software installations, since these steps directly address the tactics seen in this campaign.

Organizations should treat any unsolicited IT support call, especially one arriving through a collaboration platform, with the same caution as an unexpected phone call from a stranger claiming to be from the bank.

Verifying requests through a known internal channel before granting any remote access remains the simplest and most effective defense.

Indicators of Compromise (IoCs):-

Type Indicator Description
Email/Account [email protected][.]com External Teams account used to impersonate IT support 
Domain camorreado[.]click Distribution server hosting the malicious MSI installer 
File v7.msi Malicious MSI installer that loads Node.js runtime and EtherRAT payload 
File (related) v1.msi through v9.msi Multiple installer versions found on an open distribution directory, indicating active development 

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.