Skip links

Crims abusing Microsoft Quick Assist to deploy Black Basta ransomware

A cybercrime gang has been abusing Microsoft’s Quick Assist application in social engineering attacks that ultimately allow the crew to infect victims with Black Basta ransomware.

This, according to Redmond, which said the campaign has been ongoing since mid-April, and blamed a financially motivated group it tracks as Storm-1811 for the intrusions.

Microsoft did not immediately respond to The Register‘s questions about the attack, including how many customers have been hit. We will update this story when we receive a response.

Quick Assist is a software tool installed by default in Windows 11 that allows someone to share their PC or macOS device with a remote user, typically in corporate IT, who can then control the computer remotely. This also makes it easier for scammers, posing as tech support, to trick people into giving them full access to the targeted device. 

“Microsoft is investigating the use of Quick Assist in these attacks and is working on improving the transparency and trust between helpers and sharers, and incorporating warning messages in Quick Assist to alert users about possible tech support scams,” the Windows giant said in a Wednesday alert.

Additionally, organizations can block or uninstall Quick Assist and other remote management tools if they aren’t using them, which will help reduce their risk of these types of social engineering attacks, Microsoft advised. 

Plus, there’s a whole list of indicators of compromise, and threat-hunting queries that Microsoft customers can use to look for malicious activity on their networks, such as suspicious curl behavior or possible malicious use of proxy or tunneling tool.

The break-ins begin with Storm-1811 impersonating IT support through voice phishing, and convincing the user to give them access to the computer through Quick Assist. In some cases users are bombarded with spam emails and then contacted asking if they want help fixing the problem.

Access is granted via a key command, and a security code provided by the attacker. After the target enters the security code, they can then share their screen with the attacker, who can select “Request Control.” If the target approves this request, the fraudster now has full control of the device.

After this pwnage Storm-1811 gets to work delivering malicious payloads and remote monitoring and management (RMM) software, we’re told.

“In several cases, Microsoft Threat Intelligence identified such activity leading to the download of Qakbot, RMM tools like ScreenConnect and NetSupport Manager, and Cobalt Strike,” the threat intel team noted.

This persistent access to the compromised device allows the attackers to move laterally through the victim’s environment. “Storm-1811 then uses PsExec to deploy Black Basta ransomware throughout the network,” according to Microsoft. ®