New Vishing Attack Leverages Microsoft Teams and QuickAssist for Malware Deployment
A sophisticated new vishing campaign is leveraging Microsoft Teams calls and the native Windows remote support tool QuickAssist to deploy stealthy .NET malware, bypassing traditional security perimeters. This evolving threat, identified by SpiderLabs security analysts, relies on social engineering and the abuse of trusted system utilities to achieve its malicious objectives.
The attack chain begins with threat actors impersonating senior IT staff via an external Microsoft Teams call, using spoofed display names to appear as legitimate internal administrators. This tactic creates a sense of urgency that disarms victims, prompting them to launch Microsoft QuickAssist at the attacker’s direction. Because QuickAssist is a built-in Windows utility, this bypasses many security controls that typically flag third-party remote access software.
Following the initial compromise, the attackers redirect the unsuspecting victim to a malicious domain, identified as ciscocyber[.]com, after a delay of approximately ten minutes. This deliberate pause is likely intended to reduce suspicion before the final stage of the infection is initiated. During this phase, a file disguised as a legitimate system updater is introduced to the compromised system.
The impact of this campaign is significant due to its heavy reliance on social engineering rather than exploiting software vulnerabilities. The attackers employ a .NET malware wrapper, enabling them to execute code directly in the system’s memory. This “fileless” approach of deploying malware minimizes the forensic footprint on the endpoint, complicating traditional incident response efforts by leaving fewer disk artifacts for investigators to analyze.
Technical Analysis of the Infection Mechanism
The core of this advanced attack relies on a complex infection chain initiated by a .NET Core 8.0 executable. The malicious file, often named “updater.exe,” acts as a wrapper for an embedded library, referred to as “loader.dll.” Upon execution of this wrapper, the loader establishes a connection to a command-and-control (C2) server, specifically at the domain jysync[.]info. The purpose of this initial connection is to retrieve essential encryption keys.
These retrieved encryption keys are critical for the subsequent stage of the attack, where the malware proceeds to download a heavily encrypted payload. The decryption process is multifaceted, employing a combination of AES-CBC and XOR operations to unlock the malicious assembly. Crucially, in keeping with the campaign’s emphasis on stealth, the decrypted code is never written to the hard drive. Instead, it is loaded directly into the system’s active memory through a technique known as .NET reflection. This method ensures a highly persistent and stealthy compromise, evading many signature-based detection mechanisms that only inspect malware residing on disk.
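Because the chain leaves few disk artifacts, the detection opportunity lies in correlating behaviour: a remote support tool starts, shortly afterwards an executable launches from a user-writable directory, and that process then contacts one of the reported domains. The following Python hunting script is an added example, not code from SpiderLabs or from the article; it runs over constructed, pipe-delimited telemetry lines and assumes the QuickAssist process image is named quickassist.exe, a 30-minute correlation window, and the installation path shown in the sample (the two domains are the defanged indicators quoted above).

```python
"""Correlate endpoint telemetry for the QuickAssist -> dropped updater -> C2 pattern.

Added hunting example; the log format, process names and sample events are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Indicators taken from the report (defanged form removed for matching)
KNOWN_C2 = {"ciscocyber.com", "jysync.info"}
# Assumed image name of the built-in remote support tool
REMOTE_SUPPORT_TOOLS = {"quickassist.exe"}
# Directories a phished user can write to without elevation (assumed list)
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\users\\public\\")


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str        # "process_start" or "network"
    image: str       # lower-cased image name of the acting process
    path: str = ""   # full image path (process_start only)
    dest: str = ""   # destination host name (network only)


def parse_line(line: str) -> Event:
    """Parse one constructed line: ts|host|kind|image|path_or_destination."""
    ts, host, kind, image, extra = line.strip().split("|")
    ev = Event(datetime.fromisoformat(ts), host, kind, image.lower())
    if kind == "process_start":
        ev.path = extra.lower()
    else:
        ev.dest = extra.lower()
    return ev


def find_vishing_chains(events: List[Event], window: timedelta = timedelta(minutes=30)) -> List[Dict]:
    """Return one finding per (remote tool start, suspicious launch) pair on a host.

    Severity is "high" when the launched process also talks to a known C2 domain,
    "medium" when only the tool-then-launch sequence is observed.
    """
    by_host: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)

    findings = []
    for host, evs in by_host.items():
        tool_starts = [e for e in evs if e.kind == "process_start" and e.image in REMOTE_SUPPORT_TOOLS]
        for tool in tool_starts:
            later = [e for e in evs if tool.ts <= e.ts <= tool.ts + window]
            launches = [e for e in later
                        if e.kind == "process_start" and any(d in e.path for d in USER_WRITABLE)]
            for launch in launches:
                # Network events from the dropped process after it started
                c2_hits = sorted({e.dest for e in later
                                  if e.kind == "network" and e.image == launch.image
                                  and e.ts >= launch.ts and e.dest in KNOWN_C2})
                findings.append({
                    "host": host,
                    "remote_tool_started": tool.ts.isoformat(),
                    "launched_image": launch.image,
                    "launched_path": launch.path,
                    "c2": c2_hits,
                    "severity": "high" if c2_hits else "medium",
                })
    return findings


# Constructed sample telemetry: WS01 shows the full chain, WS02 a benign session,
# WS03 a download with no remote-support context, WS04 the sequence without C2 contact.
SAMPLE_LOG = [
    r"2024-01-01T09:00:00|WS01|process_start|QuickAssist.exe|C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe",
    r"2024-01-01T09:11:00|WS01|process_start|updater.exe|C:\Users\jdoe\Downloads\updater.exe",
    r"2024-01-01T09:11:05|WS01|network|updater.exe|jysync.info",
    r"2024-01-01T09:00:00|WS02|process_start|QuickAssist.exe|C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe",
    r"2024-01-01T09:05:00|WS02|process_start|notepad.exe|C:\Windows\System32\notepad.exe",
    r"2024-01-01T10:00:00|WS03|process_start|updater.exe|C:\Users\asmith\Downloads\updater.exe",
    r"2024-01-01T10:00:05|WS03|network|updater.exe|example.com",
    r"2024-01-01T09:00:00|WS04|process_start|QuickAssist.exe|C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe",
    r"2024-01-01T09:20:00|WS04|process_start|setup.exe|C:\Users\bkim\AppData\Local\Temp\setup.exe",
    r"2024-01-01T09:20:05|WS04|network|setup.exe|update.example",
]


def run_demo() -> List[Dict]:
    """Run the correlation over the constructed sample and return the findings."""
    return find_vishing_chains([parse_line(l) for l in SAMPLE_LOG])


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['severity'].upper():6} {f['host']} {f['launched_image']} c2={f['c2'] or '-'}")
```

The script deliberately does not require the known domains to fire: the ten-minute gap reported above means the dropped executable appears well after the remote session starts, so the tool-then-launch sequence alone is worth a medium-severity alert, with the C2 match only raising confidence.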
The adoption of Microsoft Teams and QuickAssist as attack vectors highlights a concerning trend among threat actors. By exploiting legitimate and widely used tools, they present a more convincing and less suspicious facade to their targets. This evolving landscape of cyber threats necessitates a continuous adaptation of security strategies, focusing on user education regarding social engineering tactics and enhancing endpoint detection capabilities to identify anomalous behavior even when traditional file-based indicators are absent.
The ongoing nature of this vishing campaign means that organizations and individuals should remain vigilant. Further analysis by cybersecurity researchers is expected to uncover additional details about the full capabilities of the deployed .NET malware. Organizations are advised to review and reinforce their security awareness training programs, emphasizing the importance of verifying requests for remote access and scrutinizing unsolicited communications, even when they appear to originate from internal sources.