- Trend Micro says hackers are using Microsoft Teams to approach their victims
- Through social engineering they obtain credentials and access to remote desktop tools
- That access is then used to drop more advanced payloads
Hackers are using advanced social engineering tactics to get malicious .DLL files onto victims' computers, which in turn allow them to drop malware.
A new report from Trend Micro's cybersecurity researchers says the attack begins in Microsoft Teams, where the crooks impersonate trusted contacts (such as IT support) to approach victims and persuade them to hand over a set of credentials. Using Quick Assist or similar remote desktop tools, they then gain access to the devices, where they sideload malicious .DLL files via OneDriveStandaloneUpdater.exe, a legitimate OneDrive update tool.
These .DLL files then allow them to drop BackConnect, a type of remote access tool (RAT) that establishes a reverse connection from the infected device out to an attacker-controlled server, bypassing inbound firewall restrictions. This lets the attackers maintain persistent access, execute commands and exfiltrate data while evading traditional security controls.
Commercial cloud solutions
BackConnect is apparently hosted and distributed using commercial cloud storage services.
Trend Micro says the attacks began in October 2024 and focused mainly on North America, where it observed 21 breaches: 17 in the United States, five in Canada and the United Kingdom, and 18 in Europe. The researchers did not say whether the attacks had succeeded or which industries were targeted most.
Since most of the tools used in this campaign are legitimate (Teams, OneDriveStandaloneUpdater.exe, Quick Assist), traditional antivirus or anti-malware protection alone will not be enough. Instead, companies should train their employees to recognize social engineering attacks and report them promptly. Companies should also enforce multi-factor authentication (MFA) and restrict access to remote desktop tools.
Finally, they should audit their cloud storage configurations to prevent unauthorized access, and monitor network traffic for suspicious connections, in particular those to known C2 servers.
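The two detection points the campaign leaves behind are the sideloading step (a signed OneDriveStandaloneUpdater.exe loading a DLL it should never load) and the reverse-connection step (that same process then calling out to a C2 server). The script below is an added example, not code from Trend Micro or from the original article: it hunts for both patterns over Sysmon-style ImageLoad (Event ID 7) and NetworkConnect (Event ID 3) records. The trusted OneDrive directories, the sample events, the DLL names and the C2 addresses (TEST-NET ranges) are all constructed for this example and are assumptions to tune for your own estate.

```python
import fnmatch
import ntpath

# Directories a genuine OneDriveStandaloneUpdater.exe is expected to load DLLs
# from. Assumption for this example: a standard per-user or per-machine
# OneDrive install plus the Windows system directories; adjust to your estate.
TRUSTED_DLL_DIRS = (
    r"C:\Users\*\AppData\Local\Microsoft\OneDrive",
    r"C:\Program Files\Microsoft OneDrive",
    r"C:\Program Files (x86)\Microsoft OneDrive",
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
)

# Constructed C2 indicators (TEST-NET-3 addresses, not real infrastructure).
KNOWN_C2 = {"203.0.113.5", "203.0.113.9"}

# Constructed Sysmon-style records: one legitimate updater process ({LEGIT-1})
# and one copy of the updater run from a user-writable folder ({SUSP-2}).
# "sideloaded.dll" and "example_helper.dll" are placeholder names.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessGuid": "{LEGIT-1}",
     "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\24.1\example_helper.dll",
     "Signed": "true"},
    {"EventID": 7, "ProcessGuid": "{LEGIT-1}",
     "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "ProcessGuid": "{SUSP-2}",
     "Image": r"C:\Users\alice\Downloads\OneDriveUpdate\OneDriveStandaloneUpdater.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\OneDriveUpdate\sideloaded.dll",
     "Signed": "false"},
    {"EventID": 3, "ProcessGuid": "{LEGIT-1}", "Initiated": "true",
     "DestinationIp": "198.51.100.20", "DestinationPort": 443},
    {"EventID": 3, "ProcessGuid": "{SUSP-2}", "Initiated": "true",
     "DestinationIp": "203.0.113.5", "DestinationPort": 443},
    {"EventID": 3, "ProcessGuid": "{SUSP-2}", "Initiated": "true",
     "DestinationIp": "198.51.100.77", "DestinationPort": 8443},
]


def in_trusted_dir(dll_path: str) -> bool:
    """True if the DLL sits under an expected directory. normpath collapses
    '..' first, so 'OneDrive\\..\\..\\Downloads\\x.dll' is not trusted."""
    p = ntpath.normpath(dll_path).lower()
    return any(fnmatch.fnmatchcase(p, d.lower() + "\\*") for d in TRUSTED_DLL_DIRS)


def find_sideloads(events):
    """Flag Event ID 7 records where OneDriveStandaloneUpdater.exe loads a DLL
    that is unsigned or lives outside the directories it should load from."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        if ntpath.basename(ev["Image"]).lower() != "onedrivestandaloneupdater.exe":
            continue
        reasons = []
        if not in_trusted_dir(ev["ImageLoaded"]):
            reasons.append("dll_outside_trusted_dir")
        if ev.get("Signed", "false").lower() != "true":
            reasons.append("dll_unsigned")
        if reasons:
            hits.append({"ProcessGuid": ev["ProcessGuid"],
                         "ImageLoaded": ev["ImageLoaded"], "reasons": reasons})
    return hits


def correlate_network(events, sideloads, known_c2=KNOWN_C2):
    """Flag outbound Event ID 3 records that come from a process which already
    sideloaded a DLL (the reverse-connection step) or that hit a known C2."""
    flagged = {h["ProcessGuid"] for h in sideloads}
    findings = []
    for ev in events:
        if ev.get("EventID") != 3 or ev.get("Initiated", "true").lower() != "true":
            continue
        reasons = []
        if ev["ProcessGuid"] in flagged:
            reasons.append("outbound_from_sideloaded_process")
        if ev["DestinationIp"] in known_c2:
            reasons.append("known_c2_destination")
        if reasons:
            findings.append({"ProcessGuid": ev["ProcessGuid"],
                             "Destination": f'{ev["DestinationIp"]}:{ev["DestinationPort"]}',
                             "reasons": reasons})
    return findings


def hunt(events, known_c2=KNOWN_C2):
    """Run both stages and return the combined findings."""
    sideloads = find_sideloads(events)
    return {"sideloads": sideloads,
            "network": correlate_network(events, sideloads, known_c2)}


if __name__ == "__main__":
    for stage, items in hunt(SAMPLE_EVENTS).items():
        for item in items:
            print(stage, item)
```

On the sample data the legitimate updater produces no findings, while the copy run from Downloads is flagged at load time (unsigned DLL outside the trusted directories) and again for both of its outbound connections, one of which also matches the C2 list. Keying the trusted directories on the DLL's path rather than on the updater's own path is deliberate: the binary is genuine and signed wherever it is copied, so its location alone is a weak signal, whereas a DLL it loads from a user-writable folder is not something the real updater does.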
Via Infosecurity Magazine