Microsoft’s Quick Assist Function Targeted by Cybercriminals in Ransomware Attacks

Microsoft's Quick Assist Function Targeted by Cybercriminals

Microsoft’s Quick Assist Function Targeted by Cybercriminals in Ransomware Attacks

A threat actor it monitors under the alias Storm-1811 has been observed by the Microsoft Threat Intelligence team exploiting the client management tool Quick Assist to conduct social engineering attacks against users.

“Storm-1811 is a monetary-driven cybercriminal group infamous for deploying the Black Basta ransomware,” the organization stated in a May 15, 2024 report.

Unsuspecting victims are duped into deploying remote monitoring and management (RMM) tools via voice phishing impersonation, which is followed by the distribution of QakBot, Cobalt Strike, and Black Basta ransomware.

“Malicious intruders exploit Quick Assist functions to carry out social engineering attacks by pretending, for example, to be an authorized representative like Microsoft technical support or an IT professional from the target user’s organization in order to obtain initial access to a target device,” according to the technology company.

Quick Assist is an authentic Microsoft application that allows users to remotely connect to another individual’s Windows or macOS device in order to assist them in troubleshooting system-related issues. It is pre-installed on devices operating Windows 11.

In order to bolster the credibility of the attacks, the threat actors execute link listing attacks, which are a form of email bombardment attack wherein the inboxes of the targeted email addresses are flooded with subscribed content from various legitimate email subscription services.

The assailant then contacts the target user via phone calls while posing as the organization’s IT support staff. During these calls, the adversary claims to be able to assist the user in resolving the spam issue and authorize access to their device via Quick Assist.

“Once the user permits accessibility and authority, the attacker launches a scripted cURL command to download a series of batch files or ZIP files used to deliver malicious payloads,” the manufacturer of Windows stated.

“Storm-1811 takes advantage of their access to conduct additional manual keyboard operations, including domain enumeration and lateral movement.”  Storm-1811 then deploys the Black Basta ransomware across the network using PsExec.

Microsoft has expressed its intention to closely examine the improper utilization of Quick Assist in these attacks and is developing alert messages to provide users with prior notice regarding potential tech support schemes that may aid in the distribution of ransomware.

Rapid7 stated that the campaign, which is thought to have started around mid-April 2024, has targeted numerous verticals and industries, including construction, food and beverage, transportation, and manufacturing, indicating the opportunistic nature of the attacks.

Rapid7 senior manager of incident response services Robert Knapp said in a statement to News4Hackers, “The low barrier to entry into conducting these attacks, coupled with the significant impacts these attacks have on their victims, continue to make ransomware a very effective means to an end for threat actors seeking a payday.”

Microsoft has additionally characterized Black Basta as a “closed ransomware offering” in contrast to a ransomware-as-a-service (RaaS) operation comprising initial access brokers, core developers, and affiliates who execute ransomware and extortion campaigns.

It is currently “distributed by a small number of threat actors who typically rely on other threat actors for initial access, malicious infrastructure, and malware development,” according to the organization.

“Since Black Basta first appeared in April 2022, Black Basta attackers have deployed the ransomware after receiving access from QakBot and other malware distributors, highlighting the need for organizations to focus on attack stages prior to ransomware deployment to reduce the threat.”

It is advisable for organizations to block or deactivate remote monitoring and management tools such as Quick Assist when they are not in use, and to provide employee training on how to identify tech support scams.

one year cyber security diploma course

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space.  Besides writing for the News4Hackers blog, he’s also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM.  Naager entered the field of content in an unusual way.  He began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts.  He also combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field.  In the bottom line, he frequently writes for Craw Security.


Google Patches Another Zero-Day Vulnerability in Chrome That Has Been Regularly Exploited

Apple & Google’s Cross-Platform Feature Easing Detecting Unwanted Bluetooth Tracking Devices

Malicious Google Ads Used By FIN7 to Deliver NetSupport RAT

About Author

Leave a Reply

Your email address will not be published. Required fields are marked *

Open chat
Can we help you?