Cybercriminals who have been using the Black Basta ransomware have been observed abusing the remote management tool Quick Assist in vishing (voice phishing) attacks, Microsoft reports.
Active since 2022 and believed to have hit over 500 organizations globally, Black Basta is a ransomware-as-a-service (RaaS) that likely received over $100 million in ransom payments from its victims.
Last week, the US government warned of Black Basta affiliates targeting numerous critical infrastructure organizations in North America, Europe, and Australia, including healthcare entities, and using social engineering and the exploitation of known vulnerabilities for initial access.
Starting mid-April 2024, the Black Basta threat actors have been observed conducting vishing attacks in which they impersonate IT or help desk personnel to convince victims to install legitimate remote monitoring and management tools that are then abused for malware deployment.
According to Microsoft, the threat actors were seen installing tools such as ScreenConnect and NetSupport Manager, which were followed by the deployment of Qakbot, Cobalt Strike, and Black Basta ransomware.
The attacks started with Black Basta threat actors signing up the victim’s email address to multiple email subscription services to flood their inbox, and then impersonating IT support in phone calls allegedly meant to help the targeted individual resolve the issue.
During the phone call, the attackers convinced the victim to provide access to their device through Quick Assist, a Microsoft application that allows users to share their devices via a remote connection, providing the remote party with the ability to view the display or take full control, typically for troubleshooting.
“Threat actors misuse Quick Assist features to perform social engineering attacks by pretending, for example, to be a trusted contact like Microsoft technical support or an IT professional from the target user’s company to gain initial access to a target device,” Microsoft explains.
Once the user enabled screen sharing through Quick Assist, the attacker requested full control over the device and, after the user approved it, executed a command to deploy the malicious payloads, including batch scripts that install fake spam filters that requested the victim’s credentials.
In some of the observed attacks, Qakbot was deployed on the victim’s system to deliver a Cobalt Strike implant attributed to the Black Basta threat actors.
Furthermore, the attackers used ScreenConnect to gain persistence and move laterally, and followed up with hands-on-keyboard activities, including domain enumeration and the deployment of ransomware across the network, using PsExec.
Microsoft says it will help mitigate the abuse of Quick Assist in malicious attacks by incorporating alerts to inform users of possible tech support scams.
