ReliaQuest investigated an attack on customers in the finance and professional/scientific services sectors that began with phishing over Microsoft Teams and progressed to a previously unseen PowerShell backdoor that persisted through TypeLib COM hijacking. The tradecraft overlaps with Storm-1811 (the Black Basta-linked group), but the new persistence method suggests the group is either evolving or fragmenting. Affected: finance sector, professional and scientific services sector
Key points :
- ReliaQuest investigated a new Microsoft Teams phishing campaign using a lure previously associated with Black Basta operations.
- The attack used TypeLib COM hijacking for persistence and deployed a novel PowerShell backdoor.
- Phishing was carefully timed and aimed specifically at high-level executives, with target selection that appears to have relied on gender stereotypes.
- Legitimate tools such as Quick Assist were abused to gain remote access to the victim's machine before persistence was established.
- The new backdoor had minimal detection coverage on VirusTotal, which ReliaQuest attributes to its obfuscation.
- Recommendations include disabling external communication in Microsoft Teams and logging Teams chat events to support detection.
MITRE Techniques :
- Initial Access: Phishing (T1566) – Phishing via Microsoft Teams targeting executive employees.
- Persistence: Event Triggered Execution: Component Object Model Hijacking (T1546.015) – TypeLib hijacking: Windows Registry TypeLib entries were modified so that a legitimate COM object's type library resolves to attacker-controlled code. (The original summary cited T1218.011, which is Rundll32 under System Binary Proxy Execution; COM hijacking is T1546.015.)
- Execution: PowerShell (T1059.001) – The new backdoor used obfuscated PowerShell scripts for execution and command-and-control functionality.
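The TypeLib hijack described above works because per-user registrations under HKCU\Software\Classes\TypeLib shadow the machine-wide ones when COM resolves a type library, so an attacker who can only write to the user hive can still redirect a legitimate TypeLib to a script: moniker or a file they control. The hunting script below is an added example written for this page, not code from the ReliaQuest report; it assumes the standard TypeLib key layout (TypeLib\{GUID}\<version>\<LCID>\win32 or win64, default value = path), and the suspicion heuristics (script: moniker, user-writable path, missing target file, shadowing of an HKLM entry) are the editor's own, not indicators published in the report.

```powershell
# Added example (editor's code, not from the ReliaQuest report).
# Hunts loaded user hives for TypeLib redirections that look like hijacks.
# Assumptions: standard TypeLib key layout; heuristics below are our own.

function Find-TypeLibHijack {
    [CmdletBinding()]
    param(
        # Scan every loaded user hive under HKEY_USERS (reading other users' hives needs admin).
        [switch]$AllUsers
    )

    # HKU is not mapped as a PSDrive by default.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    $roots = if ($AllUsers) {
        Get-ChildItem HKU:\ |
            Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
            ForEach-Object { "HKU:\$($_.PSChildName)\Software\Classes\TypeLib" }
    } else {
        @('HKCU:\Software\Classes\TypeLib')
    }

    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }

        # Layout: TypeLib\{GUID}\<version>\<LCID>\win32|win64 ; the default value is the path COM loads.
        Get-ChildItem $root -Recurse |
            Where-Object { $_.PSChildName -in 'win32', 'win64' } |
            ForEach-Object {
                $key = $_
                $val = [string]$key.GetValue('')
                if ([string]::IsNullOrWhiteSpace($val)) { return }

                $reasons = @()
                $isScriptMoniker = $val -match '^\s*script:'
                if ($isScriptMoniker) {
                    # A script: moniker makes COM execute a scriptlet instead of loading a type library.
                    $reasons += 'script: moniker'
                }
                if ($val -match '\\(AppData|Users\\Public|Temp|ProgramData)\\') {
                    $reasons += 'user-writable path'
                }

                # Strip the moniker prefix, quotes, env vars and a trailing resource index (e.g. "\1") before testing the file.
                $path = ($val -replace '^\s*script:', '').Trim('"') -replace '\\\d+$', ''
                $path = [Environment]::ExpandEnvironmentVariables($path)
                if (-not $isScriptMoniker -and -not (Test-Path -LiteralPath $path)) {
                    $reasons += 'target file missing'
                }

                if ($reasons.Count -eq 0) { return }

                # Supporting context: a per-user entry for a GUID that also exists under HKLM
                # overrides the machine-wide (usually legitimate) registration.
                $guid = $key.Name.Split('\')[-4]
                if (Test-Path "HKLM:\Software\Classes\TypeLib\$guid") {
                    $reasons += 'shadows a machine-wide TypeLib'
                }

                [pscustomobject]@{
                    Key     = $key.Name
                    Value   = $val
                    Reasons = ($reasons -join '; ')
                }
            }
    }
}

# Usage: run in the context of the user whose hive you want to inspect, or with -AllUsers as admin.
Find-TypeLibHijack | Format-Table -AutoSize -Wrap
```

Treat each hit as a lead rather than a verdict: per-user installers legitimately register TypeLibs under HKCU, so the combination that matters is a script: moniker or user-writable path together with a GUID that shadows an HKLM entry. Pair the results with the Teams chat-event logging the report recommends to tie a suspicious registration back to the phishing contact.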
Indicators of Compromise :
- [IP Address] 181.174.164.180
- [IP Address] 130.195.221.98
- [IP Address] 98.158.100.22
- [Email / Teams sender account] techsupport[at]sma5smg.sch[.]id
- [Malware Hash (SHA-1)] f74fac3e5f7ebb092668dc16a9542799ccacc554
Full Story: https://reliaquest.com/blog/threat-spotlight-hijacked-and-hidden-new-backdoor-and-persistence-technique/