
Cybercriminals Using Microsoft’s Quick Assist Feature to Carry Out Ransomware Attacks

The Microsoft Threat Intelligence team has identified a threat actor it tracks as Storm-1811 that is abusing the client management tool Quick Assist in social engineering attacks.

According to a report released on May 15, 2024, by Microsoft, Storm-1811 is a cybercriminal group that deploys Black Basta ransomware for financial gain.

The attackers use voice phishing to deceive users into installing remote monitoring and management tools, ultimately delivering QakBot, Cobalt Strike, and Black Basta ransomware.

Microsoft warned that threat actors are pretending to be trusted contacts like Microsoft technical support to gain access to target devices and execute the attacks.

Quick Assist is a legitimate application from Microsoft that allows users to share their devices for troubleshooting purposes over a remote connection.

In these attacks, threat actors also engage in link listing attacks and impersonate IT support teams to gain access to devices through Quick Assist.

The attackers leverage this access to deploy malicious payloads and ransomware throughout the network.

Microsoft is investigating the misuse of Quick Assist and plans to incorporate warning messages to alert users of potential tech support scams that could lead to ransomware attacks.

The attacks, which began in mid-April 2024, have targeted various industries, highlighting the opportunistic nature of the threat.

Black Basta is described as a “closed ransomware offering” that is distributed by a small network of threat actors for ransomware and extortion attacks.

Organizations are advised to block or uninstall Quick Assist and similar tools if not in use and educate employees on recognizing tech support scams.
