Cybercriminals have begun using malicious fake ads for Microsoft Teams updates to deploy backdoors that use the Cobalt Strike attack-simulation tool to infect corporate networks with malware and ransomware.
So far these attacks have targeted organizations across a variety of industries but recent campaigns have focused on the education sector which relies on Microsoft Teams and other video conferencing software for distance learning.
As reported by BleepingComputer, Microsoft has released a non-public security advisory warning its customers about these so called “FakeUpdates” campaigns which were first seen delivering the DoppelPaymer ransomware last year.
Now though, these campaigns have evolved by using signed binaries and various second-stage payloads including the WastedLocker ransomware. The attackers responsible have also started exploiting the ZeroLogon vulnerability in the Netlogon protocol.
In order to plant their fake ads successfully, the cybercriminals used malicious online advertisements and also abused search engine results. According to Microsoft, in one attack those responsible purchased a search engine ad that caused the top results for Teams to point to a domain under their control.
Clicking on a link on this page downloaded a payload which executed a PowerShell script to retrieve even more malicious content but doing so also installed a legitimate copy of Microsoft Teams on a user’s system to prevent them from suspecting foul play.
In its non-public security advisory, Microsoft also said that the initial payload in many cases was the Predator the Thief infostealer which is used to steal and send sensitive information such as credentials and browser and payment data back to the attackers. The malware was also used to download Cobalt Strike beacons that allow an attacker to discover how they could move laterally across an organization’s network.
Microsoft Teams isn’t the only software being used as a lure by these FakeUpdates campaigns as Microsoft observed similar attacks leveraging at least six other software products to deliver malware.
To prevent falling victim to a FakeUpdate attack, the software giant recommends that organizations use web browsers capable of filtering and blocking malicious websites and ensure their local administrators are using strong passwords. Additionally, limiting admin privileges to essential users can prevent attackers from easily moving laterally across a network.