← All stories
● Covered by 1 source Β· 1 reportHigh impact

EtherRAT malware spreads via fake IT support calls on Microsoft Teams

Aggregated by BrevFeed security Β· updated 2h ago
πŸ”– Save

Threat actors are using Microsoft Teams to impersonate IT support and deliver EtherRAT malware to corporate networks. This strategy combines phishing emails and remote access tools to compromise systems and gain control.

Key points

Overview of the Attack Methodology

Threat actors are exploiting Microsoft Teams voice calls to impersonate IT support personnel, tricking employees into installing the EtherRAT malware. The campaign reportedly employs a combination of phishing emails, which include lures such as 'Employee Survey', and voice calls from external accounts posing as corporate IT staff.

Utilization of Phishing Techniques

The attack begins with a phishing email featuring a malicious PDF attachment. When the victim opens the document, they receive a follow-up Teams call labeled as 'External unfamiliar', indicating the caller is from a different Microsoft 365 tenant.

Remote Access and Malware Deployment

The attacker then convinces the victim to enable remote control through Teams' screen-sharing capabilities, guiding them to install legitimate remote-access tools like HopToDesk and AnyDesk. Once remote access is established, the attacker downloads and executes a malicious MSI installer, which serves as a malware loader for EtherRAT.

About EtherRAT

EtherRAT is a Node.js-based remote access trojan that gives attackers control over infected systems, allowing them to execute commands, manipulate files, and steal data. Its design incorporates Ethereum smart contracts to manage its command-and-control operations, complicating efforts to mitigate its impact.

Continued Development of the Malware Campaign

Unit 42 researchers noted an open directory containing multiple EtherRAT associated installers, indicating ongoing development of this malware campaign. The presence of such resources showcases the threat actors' persistent evolution in tactics, utilizing Teams as a vector for corporate infiltration.

✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β€” check the original sources. How BrevFeed works β†’

Primary sources

GitHub PaloAltoNetworks/Unit42-timely-threat-intel

Reporting from

Threat actors are using Microsoft Teams to impersonate IT support and deliver EtherRAT malware to corporate networks. This strategy combines phishing emails and remote access tools to compromise systems and gain control.