Hackers Abusing Teams Chat For Remote Session & To Drop Black Basta Malware
Notorious ransomware group Black Basta has been observed leveraging Microsoft Teams as part of a sophisticated social engineering campaign.
This new tactic, which combines email bombing with impersonation of IT support staff, has raised alarms in the cybersecurity community.
The attack begins with a flood of spam emails to the target’s inbox, overwhelming them with seemingly benign messages such as newsletter subscriptions and account confirmations. This deluge of emails serves as a smokescreen for the real threat that follows.
Once the victim’s inbox is inundated, the attackers initiate contact through Microsoft Teams, posing as IT support personnel offering assistance with the sudden influx of emails.
The threat actors create legitimate Microsoft Teams accounts using domains that mimic IT support services, such as:
- securityadminhelper.onmicrosoft[.]com
- supportserviceadmin.onmicrosoft[.]com
- supportadministrator.onmicrosoft[.]com
- cybersecurityadmin.onmicrosoft[.]com
These carefully crafted personas lend credibility to the attackers’ claims, making it more likely for victims to trust and engage with them.
The Black Basta operatives employ sophisticated social engineering techniques to manipulate their targets. They create a sense of urgency around the email bombing issue and offer a seemingly helpful solution.
The attackers then persuade the victim to grant remote access to their system, typically through legitimate remote desktop tools like AnyDesk, TeamViewer, or Microsoft’s Quick Assist.
Once remote access is established, the true nature of the attack unfolds. The cybercriminals deploy various malicious payloads, including:
- SystemBC: A proxy malware disguised as anti-spam software
- Cobalt Strike beacons: Used for lateral movement and command execution
- Zbot and DarkGate: Tools for credential harvesting and data exfiltration
Ultimately, these actions pave the way for the deployment of the Black Basta ransomware, encrypting the victim’s files and demanding a ransom for their release.
Organizations can implement several measures to detect and prevent these attacks:
- Monitor for spikes in incoming emails per user, regardless of their classification as spam, phishing, or malware.
- Look for suspicious keywords like “Help Desk” or “Support” in Microsoft Teams display names.
- Hunt for unusual Remote Monitoring and Management (RMM) tool usage within the environment.
- Implement strict policies for external communications in Microsoft Teams.
- Educate employees on recognizing social engineering attempts, especially those leveraging trusted platforms like Microsoft Teams.
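The first three detection measures above can be turned into a simple triage rule: an external Teams chat whose sender uses a support-themed display name or a support-themed onmicrosoft.com tenant, arriving while the recipient's inbound mail volume has spiked. The script below is an added illustration written for this article, not tooling from the report or from Microsoft; the event records, mail counts, user and tenant names are constructed sample data, and the spike thresholds are assumptions to tune per environment.

```python
import re

# Constructed sample data (not from the article): external Teams chat events
# and per-user inbound mail counts for consecutive 10-minute windows.
TEAMS_EVENTS = [
    {"user": "alice@corp.example", "external": True, "display_name": "Help Desk",
     "sender": "helpdesk@securityadminhelper.onmicrosoft.com"},
    {"user": "bob@corp.example", "external": False, "display_name": "Carol Smith",
     "sender": "carol@corp.example"},
    {"user": "dave@corp.example", "external": True, "display_name": "Partner Support",
     "sender": "it@partner.example"},
]
MAIL_COUNTS = {  # oldest window first; last entry is the current window
    "alice@corp.example": [4, 3, 5, 212],
    "bob@corp.example": [6, 7, 5, 8],
}

# Keywords the article cites ("Help Desk", "Support") plus common variants.
SUSPICIOUS_NAMES = re.compile(r"\b(help ?desk|support|it admin|security admin)\b", re.I)
SUSPICIOUS_TENANT_WORDS = re.compile(r"support|admin|security|helper", re.I)


def mail_spike(counts, factor=10, minimum=50):
    """True if the current window is at least `factor` times the baseline mean
    of earlier windows and at least `minimum` messages (assumed thresholds)."""
    if len(counts) < 2:
        return False
    *baseline, latest = counts
    mean = sum(baseline) / len(baseline)
    return latest >= minimum and latest >= factor * max(mean, 1)


def flag_teams_event(ev):
    """Return the reasons an external Teams chat resembles IT-support impersonation."""
    reasons = []
    if not ev["external"]:
        return reasons  # internal chats are out of scope for this rule
    if SUSPICIOUS_NAMES.search(ev["display_name"]):
        reasons.append("support-like display name")
    domain = ev["sender"].split("@")[-1].lower()
    if domain.endswith(".onmicrosoft.com") and SUSPICIOUS_TENANT_WORDS.search(domain.split(".")[0]):
        reasons.append("support-themed onmicrosoft.com tenant")
    if mail_spike(MAIL_COUNTS.get(ev["user"], [])):
        reasons.append("recipient under email bombing")
    return reasons


def triage(events=TEAMS_EVENTS):
    """Map each user with at least one hit to the list of reasons."""
    return {ev["user"]: r for ev in events if (r := flag_teams_event(ev))}


if __name__ == "__main__":
    for user, reasons in triage().items():
        print(f"{user}: {', '.join(reasons)}")
```

A chat that hits all three conditions, as Alice's does here, is the pattern the article describes and is worth an immediate call to the user before any remote-access tool is launched.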
This campaign by Black Basta is part of a larger trend of cybercriminals exploiting collaboration tools for malicious purposes.
As more organizations rely on platforms like Microsoft Teams for daily operations, these tools become increasingly attractive targets for threat actors. The sophistication of this attack underscores the evolving nature of cyber threats.
By combining email bombing, social engineering, and abuse of legitimate collaboration tools, Black Basta illustrates the complex challenges facing modern cybersecurity efforts.
As this threat continues to evolve, organizations must remain vigilant and adaptive in their security strategies.
Regular security awareness training, robust email filtering, and careful monitoring of collaboration platforms are essential components of a comprehensive defense against these advanced social engineering tactics.
As such, a multi-layered approach to security, combining technological solutions with human awareness, remains the best defense against these sophisticated cyber threats.
The post Hackers Abusing Teams Chat For Remote Session & To Drop Black Basta Malware appeared first on Cyber Security News.