EncryptHub Teams Phishing Delivers PowerShell Loader

Threat actors are increasingly abusing Microsoft Teams to socially engineer targets into installing remote access tools (QuickAssist, AnyDesk) and executing a PowerShell-based multi-stage payload that performs credential theft, persistence, and encrypted C2 communication. Campaigns have delivered DarkGate and Matanbuchus loader variants, reused static AES parameters linked to EncryptHub/LARVA-208 (Water Gamayun), and hosted payloads at domains such as audiorealteak.com and cjhsbam.com. #DarkGate #Matanbuchus

Keypoints

  • Attackers impersonate IT support in Microsoft Teams (display names like “IT SUPPORT✅”, “Help Desk Specialist ✅”) to establish trust and request remote access.
  • Initial access is gained by persuading victims to install remote support tools (QuickAssist, AnyDesk) and granting control, enabling direct deployment of payloads.
  • Observed PowerShell command downloads a multi-stage script from https://audiorealteak.com/payload/build.ps1 which performs credential theft, persistence, and remote execution.
  • Malware includes persistence via Scheduled Task (“Google LLC Updater”) or fallback registry autorun, fetching runner.ps1 from https://cjhsbam.com/payload/runner.ps1.
  • Payload uses AES encryption with hardcoded IV and key (&9*zS7LY%ZN1thfI and 123456789012345678901234r0hollah) for C2 communications to https://audiorealtek[.]com and reuses constants linked to EncryptHub / LARVA-208 (Water Gamayun).
  • Technical features include single-instance mutex enforcement, process protection by marking PowerShell as critical (RtlSetProcessIsCritical), system profiling, credential prompt capture, and execution of attacker commands via decrypted C2 responses.
  • Related historical reporting ties similar campaigns to BlackBasta ransomware and later to DarkGate and Matanbuchus loader families, indicating varied monetization and actor reuse.

MITRE Techniques

  • [T1566] Phishing – Microsoft Teams used as a social engineering vector to impersonate IT support and trick users into installing remote access tools (“impersonate IT support…engage users through one-on-one chats…presented as legitimate support”).
  • [T1204] User Execution – Victims are guided to install and run remote access software (QuickAssist, AnyDesk) and execute PowerShell commands (“guide the victim toward installing remote access software…actor uses native features…to take control”).
  • [T1105] Ingress Tool Transfer – Payloads and follow-on scripts are downloaded from external URLs such as https://audiorealteak.com/payload/build.ps1 and https://cjhsbam.com/payload/runner.ps1 (“Invoke-RestMethod -Uri …”).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Attack delivers and runs multi-stage PowerShell scripts with Invoke-RestMethod and scriptblock execution for payload execution and tasking (“powershell.exe -ExecutionPolicy Bypass -WindowsStyle Hidden -Command …”).
  • [T1113] Screen Capture / [T1056] Input Capture (Credential Harvesting) – Malware invokes a native credential prompt to capture user credentials via PromptForCredential and saves them to info.txt (“$Host.UI.PromptForCredential(‘Need credentials’, …) … saved to an info.txt file”).
  • [T1547.001] Registry Run Keys / Startup Folder – Persistence via creating a registry autorun entry as a fallback if scheduled task creation fails (“Set-ItemProperty -Path HKCU:Software…Run …”).
  • [T1053.005] Scheduled Task – Persistence by registering a scheduled task named “Google LLC Updater” to run PowerShell on logon (“Register-ScheduledTask -TaskName ‘Google LLC Updater’ …”).
  • [T1027] Obfuscated Files or Information – Use of compiled C# injection and process flagging (RtlSetProcessIsCritical) to complicate analysis and remediation (“compiles and injects a C# class…call RtlSetProcessIsCritical”).
  • [T1041] Exfiltration Over C2 Channel – Collected system info and credentials are encrypted with AES and posted to the C2 at https://audiorealtek[.]com/ (“Data is encrypted with AES using a hardcoded key and IV, then sent to https://audiorealtek[.]com/”).

Indicators of Compromise

  • [URL] Malicious payload hosting – https://audiorealteak[.]com/payload/build.ps1, https://cjhsbam[.]com/payload/runner.ps1
  • [IPv4] Infrastructure – 104.21.40[.]219, 193.5.65[.]199
  • [Cryptographic Constants] Hardcoded AES parameters linked to actor – IV: &9*zS7LY%ZN1thfI, Key: 123456789012345678901234r0hollah
  • [Mutex] Single-instance mutex for script enforcement – 62088a7b-ae9f-2333-77a-6e9c921cb48e
  • [User Agents] Malicious activity UA string – Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/7.0.500.0 Safari/534.6
  • [Teams Display Names/User Principals] Impersonation patterns – Display names: “Help Desk Specialist ✅”, “IT SUPPORT✅”; User principal examples: @supportbotit.onmicrosoft.com, @firewalloverview.onmicrosoft.com
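The persistence mechanisms in the MITRE list (scheduled task, Run-key fallback, mutex, PowerShell tasking) and the string indicators above can be checked on a Windows endpoint with a single hunt script. The following is an added example, not code from the Permiso post or from the campaign; it assumes a PowerShell 5.1+ session with read access to HKCU and the task scheduler, that ScriptBlock logging (event ID 4104) is enabled, a 7-day lookback window, and that the mutex may be created with or without the Global\ prefix. Indicator strings are copied from the report with defanging brackets removed so they match raw log text; both domain spellings the report gives (audiorealteak.com and audiorealtek.com) are included as written.

```powershell
# Added hunt script for the EncryptHub/Teams loader artifacts (not from the report).
# Assumptions: Windows host, PowerShell 5.1+, ScriptBlock logging enabled,
# 7-day lookback, mutex name with or without the Global\ prefix.

$Indicators = @(
    'audiorealteak.com', 'audiorealtek.com', 'cjhsbam.com',
    '104.21.40.219', '193.5.65.199',
    '62088a7b-ae9f-2333-77a-6e9c921cb48e',   # single-instance mutex
    '123456789012345678901234r0hollah',      # hardcoded AES key
    '&9*zS7LY%ZN1thfI',                      # hardcoded AES IV
    'RtlSetProcessIsCritical', 'PromptForCredential',
    'Chrome/7.0.500.0 Safari/534.6'          # C2 user-agent fragment
)
$TaskName  = 'Google LLC Updater'
$RunKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$MutexName = '62088a7b-ae9f-2333-77a-6e9c921cb48e'
$Findings  = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Type, [string]$Name, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail })
}

function Test-Indicator([string]$Text) {
    # True when the text contains any report indicator or a hidden-window PowerShell launch
    # (the report shows "-WindowsStyle Hidden"; the regex also accepts -w / -WindowStyle)
    if ($Text -match '(?i)powershell.*-w(indows?style)?\s+hidden') { return $true }
    foreach ($i in $Indicators) {
        if ($Text.IndexOf($i, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

# 1. Scheduled-task persistence (T1053.005): the task name used in the campaign
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
    Add-Finding 'ScheduledTask' $task.TaskName $actions
}

# 2. Registry Run-key fallback (T1547.001): flag any value that launches hidden
#    PowerShell or references an indicator, since the value name is not published
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath/PSProvider metadata
        $v = [string]$p.Value
        if (Test-Indicator $v) { Add-Finding 'RunKey' $p.Name $v }
    }
}

# 3. Live mutex: OpenExisting succeeds only while a running process holds it
foreach ($n in @($MutexName, "Global\$MutexName")) {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($n)
        Add-Finding 'Mutex' $n 'mutex currently held: loader likely running'
        $m.Dispose()
    } catch { }   # WaitHandleCannotBeOpenedException means not present; access errors are also swallowed
}

# 4. ScriptBlock logging (4104): download, tasking and credential-prompt stages
$filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddDays(-7) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $text = [string]$_.Properties[2].Value                  # ScriptBlockText field of a 4104 event
    if (Test-Indicator $text) {
        $snippet = $text.Substring(0, [Math]::Min(160, $text.Length)) -replace '\s+', ' '
        Add-Finding 'ScriptBlock' $_.TimeCreated.ToString('s') $snippet
    }
}

if ($Findings.Count -eq 0) { Write-Output 'No EncryptHub/Teams-loader artifacts found.' }
else { $Findings | Format-Table -AutoSize -Wrap }
```

Run it from an elevated session on a host suspected of having had a Teams "IT support" chat followed by a QuickAssist or AnyDesk session. The Run-key check deliberately matches on behaviour (hidden PowerShell launch) as well as on the published strings, because the task name and value name are trivially changed between campaigns while the need to hide the interpreter window is not; conversely, the hardcoded AES key and IV are the constants the report ties to EncryptHub/LARVA-208, so a hit on those in a script block is a much stronger signal than a domain match alone.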

Read more: https://permiso.io/blog/sliding-into-your-dms-abusing-microsoft-teams-for-malware-delivery?hs_preview=VYVYybGX-195188659586