Fake IT Support Calls on Teams Deliver EtherRAT Malware
Threat actors are exploiting Microsoft Teams voice calls to distribute the EtherRAT malware by impersonating corporate IT support personnel. This tactic aims to gain initial access to sensitive corporate networks. The attackers initiate voice calls through Microsoft Teams, posing as legitimate IT help desk representatives. They then guide unsuspecting employees into downloading and executing malicious files, which ultimately install the EtherRAT remote access trojan.
Once installed, EtherRAT provides attackers with comprehensive control over the compromised system. This includes the ability to remotely access files, execute commands, and monitor user activity. The malware's capabilities allow for deep infiltration into an organization's infrastructure, potentially leading to further data exfiltration or the deployment of additional malicious payloads. The use of Teams for these attacks bypasses traditional email-based phishing defenses, presenting a novel threat vector.
This method leverages social engineering tactics within a trusted communication platform. By mimicking internal IT support, the attackers exploit the inherent trust employees place in their IT departments. The process typically involves the "IT support" representative instructing the user to download a file, often disguised as a diagnostic tool or software update, which is in fact the EtherRAT installer. The attack chain is designed to be seamless, making it difficult for the victim to discern the malicious intent.
The EtherRAT malware itself is a sophisticated piece of spyware and remote access trojan. Its deployment via Microsoft Teams voice calls highlights the evolving nature of cyber threats and the need for robust security measures that extend beyond email filtering. Organizations are advised to reinforce employee training on recognizing social engineering attempts, particularly those originating from within seemingly trusted communication channels like Microsoft Teams.
Original source — read the full reporting at the publisher:
Read on BleepingComputer