Cybercriminals Exploiting Microsoft's Quick Assist Feature in Ransomware Attacks

The Microsoft Threat Intelligence team has reported observing a threat dubbed Storm-1811, which is exploiting the client management tool Quick Assist to launch social engineering attacks on users.

In a report released on May 15, 2024, the company stated, "Storm-1811 is a financially motivated cybercriminal group known for deploying the Black Basta ransomware."

The attack strategy involves impersonation through voice phishing to deceive unsuspecting victims into installing remote monitoring and management (RMM) tools. This is followed by the distribution of QakBot, Cobalt Strike, and ultimately, the Black Basta ransomware.

"Threat actors exploit Quick Assist features to execute social engineering attacks, posing, for instance, as a trusted contact such as Microsoft technical support or an IT professional from the target user's company to gain initial access to a target device," the tech giant explained.

Quick Assist is a legitimate application from Microsoft designed to allow users to share their Windows or macOS device with another person via a remote connection, primarily for troubleshooting technical issues. It comes pre-installed on devices running Windows 11.

To enhance the credibility of their attacks, threat actors conduct link listing attacks, a form of email bombing attack wherein the targeted email addresses are signed up for various legitimate email subscription services, inundating their inboxes with subscribed content.

The adversary then poses as the company's IT support team through phone calls to the target user, offering assistance in resolving the spam issue and gaining access to their device through Quick Assist.

"After the user grants access and control, the threat actor executes a scripted cURL command to download a series of batch files or ZIP files used to deliver malicious payloads," Microsoft reported.

"Storm-1811 exploits this access to conduct further hands-on-keyboard activities such as domain enumeration and lateral movement. They then use PsExec to deploy the Black Basta ransomware across the network."

Microsoft has announced it is closely monitoring the misuse of Quick Assist in these attacks and is working on integrating warning messages into the software to alert users to potential tech support scams that could facilitate ransomware delivery.

The campaign, which is believed to have begun in mid-April 2024, has targeted various industries and sectors, including manufacturing, construction, food & beverage, and transportation, according to Rapid7, indicating the opportunistic nature of the attacks.

"The ease of conducting these attacks, combined with the significant impact they have on their victims, continues to make ransomware a highly effective means for threat actors seeking financial gain," said Robert Knapp, senior manager of incident response services at Rapid7, in a statement provided to The Hacker News.

Microsoft has also described Black Basta as a "closed ransomware offering" rather than a ransomware-as-a-service (RaaS) operation. It is distributed by a small number of threat actors who typically rely on other threat actors for initial access, malicious infrastructure, and malware development.

"Since its appearance in April 2022, Black Basta attackers have deployed the ransomware after gaining access through QakBot and other malware distributors, underscoring the importance for organizations to focus on attack stages prior to ransomware deployment to mitigate the threat."

Organizations are advised to block or uninstall Quick Assist and similar remote monitoring and management tools if not in use, and to educate employees to identify tech support scams.