Cyber Threat Alert: Black Basta Ransomware Exploits Microsoft Teams to Target Businesses
2024-10-25
Author: Wei Ling
In a striking turn in the world of cybercrime, the notorious Black Basta ransomware gang has transitioned its social engineering tactics to Microsoft Teams, targeting employees by masquerading as corporate IT support to infiltrate networks.
Black Basta has been a menacing force in the ransomware landscape since its emergence in April 2022 and is responsible for numerous attacks on corporations worldwide. The group is thought to have splintered from the infamous Conti cybercrime syndicate, which fell apart in June 2022 following a series of high-profile data breaches.
Operating under the radar, Black Basta uses various methods to breach networks, including exploiting vulnerabilities, teaming up with malware botnets, and employing social engineering tactics. In May of this year, cybersecurity firms Rapid7 and ReliaQuest issued warnings regarding a new social engineering campaign by Black Basta. This campaign overwhelmed targeted employees with thousands of seemingly benign emails, often containing newsletters or sign-up confirmations, which flooded their inboxes to the point of chaos.
Once the targeted employee was inundated with emails, the attackers would typically make a phone call, posing as their company’s IT support to assist with the “spam problem.” During these calls, the attackers manipulated employees into installing remote access tools such as AnyDesk or using Windows’ Quick Assist to provide remote access to their devices. Once inside, the attackers executed scripts to deploy various malware payloads like ScreenConnect, NetSupport Manager, and Cobalt Strike, thereby cementing their foothold in the corporate network.
The New Microsoft Teams Strategy
A recent report by ReliaQuest has revealed an alarming evolution in Black Basta's tactics, with the group now operating through Microsoft Teams as of October. This strategy mirrors previous attacks but adds a layer of sophistication; instead of phone calls, the attackers communicate through Microsoft Teams, posing as external IT support.
To execute this tactic, the threat actors create fake accounts under Entra ID tenants that appear to be legitimate IT help desk accounts, with names like:
- securityadminhelper.onmicrosoft.com
- supportserviceadmin.onmicrosoft.com
- cybersecurityadmin.onmicrosoft.com
These external users set their profile names to include variations of "Help Desk," often manipulated with whitespace to appear more credible in chats. ReliaQuest noted that targeted users are frequently added to private One-On-One chats, thereby increasing the chances of engagement.
Furthermore, researchers have reported that hackers are sending QR codes via these chats, leading to suspicious domains such as qr-s1.com. The exact purpose of these QR codes remains undetermined but points to a potentially new method of exploitation.
Importantly, the external Teams users are believed to originate from Russia, with time zone data typically aligning with Moscow. Their primary goal is to lure targets into installing AnyDesk or launching Quick Assist, granting them remote access to the target's device.
Payloads seen being delivered during these sessions include suspicious files bearing names like "AntispamAccount.exe," "AntispamUpdate.exe," and "AntispamConnectUS.exe." Notably, AntispamConnectUS.exe has been identified on VirusTotal as SystemBC, a proxy malware that Black Basta has utilized in the past.
Once the attackers install Cobalt Strike, they gain extensive control over compromised devices, enabling further infiltration into the corporate network.
To combat these threats, ReliaQuest advises organizations to restrict interactions from external users in Microsoft Teams, permitting communication only from trusted domains. Additionally, firms should implement robust logging measures, particularly for events like ChatCreated, to help uncover any suspicious activities promptly.
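The two ReliaQuest recommendations above (allow only trusted external domains, and log ChatCreated events) can be turned into a simple triage check over Teams audit records. The following Python is an added example written for this page, not code from ReliaQuest or Microsoft. The sample records, the allowlists, and the field names (Operation, ChatThreadType, Members, UPN, DisplayName) are constructed for the example in a simplified schema and are assumptions; adapt the accessors to whatever your audit export actually contains. It flags the indicators the article describes: external members from default onmicrosoft.com tenant domains outside the allowlist, display names that collapse to "help desk" once padding whitespace is removed, and one-on-one chats opened with such members.

```python
# Triage Microsoft Teams ChatCreated audit events for the fake help-desk lure.

# Constructed allowlists for this example: the tenant's own domains, and the
# external domains the organisation has chosen to federate with.
INTERNAL_DOMAINS = {"corp.example"}
TRUSTED_EXTERNAL_DOMAINS = {"partner.example"}

# Constructed sample events in an assumed, simplified schema. Field names are
# not the real Microsoft 365 audit export format.
SAMPLE_AUDIT_RECORDS = [
    {"Operation": "ChatCreated", "ChatThreadType": "OneOnOne",
     "Members": [{"UPN": "alice@corp.example", "DisplayName": "Alice Lee"},
                 {"UPN": "bob@corp.example", "DisplayName": "Bob Tan"}]},
    {"Operation": "ChatCreated", "ChatThreadType": "OneOnOne",
     "Members": [{"UPN": "alice@corp.example", "DisplayName": "Alice Lee"},
                 {"UPN": "it@securityadminhelper.onmicrosoft.com",
                  "DisplayName": "Help  Desk "}]},   # padded to look credible
    {"Operation": "ChatCreated", "ChatThreadType": "Group",
     "Members": [{"UPN": "alice@corp.example", "DisplayName": "Alice Lee"},
                 {"UPN": "vendor@partner.example", "DisplayName": "Vendor Support"}]},
    {"Operation": "MessageSent", "ChatThreadType": "OneOnOne", "Members": []},
]


def normalise_display_name(name):
    """Collapse all whitespace runs and lower-case, so 'Help  Desk ' == 'help desk'."""
    return " ".join(name.split()).lower()


def domain_of(upn):
    """Return the lower-cased domain part of a user principal name."""
    return upn.rsplit("@", 1)[-1].lower()


def analyse_chat_created(record):
    """Return a list of finding strings for one audit record; empty means benign."""
    findings = []
    if record.get("Operation") != "ChatCreated":
        return findings  # only chat creation is in scope here
    for member in record.get("Members", []):
        upn = member.get("UPN", "")
        domain = domain_of(upn)
        if domain in INTERNAL_DOMAINS:
            continue  # internal participants are not what we are looking for
        untrusted = domain not in TRUSTED_EXTERNAL_DOMAINS
        if untrusted:
            findings.append(f"external member from untrusted domain: {domain}")
        if domain.endswith(".onmicrosoft.com"):
            # Default tenant domains are what the lure accounts in the report used.
            findings.append(f"default tenant domain used by external member: {domain}")
        raw_name = member.get("DisplayName", "")
        if "helpdesk" in normalise_display_name(raw_name).replace(" ", ""):
            findings.append(f"external member posing as help desk: {raw_name!r}")
        if raw_name != " ".join(raw_name.split()):
            findings.append(f"whitespace-padded display name: {raw_name!r}")
        if untrusted and record.get("ChatThreadType") == "OneOnOne":
            findings.append(f"one-on-one chat opened with untrusted external member: {upn}")
    return findings


def triage(records):
    """Run the checks over a batch; return {record_index: findings} for flagged records only."""
    flagged = {}
    for index, record in enumerate(records):
        findings = analyse_chat_created(record)
        if findings:
            flagged[index] = findings
    return flagged


if __name__ == "__main__":
    for index, findings in triage(SAMPLE_AUDIT_RECORDS).items():
        print(f"record {index}:")
        for finding in findings:
            print(f"  - {finding}")
```

On the constructed sample, only the second record is flagged, with all five findings; the federated partner in a group chat and the purely internal chat produce nothing. In production the allowlist check is the one that should be enforced at the tenant (the federation restriction ReliaQuest recommends), and this kind of log triage is the compensating detection for whatever still gets through.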
As cybercriminals continue to adapt their strategies, organizations must remain vigilant and proactive in their cybersecurity measures to protect their sensitive data against emerging threats like Black Basta.