A financially motivated threat actor, known as Storm-1811, has been using a clever technical support scam to infect Windows users with Black Basta malware since as early as mid-April 2024. The attack begins with Storm-1811 signing up the target’s email address to various email subscription services that promptly begin bombarding the target’s inbox.
Storm-1811 then calls the target, pretending to be a member of Microsoft or the target company’s technical support, and offers to help fix the recent spam issues they’ve been experiencing.
During the call, Storm-1811 fools the target into providing access to the Windows device by opening Quick Assist, a remote screen-sharing tool native to Windows. After gaining access via Quick Assist, Storm-1811 downloads multiple batch and/or ZIP files to deliver malicious payloads such as Qakbot and Cobalt Strike, as well as additional remote monitoring and management tools such as ScreenConnect and NetSupport Manager.
Once these tools are installed, Storm-1811 harvests the victim’s credentials, conducts domain enumeration, moves laterally through the network, and ultimately installs Black Basta ransomware.
Identify, measure, and reduce your risk with a personalized attack surface report.
Our automated attack surface reports detect end-of-life software and operating systems, exposed devices and services, third-party risks & more.
Try it free
Microsoft is advising network defenders to block or uninstall Quick Assist and other unnecessary remote monitoring and management tools and train employees to recognize technical support scams.
Source: Bleeping Computer
Analysis
While the campaign may not be technically sophisticated, it does demonstrate that Storm-1811 has the high level of confidence and language skills required to socially engineer targets into installing malicious tools on their devices via unsolicited telephone calls. It also shows that network defenders still have their work cut out when training users to recognize cyber threats, regardless of their form.
Black Basta was recently in the news as the potential variant of ransomware behind an attack that disrupted the operations of a U.S.-based healthcare provider. While Black Basta has not claimed credit for the attack publicly, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a #StopRansomware profile on Black Basta that indicated the group had encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health sector.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for threats from advanced cyber actors such as Storm-1811. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these groups pose.
Field Effect MDR users are automatically notified when malicious activities associated with these groups are detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect MDR Portal.
To mitigate the risks of social engineering, organizations should train employees to watch for and understand the tricks attackers use, spot and avoid potential phishing links and other scams, and flag requests for personal information or credentials.
Related Articles