Black Basta ransomware poses as IT support for Microsoft teams to breach networks

Ransomware operation BlackBasta has moved its social engineering attacks to Microsoft Teams, posing as corporate help desks contacting employees to help them with an ongoing spam attack.

Black Basta is a ransomware operation active from April 2022 and responsible for hundreds of attacks against corporations worldwide.

After the Conti cybercrime syndicate shut down in June 2022 following a series of embarrassing data breaches, the operation split into several groups, with one of these factions believed to be Black Basta.

Black Basta members enter networks through various methods, including exploiting vulnerabilities, partnerships with malware botnets, and social engineering.

In May, Rapid7 and ReliaQuest published advisories on a new Black Basta social engineering campaign that flooded the inboxes of targeted employees with thousands of emails. These emails were not malicious in nature, mainly consisting of newsletters, sign-up confirmations and email verifications, but they quickly overwhelmed a user’s inbox.

The threat actors would then call the overwhelmed employee, posing as their company’s IT help desk offering to help them with the spam problem.

During this voice social engineering attack, attackers trick the person into installing the AnyDesk remote assistance tool or providing remote access to their Windows devices by launching the Windows Quick Assist remote control and screen sharing tool.

From there, the attackers would run a script that installs various payloads, such as ScreenConnect, NetSupport Manager and Cobalt Strike, which provide continuous remote access to the user’s corporate device.

Once the Black Basta affiliate has gained access to the corporate network, it spreads laterally to other devices, elevates privileges, steals data, and ultimately deploys the ransomware.

Switch to Microsoft Teams

In a new report by ReliaQuest, researchers noted that Black Basta affiliates evolved their tactics in October and are now using Microsoft Teams.

As in the previous attack, the threat actors first flood an employee’s inbox with emails.

However, instead of calling them, the attackers now contact employees through Microsoft Teams as external users, impersonating the company’s IT help desk and offering to help the employee with their spam problem.

The accounts are created in Entra ID tenants whose names are chosen to look like a help desk, such as:

securityadminhelper.onmicrosoft(.)com
supportserviceadmin.onmicrosoft(.)com
supportadministrator.onmicrosoft(.)com
cybersecurityadmin.onmicrosoft(.)com

“These external users set their profiles to a ‘DisplayName’ designed to make the targeted user believe they are communicating with a help desk account,” explains the new ReliaQuest report.

“In almost every case we observed, the display name included the string ‘Help Desk’, often surrounded by whitespace characters, which is likely to center the name in the chat. I also noticed that the targeted users were usually added to a ‘OneOnOne’ chat.”

ReliaQuest says they’ve also seen threat actors sending QR codes in chats that lead to domains like qr-s1(.)com. However, they could not determine what these QR codes are used for.

Researchers say the Microsoft Teams external users originate from Russia, with their time zone data consistently set to Moscow.

The goal is to again trick the target into installing AnyDesk or launching Quick Assist so that threat actors can gain remote access to their devices.

Once logged in, threat actors were seen installing payloads called “AntispamAccount.exe”, “AntispamUpdate.exe” and “AntispamConnectUS.exe”.

Other researchers have flagged AntispamConnectUS.exe on VirusTotal as SystemBC, a malicious proxy that Black Basta has used in the past.

Finally, Cobalt Strike is installed, providing full access to the compromised device, which then serves as a springboard to push further into the network.

ReliaQuest suggests that organizations restrict communication from external users in Microsoft Teams and, if necessary, allow it only from trusted domains. Logging should also be enabled, specifically for the ChatCreated event, to find suspicious chats.
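The indicators quoted from the ReliaQuest report (an external user with a ‘Help Desk’ style display name padded with whitespace, a look-alike onmicrosoft.com tenant, a OneOnOne chat) and the advice to log ChatCreated events can be turned into a simple triage rule. The following Python is an added example, not code from ReliaQuest or from the article; the audit records it processes are constructed, and their field names (Operation, ChatThreadId, CommunicationType, Members with DisplayName and UPN) are an assumption modelled loosely on Microsoft 365 Unified Audit Log Teams entries, so they must be mapped to whatever your export actually produces. The internal domain contoso.example is a placeholder.

```python
import re
import unicodedata

# Placeholder for your own tenant's domains; anything else counts as external.
INTERNAL_DOMAINS = {"contoso.example"}

# Display-name strings the report says impersonators used, plus close variants.
HELPDESK_RE = re.compile(r"help\s*desk|support|security\s*admin", re.IGNORECASE)
# Words seen in the look-alike tenant names listed in the article.
TENANT_RE = re.compile(r"admin|support|security|help", re.IGNORECASE)

# Constructed sample ChatCreated-style events (schema is an assumption).
# Thread a: impersonation pattern from the report. Thread b: benign internal chat.
# Thread c: external vendor with "Support" in the name but none of the other signals.
SAMPLE_EVENTS = [
    {
        "Operation": "ChatCreated",
        "ChatThreadId": "19:thread-a",
        "CommunicationType": "OneOnOne",
        "Members": [
            {"DisplayName": "\u2003\u2003\u2003Help Desk\u2003\u2003\u2003",
             "UPN": "admin@securityadminhelper.onmicrosoft.com"},
            {"DisplayName": "Alice Example", "UPN": "alice@contoso.example"},
        ],
    },
    {
        "Operation": "ChatCreated",
        "ChatThreadId": "19:thread-b",
        "CommunicationType": "OneOnOne",
        "Members": [
            {"DisplayName": "Bob Example", "UPN": "bob@contoso.example"},
            {"DisplayName": "Alice Example", "UPN": "alice@contoso.example"},
        ],
    },
    {
        "Operation": "ChatCreated",
        "ChatThreadId": "19:thread-c",
        "CommunicationType": "Group",
        "Members": [
            {"DisplayName": "Vendor Support", "UPN": "sam@vendor.example"},
            {"DisplayName": "Alice Example", "UPN": "alice@contoso.example"},
        ],
    },
]


def normalize_name(name: str) -> str:
    """Replace every Unicode space separator (Zs: NBSP, em space, ...) and
    invisible format character (Cf: zero-width space, ...) with a plain space,
    collapse runs and trim, so padding used to centre a name in the chat
    header cannot defeat a keyword match."""
    cleaned = "".join(
        " " if ch.isspace() or unicodedata.category(ch) in ("Zs", "Cf") else ch
        for ch in name
    )
    return re.sub(r"\s+", " ", cleaned).strip()


def is_padded(name: str) -> bool:
    """True when the raw display name differs from its normalized form, i.e.
    it carries leading/trailing or invisible padding characters."""
    return normalize_name(name) != name


def member_domain(upn: str) -> str:
    """Lower-cased domain part of a UPN, or '' if it has no '@'."""
    return upn.rsplit("@", 1)[-1].lower() if "@" in upn else ""


def assess_chat(event: dict, internal_domains: set) -> list:
    """Return the reasons this ChatCreated event resembles the help-desk
    impersonation pattern; an empty list means nothing notable."""
    reasons = []
    if event.get("Operation") != "ChatCreated":
        return reasons
    external = [m for m in event.get("Members", [])
                if member_domain(m.get("UPN", "")) not in internal_domains]
    for m in external:
        raw = m.get("DisplayName", "")
        name = normalize_name(raw)
        dom = member_domain(m.get("UPN", ""))
        if HELPDESK_RE.search(name):
            reasons.append(f"external user '{name}' ({dom}) uses a help-desk style name")
        if is_padded(raw):
            reasons.append(f"display name padded with whitespace/invisible characters ({dom})")
        if dom.endswith(".onmicrosoft.com") and TENANT_RE.search(dom.split(".")[0]):
            reasons.append(f"look-alike onmicrosoft.com tenant name: {dom}")
    # A one-on-one chat only matters once another signal is present.
    if reasons and event.get("CommunicationType") == "OneOnOne":
        reasons.append("one-on-one chat initiated with an external party")
    return reasons


def triage(events: list, internal_domains: set = INTERNAL_DOMAINS) -> dict:
    """Map ChatThreadId -> reasons for every event with at least one reason."""
    flagged = {}
    for event in events:
        reasons = assess_chat(event, internal_domains)
        if reasons:
            flagged[event["ChatThreadId"]] = reasons
    return flagged


if __name__ == "__main__":
    for thread, reasons in triage(SAMPLE_EVENTS).items():
        print(thread, f"({len(reasons)} signals)")
        for r in reasons:
            print("  -", r)
```

Thread a collects four signals and thread c only one, which is the point of counting reasons rather than alerting on a single keyword: a vendor account with "Support" in its name is common, while a padded help-desk name from an onmicrosoft.com tenant opening a one-on-one chat is not. Restricting external access to an allow-list of trusted domains, as the article recommends, removes most of these events before they need triage at all.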