Fake Microsoft Teams Updates Hide Cobalt Strike
Since the rise of the COVID-19 pandemic, many organizations have begun to utilize Microsoft Teams and other messaging platforms to coordinate their ‘work-at-home’ employees and Microsoft has begun to warn its customers of the so-called ‘FakeUpdates’ campaign. The campaign is targeting a multitude of companies, with recent targets being in the K-12 education sector. Microsoft warns that attackers are using ads for fake Microsoft Teams updates to deploy backdoors, which use Cobalt Strike to infect companies’ networks with malware. ‘Cobalt Strike’ is a commodity attack-simulation tool that is used by attackers to spread malware, with most using it to distribute ransomware. In more recent news, threat actors were seen using Cobalt Strike in attacks exploiting ‘Zerologon’, a privilege-escalation flaw that allows attackers to access a domain controller and completely compromise all Active Directory identity services.
In its advisory, Microsoft warns that it has seen attackers in the latest FakeUpdates campaign using search-engine ads to push top search results for Teams software to a domain that they control and use for nefarious activity. If a victim clicks on the link, it downloads a payload that executes a PowerShell script, which is then used to load malicious content. Cobalt Strike beacons are among the payloads being distributed by the FakeUpdates campaign; a beacon is the point at which an infected machine communicates with the attacker, usually through a command and control (C&C) server, signaling that the infected computer is now available and listening for further commands or instructions. This gives threat actors the capability to move laterally across a network. The link also installs a valid copy of Microsoft Teams on the system in an effort to appear legitimate and avoid alerting victims to the attacks.
Malware being distributed by the campaign includes the Predator the Thief infostealer, which pilfers sensitive data such as credentials, browser data and payment data, according to the advisory. Microsoft has also seen the Bladabindi (NJRat) backdoor and the ZLoader stealer being distributed by the latest campaigns, according to its report.