A cybercrime gang has been utilizing Microsoft’s Quick Assist application in social engineering attacks, leading to the infection of victims with Black Basta ransomware. This ongoing campaign, which began in mid-April, has been attributed to a financially motivated group known as Storm-1811, as reported by Microsoft.
Quick Assist, a software tool integrated into Windows 11, allows users to share their computer with a remote user for assistance or control. However, scammers have been exploiting this feature by posing as tech support and tricking individuals into granting them full access to their devices.
In response to these attacks, Microsoft is investigating the misuse of Quick Assist and working on enhancing transparency and trust between users. The company also plans to incorporate warning messages in Quick Assist to alert users about potential tech support scams, according to a recent alert from Microsoft.
To mitigate the risk of such social engineering attacks, organizations are advised to disable or uninstall Quick Assist and other remote management tools if they are not actively using them. Microsoft has provided a list of indicators of compromise and threat-hunting queries that customers can use to detect malicious activity on their networks.
The modus operandi of Storm-1811 involves impersonating IT support through voice phishing to convince users to grant access to their computers via Quick Assist. This is often initiated through spam emails or direct contact offering assistance with purported technical issues. Once access is granted, the attacker provides a security code that allows them to gain full control of the targeted device.
Once in control, Storm-1811 deploys malicious payloads and remote monitoring and management (RMM) software, including tools like Qakbot, ScreenConnect, NetSupport Manager, and Cobalt Strike. This persistent access enables the attackers to move laterally within the victim’s network and distribute Black Basta ransomware using PsExec.
Microsoft has not disclosed the exact number of customers affected by these attacks but has urged vigilance and recommended proactive measures to prevent falling victim to such cybercrime schemes. By raising awareness and implementing security protocols, organizations can better protect themselves from social engineering attacks leveraging tools like Quick Assist.