Cybercriminals Exploit Remote Access Technologies in New Tech Support Scam
Cybersecurity experts at Trend Micro have raised alarms about a sophisticated scam in which cybercriminals impersonate tech support agents to gain illicit access to victims’ computers. This threat extends beyond traditional spam emails; attackers are utilizing a barrage of emails and direct outreach via Microsoft Teams to deceive individuals into granting them access. Once infiltration occurs, the attackers deploy ransomware from notorious groups such as Black Basta and Cactus.
The scam unfolds when targets experience a surge of unsolicited emails. Shortly thereafter, they receive communication from an individual claiming to represent their IT department, either through Microsoft Teams or a phone call. This purported “technical support” person persuades the victim to allow remote access to their machine by leveraging Microsoft’s Quick Assist tool, which is a legitimate program designed for remote troubleshooting.
After securing access, the attackers initiate the download of files that initially appear innocuous but are later repurposed to install a backdoor known as BackConnect. Concealed within OneDrive, this backdoor enables the crime syndicate to exercise extensive control over the compromised system.
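The chain described above (a burst of unsolicited mail, an outside contact, then a remote-assistance session on the same account) can be correlated from ordinary telemetry. The following is an added defender-side example, not code from the article or from Trend Micro; the event names ("mail_in", "teams_external_chat", "remote_assist_start"), thresholds and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:  # slide the left edge forward
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_suspect_sessions(events, surge_threshold=30,
                          surge_window=timedelta(minutes=30),
                          lookahead=timedelta(hours=4)):
    """Flag remote-assistance sessions preceded by a mail surge for the same user.

    events: iterable of (iso_timestamp, user, event_type). Event type names are
    hypothetical labels for mail-gateway, Teams and endpoint telemetry.
    """
    by_user = defaultdict(lambda: defaultdict(list))
    for ts, user, kind in events:
        by_user[user][kind].append(datetime.fromisoformat(ts))
    hits = []
    for user, kinds in by_user.items():
        for start in kinds.get("remote_assist_start", []):
            recent_mail = [t for t in kinds.get("mail_in", [])
                           if start - lookahead <= t <= start]
            peak = max_in_window(recent_mail, surge_window)
            contacted = any(start - lookahead <= t <= start
                            for t in kinds.get("teams_external_chat", []))
            if peak >= surge_threshold:  # mail bomb shortly before the session
                hits.append({"user": user, "session": start.isoformat(),
                             "peak_mail": peak, "external_teams_contact": contacted})
    return hits


# Constructed sample telemetry: alice gets 40 mails in 20 minutes, an external
# Teams chat, then a remote-assist session; bob has a normal mail volume and a
# routine help-desk session, which must not be flagged.
BASE = datetime(2025, 1, 10, 9, 0)
EVENTS = (
    [((BASE + timedelta(seconds=30 * i)).isoformat(), "alice", "mail_in") for i in range(40)]
    + [((BASE + timedelta(minutes=35)).isoformat(), "alice", "teams_external_chat"),
       ((BASE + timedelta(minutes=50)).isoformat(), "alice", "remote_assist_start")]
    + [((BASE + timedelta(hours=i)).isoformat(), "bob", "mail_in") for i in range(5)]
    + [((BASE + timedelta(hours=2)).isoformat(), "bob", "remote_assist_start")]
)

if __name__ == "__main__":
    for hit in find_suspect_sessions(EVENTS):
        print(hit)
```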
Previously, the Black Basta group garnered attention in December 2024 for employing similar tactics, specifically targeting Microsoft Teams users through an aggressive email bombardment. Their operations at that time involved deploying Zbot and DarkGate malware. However, Trend Micro’s recent analysis indicates that the current incidents are closely tied to BackConnect malware and the Black Basta ransomware operation, which reportedly extorted over $100 million from victims in 2023. There are indications that some members may have transitioned to the Cactus ransomware group, as recent methodologies employed by Cactus bear a striking resemblance.
Since October 2024, these attacks have intensified, primarily affecting organizations across North America, with the United States bearing the brunt. The manufacturing sector has emerged as a prominent target, with finance, investment consulting, and real estate sectors also frequently victimized by Black Basta.
Some incidents have revealed that post-infiltration, attackers have adopted advanced techniques to propagate through networks, specifically aiming at specialized systems like ESXi hosts that run virtual machines. They utilize tools such as WinSCP for file transfers and have been observed preparing to encrypt files before being thwarted. Leaked communications from within Black Basta illustrate the group’s recognition of security tools—such as those by Trend Micro—as significant obstacles, further emphasizing their intent to bypass such defenses.
What significantly enhances the effectiveness of these attacks is not merely the technical complexity of the tools employed, but the psychological manipulation of the victims. By marrying social engineering tactics with the legitimate use of software and cloud services, these criminals disguise their malicious intentions as normal operational activities. This highlights a critical aspect of cybersecurity: awareness and understanding of deception techniques are as vital as having robust technological defenses.
For Microsoft Teams users, it is advisable to remain vigilant when a sudden flood of email arrives. Ask your system administrator to block the malicious emails and to run regular device scans. Any unsolicited communication from unknown individuals claiming to provide technical assistance should be promptly reported to your cybersecurity team. Remember, if support is offered without your having asked for it, the real origin of the problem may indeed lie with the ‘helper.’
In this evolving landscape of cyber threats, ongoing vigilance and proactive response strategies are indispensable for any organization seeking to safeguard its digital assets.