Attackers are using ads for fake Microsoft Teams updates to deploy ‘backdoors’, which use Cobalt Strike to infect companies’ networks with malware.
Microsoft warns that cyber-criminals are using Cobalt Strike to spread across entire networks beyond the initial point of infection, according to a report.
Microsoft is warning customers about the so-called “Fake Updates” campaigns in a non-public security advisory, according to a report in Bleeping Computer.
This campaign is targeting various types of companies, with recent targets in the K-12 education sector, where organisations currently depend on apps like Teams for video-conferencing because of COVID-19 restrictions.
Commodity Attack-Simulation Tool
Cobalt Strike is a commodity attack-simulation tool that attackers use to spread malware, especially ransomware. Recently, threat actors were seen using Cobalt Strike in attacks exploiting Zerologon, a privilege-elevation flaw that allows attackers to access a domain controller and completely compromise all Active Directory identity services.
In its advisory, Microsoft explained that it has seen attackers in the latest Fake Updates campaign using search-engine ads to push top results for Teams software to a domain that they control and use for malicious activity, according to the report.
If victims click on the link, it downloads a payload that executes a PowerShell script, which in turn loads malicious content.
Cobalt Strike ‘beacons’ are also among the payloads distributed by the campaign; they give threat actors the capability to move ‘laterally’ across a network beyond the initially infected system, according to the report.
The link also installs a valid copy of Microsoft Teams on the system to appear legitimate and avoid alerting victims to the attack.
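The chain described above leaves a recognisable trace in web-proxy logs: a client arrives from a search result and then downloads a Teams-looking installer from a host that is not Microsoft's. The following detection logic is an added example, not code from the report or from Microsoft's advisory; the log format, the allow-list of Microsoft hosts, the search-engine referrer list and the sample lines are all constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Hosts a genuine Teams installer is expected to come from. Assumption for this
# example: a defender-maintained allow-list; take the real list from Microsoft.
TRUSTED_TEAMS_HOSTS = {"teams.microsoft.com", "statics.teams.cdn.office.net"}

# Referrer hosts indicating the user arrived via a search result or search ad.
SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

# File names that look like a Teams installer (.exe/.msi at the end of the path).
INSTALLER_RE = re.compile(r"teams[^/]*\.(?:exe|msi)$", re.IGNORECASE)


def parse_proxy_line(line):
    """Constructed log format: '<client> <referrer-or-dash> <requested-url>'."""
    client, referrer, url = line.split()
    return client, None if referrer == "-" else referrer, url


def flag_suspicious_teams_downloads(log_lines):
    """Return one finding per Teams-installer download served by a host that is
    not on the allow-list, noting whether a search engine referred the client."""
    findings = []
    for line in log_lines:
        if not line.strip():
            continue
        client, referrer, url = parse_proxy_line(line)
        parsed = urlparse(url)
        if not INSTALLER_RE.search(parsed.path):
            continue                      # not an installer download
        if parsed.hostname in TRUSTED_TEAMS_HOSTS:
            continue                      # expected Microsoft source
        via_search = bool(referrer) and urlparse(referrer).hostname in SEARCH_HOSTS
        findings.append({
            "client": client,
            "host": parsed.hostname,
            "file": parsed.path.rsplit("/", 1)[-1],
            "via_search_result": via_search,
        })
    return findings


# Constructed sample lines: a legitimate download, a lookalike domain reached
# from a search result, and an unrelated asset.
SAMPLE_PROXY_LOG = [
    "10.0.0.5 https://www.google.com/ https://teams.microsoft.com/downloads",
    "10.0.0.5 https://www.google.com/ https://teams-update-download.example/Teams_windows_x64.exe",
    "10.0.0.7 - https://statics.teams.cdn.office.net/production-windows-x64/Teams_windows_x64.exe",
    "10.0.0.9 https://www.bing.com/ https://cdn.example.org/static/logo.png",
]

if __name__ == "__main__":
    for finding in flag_suspicious_teams_downloads(SAMPLE_PROXY_LOG):
        print(finding)
```

Only the second sample line is flagged; a hit with `via_search_result` set is the pattern worth correlating with subsequent PowerShell execution on that client.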
Malware distributed by the campaign includes the Predator the Thief infostealer, which steals sensitive data such as credentials, browser data and payment data, the advisory outlined. Microsoft has also noted the Bladabindi (NJRat) backdoor and the ZLoader stealer being distributed by the latest campaigns, according to the report.
In addition to the Fake Updates campaigns that use Microsoft Teams lures, Microsoft has also seen similar attack patterns in at least six other campaigns with variations on this theme, suggesting a broader attack by the same threat actors, the report stated.
In another case, attackers used the IP Logger URL shortening service, Microsoft warned.
Microsoft offered some mitigation methods for the latest generation of Fake Updates attacks. It recommends that people use web browsers that can filter and block malicious websites, and that local administrator passwords be strong and not easily guessed.
Administrator privileges should also be limited to essential users, and domain-wide service accounts with the same permissions as an administrator should be avoided, the report states.