Russian ransomware hackers increasingly posing as tech support on Microsoft Teams
Russian cybercriminals are adopting a scam in which they pose as tech support on Microsoft Teams to convince victims they have an IT issue before tricking employees into allowing them to install ransomware on the targets’ computer networks.
British cybersecurity company Sophos reported on Thursday that it had seen more than 15 incidents in which two separate groups used Microsoft Office 365’s default service settings to socially engineer their way onto a victim’s system.
The company’s report finds an overlap between one of these attackers and a group tracked under the name Storm-1811, previously identified by Microsoft as conducting these kinds of scams. The other group, which appears to be copying the Storm-1811 playbook, has possible connections to a cybercrime group tracked as FIN7.
Sean Gallagher, principal threat researcher at Sophos X-Ops, told Recorded Future News that the new campaigns were uncovered after the team was “researching some BeaverTail cases, some actual nation-state stuff going on, with North Korea.”
BeaverTail is a type of malware that has been used by hackers linked to North Korea, where the threat actors pretend to be recruiters on job search platforms before getting victims to download malware, often to drain any cryptocurrency wallets associated with their devices.
“From the first second I looked at the report, I said ‘No, this is something totally different,’” said Gallagher, noting that there were a range of details that didn’t match the North Korean modus operandi, including the victimology and the type of malware deployed.
“A customer had two employees that had received a very large volume of email in a very short period of time. [One of them] was working from home, it was U.S. election day, and they suddenly got all these emails, and then they received a Teams call from someone claiming to be their help desk manager. And that was how it started,” said Gallagher.
“Both threat actors operated their own Microsoft Office 365 service tenants as part of their attacks and took advantage of a default Microsoft Teams configuration that permits users on external domains to initiate chats or meetings with internal users,” explained the Sophos report.
‘They don’t pay attention’
In a couple of cases the Teams communication was a voice call, “in others it’s been a video call,” said Gallagher, but the victims themselves weren’t paying particular attention to who was calling or where from, mostly believing that the calls were from a legitimate outsourced support provider.
“You know, when you’re in the middle of receiving 3,000 emails in half an hour, and especially with organizations that have outsourced their IT support, they don’t pay attention to who they’re talking to, they think ‘Oh, this makes sense, it’s my outsourced IT,’ right? So we didn’t get any artists’ sketches!”
Alongside these social engineering approaches, the fake support staff also sent text messages over the Teams chat function, often including links to tools that the adversary would use once they had tricked the victim into granting them remote control — often using Microsoft’s own tools, either QuickAssist (for the Storm-1811 crew) or directly through Teams screen share (for the group with links to FIN7).
“We didn’t pick up a lot of details about the threat actor from our Microsoft Office 365 integration,” said Gallagher. “We got the account name and we got the remote IP address. The remote IP address was in Russia.”
Of the more than 15 incidents, Gallagher said Sophos was able to protect the majority of them: “There was one that was not one of our managed detection responses customers, who was just a Sophos endpoint customer, who had data exfiltration but ransomware did not execute.”
During the case on U.S. Election Day, after the fake support staff had instructed the employee to allow a remote screen control session, the attacker used it to open a command shell, drop files and execute malware. The files included a Java archive (JAR) and a .zip archive containing Python code that copied obfuscation methods previously seen being used by FIN7.
Sophos cautions however that the obfuscation method itself is based on publicly available code, and that FIN7 is known to have sold tools to other cybercriminals.
In another group of incidents, the hackers operated differently both during the fake support chat and once they had access to the victim’s device — relying “much more on ‘hands-on-keyboard’ actions and scripted commands” launched directly by the hackers, something that more directly overlapped with what Microsoft had described when reporting on Storm-1811.
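The chain described above (a Quick Assist screen-control session, then a command shell, then a JAR or a .zip of Python code) is something a defender can look for in host telemetry. The following is an added example and is not code from the article or from Sophos: it correlates process-creation events per host, opening a window whenever `QuickAssist.exe` starts and flagging hosts where a shell and a matching payload launch both occur inside that window. The event shape (`Time`, `Host`, `Image`, `CommandLine`) and the sample events are constructed; map them from your own source (for example Sysmon Event ID 1 or EDR process events). The Teams screen-share variant has no distinctive host process, so it needs Teams call or audit records rather than this rule.

```powershell
# Added example (not from the article or the Sophos report). Event fields and
# sample values are constructed; map them from your own process-creation telemetry.

$RemoteAssistImages = @('quickassist.exe')                   # screen-control tool used in the Storm-1811 cases
$ShellImages        = @('cmd.exe', 'powershell.exe', 'pwsh.exe')
$DefaultWindowMin   = 30                                      # how long after the assist session starts we keep looking

function Find-RemoteAssistShellChains {
    param(
        [Parameter(Mandatory)] [object[]] $Events,            # objects with Time, Host, Image, CommandLine
        [int] $WindowMinutes = $DefaultWindowMin
    )
    $findings = @()
    foreach ($hostGroup in ($Events | Group-Object -Property Host)) {
        $ev = @($hostGroup.Group | Sort-Object -Property Time)
        # Every Quick Assist start on this host opens a correlation window.
        foreach ($a in ($ev | Where-Object { $RemoteAssistImages -contains $_.Image.ToLower() })) {
            $end    = $a.Time.AddMinutes($WindowMinutes)
            $later  = @($ev | Where-Object { $_.Time -ge $a.Time -and $_.Time -le $end })
            $shells = @($later | Where-Object { $ShellImages -contains $_.Image.ToLower() })
            # Payload launches matching the article: a JAR run via java, or Python code run from a .zip.
            $payloads = @($later | Where-Object {
                ($_.Image -ieq 'java.exe'   -and $_.CommandLine -match '(?i)-jar\s+"?[^"\s]+\.jar') -or
                ($_.Image -ieq 'python.exe' -and $_.CommandLine -match '(?i)\.zip')
            })
            if ($shells.Count -gt 0 -and $payloads.Count -gt 0) {
                $findings += [pscustomobject]@{
                    Host       = $hostGroup.Name
                    AssistTool = $a.Image
                    Started    = $a.Time
                    Shells     = ($shells   | ForEach-Object Image | Sort-Object -Unique) -join ','
                    Payloads   = ($payloads | ForEach-Object CommandLine) -join ' | '
                }
            }
        }
    }
    return $findings
}

# Constructed sample: WKS-01 shows the full chain, WKS-02 only a benign Quick Assist session.
$SampleEvents = @(
    [pscustomobject]@{ Time = [datetime]'2024-11-05 14:02'; Host = 'WKS-01'; Image = 'QuickAssist.exe'; CommandLine = 'QuickAssist.exe' }
    [pscustomobject]@{ Time = [datetime]'2024-11-05 14:05'; Host = 'WKS-01'; Image = 'cmd.exe';         CommandLine = 'cmd.exe' }
    [pscustomobject]@{ Time = [datetime]'2024-11-05 14:07'; Host = 'WKS-01'; Image = 'java.exe';        CommandLine = 'java.exe -jar C:\Users\u\AppData\Local\Temp\update.jar' }
    [pscustomobject]@{ Time = [datetime]'2024-11-05 15:30'; Host = 'WKS-02'; Image = 'QuickAssist.exe'; CommandLine = 'QuickAssist.exe' }
    [pscustomobject]@{ Time = [datetime]'2024-11-05 15:31'; Host = 'WKS-02'; Image = 'notepad.exe';     CommandLine = 'notepad.exe' }
)

# Only WKS-01 is reported.
Find-RemoteAssistShellChains -Events $SampleEvents | Format-Table -AutoSize
```

Requiring both a shell and a payload inside the window keeps a legitimate help-desk session that opens a command prompt from firing on its own; widen `$ShellImages` or the payload patterns as your own incidents dictate, and pair this with the email-bomb and external-tenant Teams call signals the article describes if your mail and Teams logs expose them.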
Sophos states that “unless absolutely necessary, organizations should ensure that their Office 365 service provisions restrict Teams calls from outside organizations or restrict that capability to trusted business partners,” and that remote access applications should likewise be restricted by policy.
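The default the report refers to is Teams external access (federation), which lets any other Microsoft 365 tenant start chats and calls with your users. The following is an added example, not code from the article or from Sophos, showing how a Teams administrator would inspect that setting and apply either of the two options Sophos names, plus an endpoint-level step for Quick Assist. It assumes the `MicrosoftTeams` PowerShell module and a Teams administrator role; the partner domain names are placeholders.

```powershell
# Added example (not from the article or the Sophos report).
# Requires: Install-Module MicrosoftTeams; Connect-MicrosoftTeams with a Teams admin account.

# 1. Inspect the tenant's current external access settings. Out of the box,
#    AllowFederatedUsers is $true with no allow list, which is the configuration
#    the fake "help desk" tenants took advantage of.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowedDomains, BlockedDomains

# 2a. Strictest option: no external tenants and no personal (consumer) Teams accounts
#     can reach internal users at all.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false -AllowTeamsConsumer $false

# 2b. Allow-list option: keep external access, but only for named business partners
#     (for example an outsourced IT provider). Domains below are placeholders.
$partnerDomains = @('it-provider.example', 'auditor.example')
$patterns  = foreach ($d in $partnerDomains) { New-CsEdgeDomainPattern -Domain $d }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                    -AllowedDomains $allowList `
                                    -AllowTeamsConsumer $false

# 3. Remote access tooling. Quick Assist ships as a Store app; removing it from
#    endpoints is one immediate measure. Run on each Windows endpoint as an
#    administrator. Enforcing this centrally (Intune app policy or AppLocker packaged
#    app rules) is the policy route Sophos alludes to and is configured separately.
Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' | Remove-AppxPackage -AllUsers
```

Option 2b is the one most organizations with an outsourced help desk will choose, since it keeps that provider reachable while closing the door to arbitrary tenants; after applying it, confirm with `Get-CsTenantFederationConfiguration` that `AllowedDomains` lists only the intended partners.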
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.