Ransomware crew pose as Microsoft Teams IT support to steal logins and passwords


The prolific cybercrime group Black Basta has adapted one of its newer intrusion techniques, used to gain initial access, persist inside organizations and launch ransomware, by moving part of the social engineering onto Microsoft Teams.

The underlying technique is highly targeted. The attackers first 'spear-spam' a chosen employee's email inbox, flooding it with so much junk that the inbox becomes unusable.

The attackers then phone the employee, pose as the organization's IT helpdesk, and offer to help with the flood of spam they themselves caused.

Spear-spam

While 'helping' the employee, the attackers take control of the victim's device by having them install the AnyDesk remote desktop software or launch the built-in Windows Quick Assist tool. From there they deploy payloads that install ScreenConnect, NetSupport Manager and Cobalt Strike, and through those tools they carry out their usual ransomware attack.

In Black Basta's latest twist on this technique, the group skips the phone call and instead contacts the employee through Microsoft Teams from an external account set up to mimic the organization's IT helpdesk. The accounts sit in Entra ID tenants whose names look legitimate at a glance but are clearly fake on closer inspection.

ReliaQuest, which observed the shift in tactics earlier this month, explained that Black Basta was using default tenant domains ending in "*.onmicrosoft.com", such as "securityadminhelper.onmicrosoft[.]com" or "supportserviceadmin.onmicrosoft[.]com". The attackers also set their screen name to "Help Desk", padded with whitespace characters so that it sits in the centre of the chat header, and added the target to a "OneOnOne" chat. They then continued the attack as before, delivering payloads in files named "AntispamAccount.exe", "AntispamUpdate.exe" or "AntispamConnectUS.exe".
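The indicators above (an external default *.onmicrosoft.com tenant, a "Help Desk" display name padded with whitespace, a one-on-one chat, and Antispam*.exe file names) are concrete enough to turn into a triage check. The following is an added example, not code from ReliaQuest or TechRadar: it scores chat records against those indicators. The record fields, the allow-list and the sample chats are all constructed for illustration and would need to be mapped from your own Teams export or audit data.

```powershell
# Added example: score Teams chat records against the Black Basta indicators
# described in the article. Field names, the trusted-domain list and the
# sample records below are constructed assumptions, not a real Teams schema.

$TrustedDomains = @('contoso.com', 'partner-msp.example')  # assumed allow-list

# Collapse every run of whitespace (including U+3000 ideographic space and
# U+200B zero-width space) so a padded display name compares as plain text.
function Get-NormalizedName {
    param([string]$Name)
    return (($Name -replace '[\s\u200B\u3000]+', ' ')).Trim()
}

function Test-SuspiciousTeamsChat {
    param([Parameter(Mandatory)][pscustomobject]$Chat)

    $reasons = @()
    $domain  = ($Chat.SenderUpn -split '@')[-1].ToLowerInvariant()
    $name    = Get-NormalizedName $Chat.DisplayName

    if ($domain -notin $TrustedDomains) {
        if ($domain -like '*.onmicrosoft.com') {
            $reasons += "external sender on a default onmicrosoft.com tenant: $domain"
        } else {
            $reasons += "external sender outside the allow-list: $domain"
        }
    }
    if ($name -match '^(help ?desk|it (support|help ?desk)|support)$') {
        $reasons += "display name impersonates IT support: '$name'"
    }
    if ($Chat.DisplayName -cne $name) {
        $reasons += 'display name padded with whitespace'
    }
    foreach ($file in $Chat.Files) {
        if ($file -match '^antispam.*\.exe$') {
            $reasons += "payload-style attachment name: $file"
        }
    }
    if ($Chat.ChatType -eq 'OneOnOne' -and $reasons.Count -gt 0) {
        $reasons += 'delivered as a one-on-one chat'
    }

    [pscustomobject]@{
        ChatId     = $Chat.ChatId
        Suspicious = ($reasons.Count -ge 2)   # a single weak signal alone is noise
        Reasons    = $reasons
    }
}

# Constructed sample records: two chats modelled on the reported indicators
# and one benign chat from an allow-listed partner domain.
$pad = [string][char]0x3000 * 4
$SampleChats = @(
    [pscustomobject]@{ ChatId = 'chat-1'; ChatType = 'OneOnOne'
        SenderUpn = 'admin@securityadminhelper.onmicrosoft.com'
        DisplayName = "$pad Help Desk $pad"; Files = @('AntispamAccount.exe') }
    [pscustomobject]@{ ChatId = 'chat-2'; ChatType = 'OneOnOne'
        SenderUpn = 'it@supportserviceadmin.onmicrosoft.com'
        DisplayName = 'Help Desk'; Files = @() }
    [pscustomobject]@{ ChatId = 'chat-3'; ChatType = 'Group'
        SenderUpn = 'jane@partner-msp.example'
        DisplayName = 'Jane Doe'; Files = @('Q3-report.pdf') }
)

$SampleChats | ForEach-Object { Test-SuspiciousTeamsChat $_ } | Format-List
```

Run as written, chat-1 and chat-2 come back as Suspicious with their reasons listed, while chat-3 does not. The threshold of two signals is deliberate: a legitimate external MSP may well call itself "Support", and a default onmicrosoft.com tenant on its own is common among small partners, so a single indicator should raise the priority of a record rather than block on it.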

ReliaQuest also observed that a significant proportion of the fake Teams accounts originated from Russia, with many carrying time zone data mapped to Moscow. It recommends that administrators and security teams restrict Microsoft Teams chat from external accounts to an explicit list of trusted domains, and enable audit logging of Teams chat events so that new chats from external tenants can be detected.
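Both recommendations can be applied from PowerShell. The following is an added example, not code from ReliaQuest or the article: it uses the MicrosoftTeams and ExchangeOnlineManagement modules to limit federated chat to an allow-list and to pull recent chat-creation events from the unified audit log. The partner domain is a placeholder, and the final filter is a plain string match on the raw audit record rather than an assumption about its field layout.

```powershell
# Added example: apply the two hardening steps recommended above. Requires the
# MicrosoftTeams and ExchangeOnlineManagement modules, a Teams administrator
# role and audit-log read rights. 'partner-msp.example' is a placeholder.
Connect-MicrosoftTeams

# 1. Restrict external (federated) chat to an explicit allow-list and turn off
#    chat from Teams consumer and Skype accounts. An empty allow-list blocks all
#    external tenants, including throwaway *.onmicrosoft.com ones.
$allowed = New-CsEdgeAllowList -AllowedDomain @(
    (New-CsEdgeDomainPattern -Domain 'partner-msp.example')
)
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomains $allowed `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false `
    -AllowPublicUsers $false

# Verify the effective configuration before relying on it.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowPublicUsers

# 2. Ensure Teams activity is being ingested into the unified audit log, then
#    pull the last week of chat-creation events that mention an onmicrosoft.com
#    participant for review.
Connect-ExchangeOnline
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType MicrosoftTeams -Operations ChatCreated -ResultSize 5000

$events |
    Where-Object { $_.AuditData -match 'onmicrosoft\.com' } |
    Select-Object CreationDate, UserIds, AuditData
```

The same federation setting is reachable in the Teams admin center under external access by choosing to allow only specific external domains; the PowerShell form is easier to audit and to keep in version control. Note that an allow-list only controls Teams chat and calls, so users should still be told that the real IT helpdesk will never ask them to launch Quick Assist or install AnyDesk from a chat message.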

Black Basta has been blamed for over 500 ransomware attacks worldwide, and has established itself as one of the most prolific ransomware-as-a-service providers. The group emerged early in 2022, and is likely composed of fragments of the Conti ransomware group that collapsed in the same year.


Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. There he studied for a BA in Politics with Journalism, for which he received a second-class honours (upper division), before continuing at postgraduate level and achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict shifted his focus to cybersecurity, covering state-sponsored threat actors, malware, social engineering and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security and password management.