Fake IT Support Attacks Target Employees over Microsoft Teams
Security researchers have attributed a series of phishing campaigns to a threat group tracked as EncryptHub, also known as LARVA-208 or Water Gamayun. The group has repeatedly targeted English-speaking IT staff, developers, and Web3 professionals.
EncryptHub's modus operandi relies on Microsoft Teams, a platform deeply embedded in enterprise communication. Rather than breaking into the platform, the attackers operate inside it: they create fake IT support accounts whose display names impersonate support staff ("IT SUPPORT," "Help Desk," or department-based aliases), sometimes adding checkmark emojis so the name appears verified. Because the accounts live outside the victim's organization, the first contact typically arrives as an external Teams chat.
Once these accounts are established, the attackers message employees directly and pressure them to install or launch remote access tools such as Quick Assist or AnyDesk. Quick Assist ships with Windows, so the victim may only need to open it and read back a session code. Once a tool is running and the victim grants access, the threat actors have interactive control of the endpoint and can deploy credential-stealing malware and establish persistence for long-term access.
The same Teams-based fake IT support lure has appeared in other campaigns, including ones delivering Black Basta ransomware, the DarkGate malware, and the Matanbuchus loader (the latter two are loaders rather than ransomware). Those campaigns are not necessarily the work of EncryptHub; the sources do not name the group behind each of them.
The Teams phishing campaign that distributed DarkGate was first reported by AT&T Cybersecurity. Teams-based campaigns using the Matanbuchus loader have likewise been documented by security researchers, but the groups behind them remain unnamed.
Security teams should monitor for unusual Teams activity, in particular unsolicited chats from external tenants, which can carry social engineering attempts that never pass through the email gateway. Employees should be reminded that a display name, a checkmark emoji, or the Teams client itself does not prove who is on the other end, and that any unsolicited request to install a remote access tool should be verified through a known internal channel before anything is installed.
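The monitoring described above can be reduced to two signals: an external sender whose display name mimics internal IT support, and a remote-access tool started by the targeted user shortly afterwards. The following is an added example (not code from the original article or from any vendor) that scores both signals over constructed sample records. The Teams records are loosely modelled on Microsoft 365 unified audit log "MessageSent" entries and the process records on Sysmon Event ID 1, but the field names, the home domain `example.com`, the account-to-UPN mapping and all event values are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Field names are simplified
# assumptions, not the exact Microsoft 365 or Sysmon schema.
HOME_DOMAINS = {"example.com"}

TEAMS_EVENTS = [
    # External sender impersonating IT support, with a checkmark emoji.
    {"CreationTime": "2025-06-03T09:14:00", "Operation": "MessageSent",
     "UserId": "helpdesk@contoso-itsupport.onmicrosoft.com",
     "SenderDisplayName": "IT SUPPORT \u2705",
     "Members": [{"UPN": "alice@example.com"}],
     "ParticipantInfo": {"HasForeignTenantUsers": True}},
    # Ordinary internal chat: never flagged.
    {"CreationTime": "2025-06-03T09:20:00", "Operation": "MessageSent",
     "UserId": "bob@example.com", "SenderDisplayName": "Bob Smith",
     "Members": [{"UPN": "alice@example.com"}],
     "ParticipantInfo": {"HasForeignTenantUsers": False}},
    # External but with a plausible personal name: not an impersonation hit.
    {"CreationTime": "2025-06-03T10:02:00", "Operation": "MessageSent",
     "UserId": "dana@partner.example.net", "SenderDisplayName": "Dana Lee",
     "Members": [{"UPN": "carol@example.com"}],
     "ParticipantInfo": {"HasForeignTenantUsers": True}},
]

PROCESS_EVENTS = [
    {"UtcTime": "2025-06-03T09:31:00", "User": "EXAMPLE\\alice",
     "Image": "C:\\Windows\\System32\\quickassist.exe"},
    {"UtcTime": "2025-06-03T13:45:00", "User": "EXAMPLE\\carol",
     "Image": "C:\\Users\\carol\\Downloads\\AnyDesk.exe"},
]

# Display names that mimic internal support, or carry a "verified" emoji.
IMPERSONATION_RE = re.compile(
    r"(?i)\b(?:it\s*support|help\s*desk|service\s*desk|it\s*admin)\b"
    r"|[\u2705\u2714\u2611\u2713]")
REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe"}


def _domain(upn):
    return upn.rsplit("@", 1)[-1].lower()


def _ts(s):
    return datetime.fromisoformat(s)


def flag_teams_contacts(events, home_domains=HOME_DOMAINS):
    """Return chats from outside the home domains whose sender display name
    mimics internal IT support, one record per internal recipient."""
    hits = []
    for ev in events:
        sender = ev["UserId"]
        external = (_domain(sender) not in home_domains
                    or ev.get("ParticipantInfo", {}).get("HasForeignTenantUsers", False))
        name = ev.get("SenderDisplayName", "")
        if not external or not IMPERSONATION_RE.search(name):
            continue
        for m in ev["Members"]:
            if _domain(m["UPN"]) in home_domains:
                hits.append({"time": _ts(ev["CreationTime"]), "sender": sender,
                             "display_name": name, "target": m["UPN"].lower()})
    return hits


def correlate_remote_tools(hits, process_events, upn_suffix="example.com",
                           window=timedelta(hours=2)):
    """Pair each flagged contact with a remote-access tool the targeted user
    started within `window` after the message. The DOMAIN\\user to UPN mapping
    is an assumption for this sample."""
    alerts = []
    for h in hits:
        for p in process_events:
            image = p["Image"].rsplit("\\", 1)[-1].lower()
            if image not in REMOTE_TOOLS:
                continue
            account = p["User"].rsplit("\\", 1)[-1].lower()
            if f"{account}@{upn_suffix}" != h["target"]:
                continue
            delta = _ts(p["UtcTime"]) - h["time"]
            if timedelta(0) <= delta <= window:
                alerts.append({"user": h["target"], "sender": h["sender"],
                               "tool": image,
                               "minutes_after_contact": int(delta.total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    hits = flag_teams_contacts(TEAMS_EVENTS)
    for a in correlate_remote_tools(hits, PROCESS_EVENTS):
        print(f"ALERT {a['user']}: {a['tool']} started {a['minutes_after_contact']} min "
              f"after external contact from {a['sender']}")
```

In the sample data only Alice's chat is flagged, and her Quick Assist launch 17 minutes later produces the one alert; Carol's AnyDesk run is not correlated because the external contact she received used a plain personal name. In production the name regex is the weakest part of the logic, so it is worth treating the external-plus-remote-tool sequence as the high-confidence signal and the name match only as an enrichment.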
EncryptHub has also demonstrated persistence, credential theft, and encrypted communication with attacker-controlled servers, as seen in a PowerShell script retrieved from a malicious domain. Defending against that activity means limiting external Teams contact to what the business actually needs, constraining who can run remote-assistance tools on managed endpoints, and keeping systems patched.
By using Microsoft Teams, attackers bypass traditional email defenses and embed their operations in trusted corporate workflows. Organizations should stay informed about these threats and adopt security controls that cover chat platforms, not just email, to safeguard their systems and data.