Cybercriminals are using fake advertisements for Microsoft Teams updates to deliver backdoors that in turn install the Cobalt Strike post-exploitation tool, giving the attackers a foothold from which to spread malware across corporate networks.
The campaign, which Microsoft warned its customers about in a non-public security advisory seen by Bleeping Computer, targets organizations in various industries. Recent targets include the K-12 education sector, where schools rely heavily on apps such as Microsoft Teams for videoconferencing because of the COVID-19 pandemic.
According to the advisory, the attackers spread the malicious Microsoft Teams ads by poisoning search engine results and through malicious online advertisements (malvertising).
In at least one attack Microsoft detected, the attackers bought a search engine ad so that the top search results for Teams software pointed to an attacker-controlled domain.
The fake ads prompt users to install a Microsoft Teams update by clicking a link. The link actually downloads a payload that runs a PowerShell script to fetch further malicious content. The payload also installs a legitimate copy of Microsoft Teams on the system, so the user ends up with a working Teams client and has no reason to suspect anything; a functioning Teams installation is therefore no evidence that the download was clean.
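The check a user or help desk can make before running a "Teams update" that arrived through a search result is whether the installer actually carries a valid Microsoft Authenticode signature and where it was downloaded from. The following PowerShell is an added example, not code from the article or from Microsoft; the expected signer subject, the host allowlist and the download path are assumptions for illustration and should be compared against a known-good Teams installer in your environment.

```powershell
# Added example (not from the original article): vet a downloaded "Teams update"
# before executing it. Expected signer subject, allowed download hosts and the
# file path below are assumptions; verify them against a known-good installer.
function Test-TeamsInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed expected publisher subject on Microsoft-signed installers.
        [string] $ExpectedSubject = 'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $result = [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError ...
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        Sha256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Trusted    = $false
    }
    # Accept only a chain-valid signature whose subject is the expected publisher.
    # An unsigned or self-signed "update" fails here even if it later installs real Teams.
    $result.Trusted = ($sig.Status -eq 'Valid') -and ($result.Signer -eq $ExpectedSubject)
    return $result
}

# The download origin matters as much as the signature: a genuine Teams installer
# comes from a Microsoft-controlled host, not from a domain reached via a search ad.
function Test-DownloadSource {
    param([Parameter(Mandatory)] [uri] $Url)
    $allowedHosts = @('teams.microsoft.com', 'statics.teams.cdn.office.net')   # assumed allowlist
    return $allowedHosts -contains $Url.Host.ToLowerInvariant()
}

# Usage: inspect the file and, where present, the Zone.Identifier stream that
# Windows attaches to browser downloads (its HostUrl line records the origin).
$file = "$env:USERPROFILE\Downloads\Teams_windows_x64.exe"   # assumed path
$check = Test-TeamsInstaller -Path $file
$check | Format-List
$zone = Get-Content -LiteralPath $file -Stream Zone.Identifier -ErrorAction SilentlyContinue
$hostUrl = ($zone | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', ''
if ($hostUrl) {
    if (Test-DownloadSource -Url $hostUrl) { Write-Host "Downloaded from expected host: $hostUrl" }
    else { Write-Warning "Downloaded from unexpected host: $hostUrl" }
}
if (-not $check.Trusted) {
    Write-Warning "Do not run $file : signature status $($check.Status), signer '$($check.Signer)'"
}
```

Matching on the certificate subject is a convenience; a stricter deployment pins the signer thumbprint (or the SHA256 of a vetted installer) instead, since subject strings can be imitated by look-alike certificates. The SHA256 in the output is what you would hand to your SOC or submit to a sandbox if the check fails.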
According to Microsoft, the malware distributed by the campaign includes Predator the Thief, an information stealer that takes credentials, browser data and payment data; the Bladabindi (NJRat) backdoor; and the ZLoader stealer, as well as Cobalt Strike beacons that let the attackers move laterally through the target network. In some instances file-encrypting malware (ransomware) was delivered to the compromised computers.
To block the latest wave of these FakeUpdates attacks, Microsoft advises that organizations use web browsers that can filter and block malicious websites, use strong, random passwords for local administrator accounts (unique per machine, so that one compromised host does not hand the attacker every other host), limit admin privileges to the users who genuinely need them, block executable files that do not meet specific criteria such as prevalence, age or a trusted list, and block JavaScript and VBScript from launching downloaded executable content.
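Most of those mitigations map onto settings that ship with Windows and Microsoft Defender. The script below is an added example of applying them with built-in cmdlets; it is not Microsoft's advisory text or any code from the article. The two attack surface reduction rule GUIDs are Microsoft's published IDs for the rules named in the advisory; the `$AuditOnly` switch, the approved-admin list and the Edge registry policy path are assumptions for illustration, and LAPS (not a per-host script) is the appropriate way to randomize local admin passwords across a fleet.

```powershell
# Added example, not from Microsoft's advisory or the article: apply the
# advisory's mitigations with built-in Windows/Defender cmdlets. Run elevated on a
# Windows 10/11 host running Microsoft Defender Antivirus. $AuditOnly, the
# approved-admin list and the Edge policy path are assumptions for illustration.
param([switch] $AuditOnly)

# 1. The two attack surface reduction rules the advisory calls for (Microsoft's rule GUIDs).
$asrRules = @{
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Block executable files unless they meet a prevalence, age, or trusted list criterion'
}
$mode = if ($AuditOnly) { 'AuditMode' } else { 'Enabled' }   # audit first, then enforce
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $mode
    Write-Host "$mode : $($asrRules[$id])"
}

# 2. Browser-side filtering of malicious sites: Defender Network Protection blocks
#    known-bad domains system-wide, and the Edge policy keeps SmartScreen enabled.
Set-MpPreference -EnableNetworkProtection $mode
$edgePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
New-Item -Path $edgePolicy -Force | Out-Null
Set-ItemProperty -Path $edgePolicy -Name SmartScreenEnabled -Value 1 -Type DWord

# 3. Strong, random local Administrator password. LAPS is the right tool for a fleet;
#    this per-host fallback draws from the OS CSPRNG with rejection sampling so that
#    the modulo step does not bias the character distribution.
function New-RandomPassword([int] $Length = 24) {
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $n = $alphabet.Length
    $limit = 256 - (256 % $n)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $out = New-Object System.Text.StringBuilder
    while ($out.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$out.Append($alphabet[$buf[0] % $n]) }
    }
    return $out.ToString()
}
$plain  = New-RandomPassword
$secure = ConvertTo-SecureString $plain -AsPlainText -Force
Set-LocalUser -Name 'Administrator' -Password $secure
# Store $plain in the password vault here; never write it to a log or transcript.

# 4. Least privilege: report local admins outside the approved set so they can be removed.
$approvedAdmins = @("$env:COMPUTERNAME\Administrator", 'CORP\Domain Admins')   # assumed
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $approvedAdmins -notcontains $_.Name } |
    ForEach-Object { Write-Warning "Unexpected local admin: $($_.Name) ($($_.PrincipalSource))" }

# 5. Verify the configuration, then look for ASR hits in the Defender operational log
#    (event 1121 = blocked, 1122 = audited) to confirm the rules see real traffic.
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions, EnableNetworkProtection
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

Run it once with `-AuditOnly` and review the 1122 events for a few days before switching to enforcement, because the prevalence/age rule in particular can block legitimate but rarely seen line-of-business executables.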
It is worth noting that as part of its November 2020 Patch Tuesday release Microsoft fixed a critical remote code execution vulnerability (CVE-2020-17091) in Microsoft Teams which, if exploited, could lead to a complete compromise of the target system. The campaign described here does not rely on that flaw, however: it relies on users running the fake update themselves, so patching Teams is necessary but does not by itself address it.