Hackers Exploit Microsoft Teams and Quick Assist for Ransomware Attacks

Cybersecurity experts have raised alarms over a surge in ransomware attacks exploiting Microsoft Teams and Quick Assist to infiltrate corporate networks, with cybercriminals amassing over $107 million in Bitcoin ransoms since October 2024.

Investigations by Trend Micro’s Managed XDR and Incident Response teams uncovered that the Black Basta and Cactus ransomware groups are using a shared BackConnect malware variant (QBACKCONNECT) to gain persistent access to targeted systems. The attack strategy combines social engineering, legitimate tool abuse, and cloud infrastructure exploitation to bypass security defenses.

How the Attacks Work

The attack begins with a flood of emails to overwhelm victims’ inboxes, followed by cybercriminals impersonating IT support staff via Microsoft Teams using spoofed accounts like admin_52351@brautomacao565[.]onmicrosoft[.]com. Victims are tricked into granting remote access through Microsoft’s Quick Assist, giving hackers full control of their devices.

Once inside the system, attackers download malicious .bpx files from compromised cloud storage, which are extracted to deploy dangerous DLLs and executables in OneDrive directories. The ransomware operators further exploit OneDriveStandaloneUpdater.exe, a legitimate Microsoft binary, to sideload a malicious winhttp.dll file, which activates the BackConnect malware and establishes persistent command-and-control (C2) access.

Trend Micro’s analysis links the C2 infrastructure to Black Basta, with IP addresses such as 38.180.25[.]3 recorded in registry keys.

Cactus Ransomware Targets VMware ESXi Servers

The Cactus ransomware group, reportedly made up of former Black Basta members, uses similar tactics but escalates attacks by targeting VMware ESXi hypervisors. Their malware variant socks.out (a SystemBC derivative) disables ESXi security settings, allowing ransomware binaries to execute freely.

Firewall logs from recent attacks also indicate suspicious file transfers via WinSCP to the domain pumpkinrab[.]com, with its IP address 208.115.200[.]146 registered just days before the breach.

Mitigation Strategies

To combat these evolving threats, Trend Micro recommends:

  • Restricting Quick Assist: Disable unauthorized remote access tools and enforce multi-factor authentication (MFA) for IT support requests.
  • Monitoring Microsoft Teams Activity: Apply Microsoft’s security best practices and scrutinize Teams messages as rigorously as email.
  • Blocking Malicious IPs: Blacklist command-and-control (C2) addresses such as 45.8.157[.]199 and 5.181.3[.]164.
  • Detecting DLL Sideloading: Use Trend Vision One queries (e.g., eventSubId: 603 AND (request:filters.s3.us-east-)) to track suspicious file activities.
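The sideloading step described above (OneDriveStandaloneUpdater.exe loading a winhttp.dll planted in a OneDrive directory) can be caught from image-load telemetry without any vendor query. The following is an added example, not code from Trend Micro or the article; the events, paths and field names are constructed for illustration, and the check is written generally, flagging any process that loads a known system DLL from outside the Windows system directories.

```python
# Constructed image-load events (process, loaded DLL path). The second event
# models the chain described in the article: the legitimate OneDrive updater
# resolving winhttp.dll from its own directory instead of System32.
SAMPLE_EVENTS = [
    {"process": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe",
     "image": "C:\\Windows\\System32\\winhttp.dll"},
    {"process": "C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe",
     "image": "C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\winhttp.dll"},
    {"process": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\winhttp.dll"},
]

# DLL names Windows normally serves from the system directories. A copy of one
# of these loaded from anywhere else is the classic sideloading signal.
SYSTEM_DLLS = {"winhttp.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_sideload(event):
    """True when a system DLL was loaded from a non-system location."""
    image = event["image"].lower()
    name = image.rsplit("\\", 1)[-1]
    if name not in SYSTEM_DLLS:
        return False
    return not image.startswith(SYSTEM_DIRS)


def find_sideloads(events):
    """Return alert records for every suspicious load in the event stream."""
    alerts = []
    for event in events:
        if is_sideload(event):
            alerts.append({
                "process": event["process"].rsplit("\\", 1)[-1],
                "dll": event["image"],
                "reason": "system DLL loaded from non-system path",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_sideloads(SAMPLE_EVENTS):
        print(alert)
```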

With Black Basta’s future uncertain following recent data leaks and Cactus ransomware gaining traction, security experts stress the need for Zero Trust policies and behavior-driven cybersecurity training to defend against social engineering and “living-off-the-land” attack techniques.
