Windows Quick Assist Anchors Black Basta Ransomware Gambit

Following a recently documented Black Basta ransomware vishing campaign, Microsoft Threat Intelligence acknowledged May 15 that a financially motivated threat actor tracked as Storm-1811 since mid-April has been following the playbook.

The threat group is using a socially engineered campaign to trick victims into letting them use Quick Assist for remote access to their machines by posing as trusted contacts, such as Microsoft technical support or an IT professional from the targeted user's company. Quick Assist is a Windows app that enables a person to share their Windows or macOS device with someone else over a remote connection.

Vishing campaigns in which a threat actor has been abusing a Windows remote-access app to deliver Black Basta ransomware demonstrates the risk inherent in such solutions when they are paired with sophisticated social engineering. This threat demands a similarly savvy response from enterprise security teams, who must bolster vigilance and advise employees across organizations to do the same, experts say.

Abusing Legitimate Windows Tools

Once they establish trust and gained remote access, Storm-1811 then uses this channel to deliver various malware remotely to victim machines, culminating in the delivery of Black Basta ransomware for financial gain, according to a blog post by Microsoft Threat Intelligence. Victims also may receive a bomb of emails and then vishing calls from threat actors impersonating IT or help-desk personnel.

The attacks demonstrate how easy it is for threat actors to abuse legitimate remote-access tools to deceive and compromise users, especially if their social-engineering skills to get a victim to fall for a malicious ruse are solid, security experts said.

"Advanced social engineering attacks are what cybercriminals use when … they cannot breach [an organization] using simpler methods such as basic phishing emails or compromising weak credentials," notes Darren Guccione, CEO and co-founder of security firm Keeper Security, in an email to Dark Reading.

The growing sophistication that attackers have demonstrated with these tactics and their clever use of remote-access tools highlights the continued need for ongoing training and education of employees in how to spot such tricks as they evolve, he says.

"Because Quick Assist allows the user to share their device over a remote connection, the application carries the potential for damaging malicious activity," Guccione says.

Advanced Social Engineering

In the attack vector described by Microsoft Threat Intelligence, Storm-1811 either uses vishing to "impersonate IT or help desk personnel, pretending to conduct generic fixes on a device," or engages in email bombing to flood users' inboxes with content on services that they've subscribed to.

"Following the email flood, the threat actor impersonates IT support through phone calls to the target user, claiming to offer assistance in remediating the spam issue," according to Microsoft.

Indeed, this email bombing is a critical aspect of advanced social engineering, serving "to overwhelm and confuse the victim before the attacker reaches out by phone to manipulate them into accepting a malicious Quick Assist request," Stephen Kowski, field CTO at SlashNext, notes.

Once this connection is set up, attackers are free to operate at will on a victim's machine. In the case of the attacks described by both Rapid 7 and Microsoft, this activity ultimately ends with the deployment of Black Basta ransomware.

Flurry of Malware Used in Storm-1811 Campaign

Microsoft also observed Storm-1811 delivering a flurry of malware to victim machines in the leadup to the Black Basta payload, including remote monitoring and management (RMM) tools like ScreenConnect and NetSupport Manager, malware such as Qakbot, and Cobalt Strike.

Once access was gained via Quick Assist, the attacker ran a scripted curl command to download a series of batch files or ZIP files used to deliver the varied malicious payloads. Some of the batch scripts suggested the use of fake spam filter updates that required the targets to provide sign-in credentials, according to Microsoft.

Storm-1811 then used Qakbot to deliver a Cobalt Strike Beacon, and next established persistence and conducted lateral movement within the compromised environment via ScreenConnect.

NetSupport Manager, another remote access tool, likely was deployed to maintain control over compromised devices to further download and install additional malware, as well as launch arbitrary commands, according to Microsoft.

In some cases, Storm-1811 also leveraged the OpenSSH tunneling tool to establish a secure shell (SSH) tunnel for persistence. Eventually, the actor used PsExec to deploy Black Basta ransomware throughout the network.

Mitigating Quick Assist Attacks

Given how vulnerable an organization is once a corporate user gives attackers remote access to his or her machine willingly, one way to mitigate such attacks is to uninstall such tools as Quick Assist when they are not in use, both Microsoft and experts advised.

Organizations also can implement a privilege access management (PAM) solution with a zero-trust architecture, which "prevents unauthorized privilege escalation and ensures that user access roles are strongly enforced," Guccione says. 

"A major goal of zero trust is to limit users to the resources and information for which they are authorized, which reduces the blast radius in the event of a breach," he says.

Both Microsoft and experts also advised that organizations use advanced and consistent employee training to help them spot vishing and social engineering-based attacks, which can prevent compromise even though Guccione acknowledged that "anyone" can fall for them.

Still, "employees are better equipped to combat them when their organization provides regular security training and educates employees about malicious attachments, links, and tech support scams such as this," he says.

Event monitoring and advanced email solutions also can neutralize the email bombing tactic of such campaigns, "causing the subsequent phone call to stand out as suspicious and illegitimate immediately," Kowski says.

"Luckily, nowadays, GenAI phishing solutions are installed in five minutes without any changes in user experience or significant infrastructure changes," he says.