Fake Microsoft Teams Updates Hide Cobalt Strike

Saturday, November 14th, 2020

Since the rise of the COVID-19 pandemic, many organizations have begun to use Microsoft Teams and other messaging platforms to coordinate their ‘work-at-home’ employees, and Microsoft has begun to warn its customers of the so-called ‘FakeUpdates’ campaign. The campaign is targeting a multitude of companies, with recent targets in the K-12 education sector. Microsoft warns that attackers are using ads for fake Microsoft Teams updates to deploy backdoors, which use Cobalt Strike to infect companies’ networks with malware. ‘Cobalt Strike’ is a commodity attack-simulation tool that is used by attackers to spread malware, with most using it to distribute ransomware. In more recent news, threat actors were seen using Cobalt Strike in attacks exploiting ‘Zerologon’, a privilege-escalation flaw that allows attackers to access a domain controller and completely compromise all Active Directory identity services.

In its advisory, Microsoft warns that it has seen attackers in the latest FakeUpdates campaign using search-engine ads to push top results for Teams software to a domain that they control and use for nefarious activity. If a victim clicks on the link, it downloads a payload that executes a PowerShell script, which is then used to load malicious content. Cobalt Strike beacons are among the payloads being distributed by the FakeUpdates campaign, which gives threat actors the capability to move laterally across a network. (A beacon is an infected machine communicating with the attacker, usually through a command and control (C&C) server, to signal that the infected computer is now available and listening for further commands or instructions.) The link also installs a valid copy of Microsoft Teams on the system in an effort to appear legitimate and avoid alerting victims to the attacks.

Malware being distributed by the campaign includes the Predator the Thief infostealer, which pilfers sensitive data such as credentials, browser and payment data, according to the advisory. Microsoft has also seen the Bladabindi (NJRat) backdoor and the ZLoader stealer being distributed by the latest campaigns, according to its report.

Microsoft has offered several mitigation techniques for the latest wave of FakeUpdates attacks. The company is recommending that people use web browsers that can filter and block malicious websites and ensure that local admin passwords are strong and can’t easily be guessed. Admin privileges should also be limited to essential users, and organizations should avoid domain-wide service accounts that have the same permissions as an administrator, according to the report. Organizations can also limit their attack surface to keep attackers at bay by blocking executable files that do not meet specific criteria or blocking JavaScript and VBScript code from downloading executable content, Microsoft advised.
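The script below is an added example, not taken from Microsoft's advisory or this article: it reports whether the two executable-blocking mitigations are active on a Windows host and lists who holds local admin rights. It assumes those mitigations correspond to the two Microsoft Defender attack surface reduction (ASR) rules named in the comments, and that it runs from an elevated PowerShell session on a machine using Defender.

```powershell
# Added example. Assumption: the article's last two mitigations map to these
# Microsoft Defender ASR rules (GUIDs as published in Microsoft's ASR reference).
param(
    [ValidateSet('Report', 'Audit', 'Block')]
    [string]$Mode = 'Report'    # Report changes nothing; Audit logs only; Block enforces
)

$rules = [ordered]@{
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless they meet a prevalence, age, or trusted list criterion'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
}
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Current state: Defender stores rule IDs and actions as two parallel arrays.
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)

foreach ($id in $rules.Keys) {
    $idx = -1
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $id) { $idx = $i; break }   # stored IDs may differ in case
    }
    $current = if ($idx -ge 0) { $actionNames[[int]$actions[$idx]] } else { 'Not configured' }
    [pscustomobject]@{ Rule = $rules[$id]; Id = $id; State = $current }

    if ($Mode -ne 'Report' -and $current -ne $Mode) {
        # Add-MpPreference adds or updates this rule and leaves other ASR rules untouched.
        $action = if ($Mode -eq 'Block') { 'Enabled' } else { 'AuditMode' }
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions $action
    }
}

# Local admin rights should be limited to essential users: list current holders.
# S-1-5-32-544 is the well-known SID of the built-in Administrators group,
# which avoids depending on the localized group name.
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object Name, ObjectClass, PrincipalSource
```

Running the rules in Audit mode first shows which legitimate executables would be blocked before enforcement is switched on; the prevalence rule also depends on Defender's cloud-delivered protection being enabled.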

