Ransomware attacks hijack Windows Quick Assist feature

Hackers are tricking people into using Quick Assist to grant them access to their computers

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Hackers have been observed combining spam, a classic IT tech support scam, and Windows built-in remote control and screen-sharing tool, Quick Assist, to deploy the Black Bastaransomwarevariant.

Reports from bothMicrosoft, and cybersecurity researchers Rapid7 outlined how the attack is also quite creative and not something that’s often seen in the cybercrime space.

Before the actual attack, the threat actors (which Microsoft identified as Storm-1811) need to obtain two things: the victim’s email address, and phone number.

Deploying Black Basta

After that, the attackers will sign the victim up for countless email subscription services. As a result, the victim’s inbox will get absolutely hammered with newsletters, email notifications, and similar unwanted messages.

Then, they will call them on the phone, and impersonate either a Microsoft IT technician, or the IT help desk of the company the victim works for. They will offer to help sort out the problem, and will ask the victim to grant them access to their Windows devices through Quick Assist. Once the victims grant access, it’s practically game over:

“Once the user allows access and control, the threat actor runs a scripted cURL command to download a series of batch files or ZIP files used to deliver malicious payloads,” Microsoft said. “In several cases, Microsoft Threat Intelligence identified such activity leading to the download of Qakbot, RMM tools like ScreenConnect and NetSupport Manager, and Cobalt Strike.”

These tools help the attackers move laterally throughout the target network, map it out, and ultimately - deploy the Black Basta ransomware variant.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Besides deploying Black Basta, Rapid7 added that the attackers would also steal as many login credentials from the victim as they can.

“The credentials are gathered under the false context of the ‘update’ requiring the user to log in. In most of the observed batch script variations, the credentials are immediately exfiltrated to the threat actor’s server via a Secure Copy command (SCP),” Rapid7’s researchers said.

“In at least one other observed script variant, credentials are saved to an archive and must be manually retrieved.”

ViaBleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

HPE reveals critical security bug affecting networking access points

A critical Palo Alto Networks bug is being hit by cyberattacks, so patch now

Ireland vs New Zealand live stream: how to watch 2024 rugby union Autumn International online from anywhere