Microsoft's intelligence division has disclosed that it observed Storm-1811, a threat actor it tracks, abusing the client management tool Quick Assist to target users in social engineering attacks.
“Storm-1811, a financially driven cybercriminal faction, has a history of deploying Black Basta ransomware,” the company said in a report released on May 15, 2024.
The attack chain uses impersonation through voice phishing to trick unsuspecting victims into installing remote monitoring and management (RMM) tools, followed by the delivery of QakBot and Cobalt Strike, and ultimately the deployment of Black Basta ransomware.
“Threat actors exploit Quick Assist functionalities to execute social engineering maneuvers, masquerading, for instance, as a trusted entity like Microsoft technical support or an IT specialist from the recipient’s organization to initiate initial infiltration into a target device,” the tech giant said.
Quick Assist, a legitimate application from Microsoft, lets users share their Windows or macOS system with another person over a remote connection, primarily for troubleshooting technical problems. It comes pre-installed on devices running Windows 11.
To make the attacks more convincing, the threat actors launch link listing attacks, a variant of email flooding in which the targeted email addresses are signed up for numerous legitimate email subscription services, flooding their inboxes with subscribed content.
The adversary then poses as the organization’s IT support team in phone calls to the targeted user, claiming to offer help with the spam problem and convincing them to grant access to their device through Quick Assist.
“Upon user authorization for access and control, the threat actor executes a scripted cURL command to retrieve a sequence of batch files or ZIP files utilized for delivering malicious payloads,” the Windows maker said.
“Storm-1811 capitalizes on their access to conduct further interactive activities such as domain scanning and lateral maneuvering. Storm-1811 then utilizes PsExec to distribute Black Basta ransomware across the network.”
Microsoft said it is investigating the misuse of Quick Assist in these attacks and is working to add warning messages to the software that alert users to possible tech support scams that could lead to ransomware delivery.
The campaign, believed to have begun in mid-April 2024, has targeted a variety of industries and verticals, including manufacturing, construction, food and beverage, and transportation, according to Rapid7, underscoring the opportunistic nature of the attacks.
“The minimal entry barriers to execute these assaults, coupled with the substantial ramifications they entail for the victims, perpetuate ransomware as a highly effective stratagem for threat actors pursuing financial gain,” remarked Robert Knapp, senior manager of incident response services at Rapid7, in a statement provided to The Hacker News.
Microsoft has also described Black Basta as a “proprietary ransomware offering” as opposed to a ransomware-as-a-service (RaaS) operation, which comprises a network of core developers, affiliates, and initial access brokers who carry out ransomware and extortion attacks.
“It is disseminated by a limited number of threat actors who typically rely on other threat actors for initial access, malevolent infrastructure, and malware development,” the company said.
“Since Black Basta’s inception in April 2022, Black Basta perpetrators have deployed the ransomware subsequent to gaining access via QakBot and other malware distributors, underscoring the imperative for organizations to focus on pre-ransomware deployment stages to mitigate the threat.”
Organizations are advised to block or uninstall Quick Assist and similar remote monitoring and management tools if they are not in use, and to train employees to recognize tech support scams.
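For teams that keep Quick Assist enabled, the pre-ransomware stages described above (a Quick Assist session, then cURL fetching batch or ZIP files, then PsExec) can be correlated in process-creation telemetry. The sketch below is an added example, not code from Microsoft's report or this article; the event layout, host names, URLs and the 60-minute window are assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events: (host, time, image path, command line).
EVENTS = [
    ("WS-014", "2024-05-02T10:01:00", r"C:\Windows\System32\QuickAssist.exe", "QuickAssist.exe"),
    ("WS-014", "2024-05-02T10:09:30", r"C:\Windows\System32\curl.exe",
     "curl.exe -s -o C:\\Users\\Public\\a.zip https://files.example.invalid/a.zip"),
    ("WS-014", "2024-05-02T10:40:00", r"C:\Tools\PsExec64.exe", "PsExec64.exe \\\\SRV-02 cmd"),
    # curl download on a host with no Quick Assist session: not flagged
    ("WS-022", "2024-05-02T11:00:00", r"C:\Windows\System32\curl.exe",
     "curl.exe -O https://intranet.example.invalid/tools.zip"),
    # Quick Assist session, but curl does not fetch a .bat/.zip: not flagged
    ("WS-031", "2024-05-02T09:00:00", r"C:\Windows\System32\QuickAssist.exe", "QuickAssist.exe"),
    ("WS-031", "2024-05-02T09:05:00", r"C:\Windows\System32\curl.exe",
     "curl.exe https://status.example.invalid/health"),
]

WINDOW = timedelta(minutes=60)               # assumed correlation window
PAYLOAD = re.compile(r"\.(bat|zip)\b", re.I)  # batch or ZIP file in the command line
PSEXEC = {"psexec.exe", "psexec64.exe"}

def detect(events, window=WINDOW):
    """Return (host, time, stage) alerts for activity that follows a Quick Assist launch."""
    session = {}   # host -> time of the most recent Quick Assist launch
    alerts = []
    for host, ts, image, cmd in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        name = image.rsplit("\\", 1)[-1].lower()
        if name == "quickassist.exe":
            session[host] = when
            continue
        start = session.get(host)
        if start is None or when - start > window:
            continue   # no recent remote-assistance session on this host
        if name == "curl.exe" and PAYLOAD.search(cmd):
            alerts.append((host, ts, "curl_payload_download"))
        elif name in PSEXEC:
            alerts.append((host, ts, "psexec_after_remote_session"))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

In production the same correlation would run over Sysmon or EDR process events, with an allowlist for sanctioned help-desk sessions.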