The Bitdefender MDR team observed activity associated with a social engineering campaign that targets commonly used software: Microsoft Teams and Quick Assist. This blog includes information from the MDR team’s latest analysis. Bitdefender is releasing it to the public to support information sharing efforts.
Threats that abuse Microsoft Teams and Quick Assist have persisted for more than three months. However, in these instances, the successful infiltration of a victim environment does not result from executing malicious code or brute forcing a device with administrator level access. Instead, the threat actor only needs to manipulate a user’s trust to take control of the victim’s system and set the stage for the next compromise.
The graphic below captures the essential parts of the social engineering campaigns Bitdefender’s MDR team have encountered that leverage Microsoft Teams and Quick Assist.
Threat actors, in recent months, have used both email and Microsoft Teams accounts under monikers like “IT Support” to perform social engineering. These accounts are obtained in two ways. In some cases, an “IT Support” account is already present in the target environment, so the account is familiar to the target; the attacker takes over that account following the sale or leak of company credentials. In other cases, the threat actor creates new accounts that are distinct and separate from the target environment.
How is social engineering conducted? The threat actor communicates with the user, often through Teams direct chats or via Teams call, convincing them to reach the help desk to resolve any technical issues. While this approach may appear unusual and even clumsy, it’s worth noting that prior to the exchange, targets may be subjected to a flood of spam messages. So, it’s not unreasonable for the targets to presume that a security feature was changed after an update, or their email service for instance has some malfunction that needs to be fixed.
An end-user sends a Teams communication back to “IT Support” about resolving a technical issue. The attacker, disguised as an IT representative advises the user to connect over Quick Assist. The attacker may also attempt to reach out to the end-user several times if there’s a lull in the process. Quick Assist is a program that is signed and owned by Microsoft. It is designed to support system administrators in managing troubleshooting activities remotely. After the end-user launches Quick Assist, “IT Support” asks the user to provide the Quick Assist security code. Once “IT Support” receives the security code over a Teams chat or by phone, the threat actor has achieved their first goal: to successfully establish initial access. Then, the threat actor can proceed by applying system changes, loading malicious payloads, and obtaining credentials and other data.
The following section provides further information on the tactics used to fulfill the preliminary phases of the attack cycle.
Threat actors use Microsoft Teams and Quick Assist to communicate with end-users and then establish access to their systems. If the end-user already has Quick Assist in their environment, the attacker proceeds by requesting that the user launches it and provides the security code to establish remote access. If the end-user does not already use Quick Assist, then they are prompted to download it.
The end-user may choose to download Quick Assist from the Microsoft Store. In that scenario, the application comes from a trusted source. As a result, it does not have any indications that it’s a malicious program. Bitdefender’s MDR team noted this when reviewing instances that involved a recent installation of the verified Quick Assist software. In those instances, Quick Assist.exe had the following hash value:
5fe72023b11f4a8a9e5a5d3c950c4ff99743d13c7d8b151734e4e71326083191
Installations of Quick Assist.exe that occurred after downloading it from the Microsoft Store were associated with the following file path:
C:\Program Files\WindowsApps\MicrosoftCorporationII.QuickAssist_2.0.32.0_x64_8wekyb3d8bbwe\Microsoft.RemoteAssistance.QuickAssist\QuickAssist.exe
Bitdefender’s MDR team also observed an instance where the attacker directed an end-user to download Quick Assist Intaller.exe using a provided link. That Quick Assist Intaller.exe program had the following hash value:
EC86B7FF5521C9698599677EC8C18E4230A5D6CFC9A997B022DB6F5912A9ABAA
Links that attackers have sent to victims, including a link to download a Quick Assist installer and other files, likely originated from a compromised SharePoint site. A SharePoint URL that is associated with the attacker is:
hxxps://pdve-my.sharepoint.com/personal/ruteh_pdve_org/Documents/Apps/RuleFix.zip?ct=1727213144159&or=Teams-HL&ga=1&LOF=1
The suspicious URLs, provided below, are associated with multiple phishing attempts. While they have misspellings and letter omissions, the URLs look like common, legitimate services, including Microsoft’s Admin portal and Gmail.
hxxps://admin.mocrsoft.com/
hxxps://gmai.com/
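A defender triaging Teams links can screen for lookalike domains of the kind listed above before a user ever clicks them. The following Python is an added example, not Bitdefender code: it refangs a defanged URL, extracts the registrable domain (crudely, as the last two labels), and compares it against a short list of legitimate services using edit distance. The list of legitimate domains, the distance threshold, and the benign sample URL are assumptions; the two phishing URLs are the ones given in this writeup.

```python
"""Flag lookalike domains in (defanged) URLs. Added example, not Bitdefender's tooling."""
from urllib.parse import urlparse

# Services imitated by the campaign URLs in the writeup. This list is an assumption;
# a real deployment would use the organisation's own allow-list.
LEGIT_DOMAINS = ["microsoft.com", "gmail.com", "sharepoint.com"]

# Constructed sample: the two phishing URLs from the writeup plus one benign URL.
SAMPLE_URLS = [
    "hxxps://admin.mocrsoft.com/",
    "hxxps://gmai.com/",
    "https://admin.microsoft.com/",   # benign, constructed
]


def refang(url: str) -> str:
    """Undo common defanging (hxxp, [.]) so the URL can be parsed."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def registrable_domain(url: str) -> str:
    """Return the last two host labels. Simplification: ignores multi-part public suffixes."""
    host = urlparse(refang(url)).hostname or ""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, max_distance: int = 2):
    """Return (domain, verdict, closest_legit_domain).

    verdict is "legitimate" for an exact match, "lookalike" when the domain is within
    max_distance edits of a legitimate one, and "unknown" otherwise.
    """
    dom = registrable_domain(url)
    if dom in LEGIT_DOMAINS:
        return dom, "legitimate", dom
    best = min(LEGIT_DOMAINS, key=lambda d: levenshtein(dom, d))
    if levenshtein(dom, best) <= max_distance:
        return dom, "lookalike", best
    return dom, "unknown", None


def scan(urls):
    """Classify a batch of URLs; returns only the entries that are not known-legitimate."""
    return [classify(u) for u in urls if classify(u)[1] != "legitimate"]


if __name__ == "__main__":
    for dom, verdict, near in scan(SAMPLE_URLS):
        print(f"{dom:25s} {verdict:10s} closest: {near}")
```

The threshold of two edits catches both misspellings from the writeup (mocrsoft is two edits from microsoft, gmai one edit from gmail) while leaving unrelated domains as "unknown" rather than forcing a match.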
The threat actor establishes access to a victim’s computer. Then, they achieve persistence to create the foothold necessary to advance the attack later. The attacker executes scripts within Command Prompt to establish persistence, which results in the download of a file and/or the creation of a scheduled task.
The following instances illustrate the execution of scripts in Command Prompt that download .JAR files:
cmd.exe /c start /b C:\Users\Public\Documents\Protocol-Route-Manager\jdk-23.0.1\bin\javaw.exe -jar C:\Users\Public\Documents\Protocol-Route-Manager\Protocol-Route-Manager.jar
cmd.exe /c start /b C:\Users\Public\Documents\RuleFix\jdk-23_windows-x64_bin\jdk-23\bin\javaw.exe -jar C:\Users\Public\Documents\RuleFix\RuleFix.jar
The second command above references a JAR file (RuleFix.jar); this Java application is malicious and has the following hash value:
295c950c8a7c22060ebf2d2013da7009dbead28d0589ca03c93c78811e31d37c.
Further analysis of this file was limited; however, .JAR (Java archive) files can be used to embed additional payloads that may interact with far more platforms than portable executables, given their compatibility with Java resources. Threat actors use the JDK (Java Development Kit) to execute and modify relevant files from the JAR.
The MDR team also discovered a scheduled task following the download of the file named identity.jar:
“C:\Users\Public\Documents\Protocol-Route-Manager\identity.jar”
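The two command lines and the scheduled task above share a pattern a SOC can alert on: a JDK unpacked under C:\Users\Public\Documents launching a JAR from the same user-writable location, and a task creation that references a .jar. The Python below is an added detection example, not Bitdefender's detection logic; it runs over constructed process-creation events (the first two command lines are the ones quoted in this writeup, the schtasks line and the benign JDK launch are constructed, and the task name "Updater" is an assumption). The rule names and the choice of C:\Users\Public\Documents as the suspicious directory are assumptions.

```python
"""Detect JAR launches from user-writable paths and JAR-backed scheduled tasks.
Added example; constructed events, not Bitdefender's detection content."""
import re

# Constructed process-creation events. Events 0 and 1 are the command lines from the
# writeup; event 2 (task creation, task name is an assumption) and event 3 (benign
# JDK launch from Program Files) are constructed.
SAMPLE_EVENTS = [
    {"image": "cmd.exe", "cmdline": r"cmd.exe /c start /b C:\Users\Public\Documents\Protocol-Route-Manager\jdk-23.0.1\bin\javaw.exe -jar C:\Users\Public\Documents\Protocol-Route-Manager\Protocol-Route-Manager.jar"},
    {"image": "cmd.exe", "cmdline": r"cmd.exe /c start /b C:\Users\Public\Documents\RuleFix\jdk-23_windows-x64_bin\jdk-23\bin\javaw.exe -jar C:\Users\Public\Documents\RuleFix\RuleFix.jar"},
    {"image": "schtasks.exe", "cmdline": r'schtasks.exe /create /tn Updater /tr "C:\Users\Public\Documents\Protocol-Route-Manager\identity.jar" /sc onlogon'},
    {"image": "javaw.exe", "cmdline": r'"C:\Program Files\Java\jdk-21\bin\javaw.exe" -jar C:\Tools\build\app.jar'},
]

# Directory prefix treated as user-writable and rarely a legitimate JDK/JAR location (assumption).
PUBLIC_DOCS = r"c:\users\public\documents"

# java/javaw launching a JAR: capture the JAR path. Paths containing spaces are not handled.
JAR_LAUNCH = re.compile(r'java(?:w)?\.exe"?\s+.*?-jar\s+"?(?P<jar>[^\s"]+\.jar)', re.IGNORECASE)
# Full path of the java/javaw binary that was executed.
JAVA_EXE = re.compile(r'([A-Za-z]:\\[^\s"]*?java(?:w)?\.exe)', re.IGNORECASE)
# Any .jar path, used for the scheduled-task rule.
ANY_JAR = re.compile(r'[A-Za-z]:\\[^\s"]*?\.jar', re.IGNORECASE)


def is_user_writable(path: str) -> bool:
    return path.lower().startswith(PUBLIC_DOCS)


def analyze(event: dict) -> list:
    """Return a list of (rule, artifact) findings for one process event."""
    findings = []
    cmd = event["cmdline"]

    launch = JAR_LAUNCH.search(cmd)
    if launch:
        jar = launch.group("jar")
        if is_user_writable(jar):
            findings.append(("jar-from-public-docs", jar))
        # A JDK dropped next to the payload: javaw.exe itself runs from the public folder.
        exe = JAVA_EXE.search(cmd)
        if exe and is_user_writable(exe.group(1)):
            findings.append(("jdk-from-public-docs", exe.group(1)))

    if event["image"].lower() == "schtasks.exe" and "/create" in cmd.lower():
        jar = ANY_JAR.search(cmd)
        if jar:
            findings.append(("scheduled-task-runs-jar", jar.group(0)))

    return findings


def scan(events) -> list:
    """Indices of events that produced at least one finding."""
    return [i for i, e in enumerate(events) if analyze(e)]


if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        for rule, artifact in analyze(SAMPLE_EVENTS[i]):
            print(f"event {i}: {rule} -> {artifact}")
```

The benign launch from C:\Program Files produces no finding, which is the point of keying on the directory rather than on javaw.exe alone: Java is common on workstations, but a JDK and JAR that both live under a public, user-writable folder are not.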
Several social engineering campaigns that used Microsoft Teams and Quick Assist were examined. With the help of the Bitdefender MDR team, incidents were detected early in the attack cycle following download activity and reports from customers of unusual Teams correspondence. Despite the common misconception of attackers taking immediate action following initial access, there's often a delay before that access escalates to a breach of availability or integrity. This 'dwell time' provides experienced SOC/MDR teams with the opportunity to prevent unauthorized access from escalating further in the attack chain to data loss or even service disruptions. While evidence to attribute the incidents to one specific threat actor is limited, it is suspected that a ransomware group or cybercrime syndicate is behind these incidents based on the attack structure, scale, and potential dwell time.
The MDR team did not observe the use of ransomware in the social engineering campaigns. However, the events captured in the Initial Access and Persistence phases represent steps that threat actors typically complete to establish a foothold in a victim environment. These steps precede phases that make up broader, multi-stage campaigns that may take weeks or months to execute, including ransomware incidents. Therefore, ransomware activities such as data encryption, data exfiltration, and data leaks, have potential consequences that could impact an organization that is not able to detect the threat or identify an instance of unauthorized access.
Black Basta is a Ransomware-as-a-Service (RaaS) group that has used Microsoft Teams and Quick Assist in their social engineering campaigns for several months. After the threat actor has access to a victim’s machine, they can execute malicious software, including RMM tools and ransomware on affected hosts. Black Basta has also devised ways to incorporate QR codes into their phishing operations that make use of MS Teams.
VEILDrive is a threat group that has exploited vulnerabilities and implemented not only Microsoft Teams and Quick Assist in their attacks but also OneDrive and SharePoint. Their use of Java components to develop payloads and OneDrive to engage in Command-and-Control activities has been reported amongst several outlets.
Trojan.Agent.GMUC and Java.Trojan.Agent.SH are two viruses associated with a .JAR file that were present in the social engineering campaigns. Bitdefender MDR has the latest detection signatures for these viruses. Customers are advised to review their MDR update settings to ensure that their solution is current and using the latest signatures.
While MDR can identify malicious activities that occur after the attacker takes control of a system using Quick Assist, e.g., detecting the execution of a malicious downloader or attempts to modify registry keys, it’s best to reduce the odds of the attacker accessing your environment in the first place. It is advised that organizations implement the following security practices to guard against phishing campaigns and security breaches:
We would like to thank Bitdefender’s Joshua Armstrong and Sean Nikkel for their help in preparing this release.