Threat actors are using Microsoft Teams to impersonate IT support and deliver EtherRAT malware to corporate networks. This strategy combines phishing emails and remote access tools to compromise systems and gain control.
Threat actors are exploiting Microsoft Teams voice calls to impersonate IT support personnel, tricking employees into installing the EtherRAT malware. The campaign reportedly employs a combination of phishing emails, which include lures such as 'Employee Survey', and voice calls from external accounts posing as corporate IT staff.
The attack begins with a phishing email featuring a malicious PDF attachment. When the victim opens the document, they receive a follow-up Teams call labeled as 'External unfamiliar', indicating the caller is from a different Microsoft 365 tenant.
The attacker then convinces the victim to enable remote control through Teams' screen-sharing capabilities, guiding them to install legitimate remote-access tools like HopToDesk and AnyDesk. Once remote access is established, the attacker downloads and executes a malicious MSI installer, which serves as a malware loader for EtherRAT.
EtherRAT is a Node.js-based remote access trojan that gives attackers control over infected systems, allowing them to execute commands, manipulate files, and steal data. Its design incorporates Ethereum smart contracts to manage its command-and-control operations, complicating efforts to mitigate its impact.
Unit 42 researchers noted an open directory containing multiple EtherRAT associated installers, indicating ongoing development of this malware campaign. The presence of such resources showcases the threat actors' persistent evolution in tactics, utilizing Teams as a vector for corporate infiltration.
β¨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β check the original sources. How BrevFeed works β
Threat actors are using Microsoft Teams to impersonate IT support and deliver EtherRAT malware to corporate networks. This strategy combines phishing emails and remote access tools to compromise systems and gain control.