Criminal gangs are using fake Microsoft Teams updates to infect networks with Cobalt Strike

Hackers are specifically targeting the education sector where use of collaboration tools is high, according to Microsoft

Microsoft is warning users of Microsoft Teams software about a recent ransomware campaign that is employing fake Teams updates to target organisations and compromise their networks.

According to Bleeping Computer, the software giant has issued a non-public security advisory for customers, informing them that ransomware groups are currently running "FakeUpdates" campaigns to deliver backdoors that eventually lead to installation of the Cobalt Strike malware on companies' networks.

Cobalt Strike was developed as a security tool to emulate attacks on networks, but it has since been adapted by threat actors and used to find weaknesses in order to deliver secondary payloads, such as ransomware.

Hackers are specifically targeting the education sector where people are dependent on apps like Teams and Zoom for videoconferencing due to coronavirus restrictions.

In at least one attack detected by Microsoft, the cyber actors were seen using a search engine ad, which when clicked, led Teams users to a malicious domain under their control. The link downloaded a payload that executed a PowerShell script to load more malicious content. A genuine copy of Microsoft Teams was also installed on the system to avoid alerting victims to the attack.

Microsoft said that it had seen multiple malware being distributed in recent campaigns, including Predator the Thief, Bladabindi (NJRat) backdoor, and ZLoader infostealer.

In many attacks, file-encrypting programmes were deployed as the last stage of the campaign.

Microsoft is now advising users to take all appropriate measures to lessen the impact of the latest wave of FakeUpdates attacks. The company recommends customers use web browsers that are able to block malicious websites.

Organisations must also use strong admin passwords that can't be guessed easily. Restricting administrative privileges to essential users will reduce the impact of any attack.

Employing fake software update lures to compromise networks is not new, say cyber security experts.

Last year, the DoppelPaymer ransomware gang used a similar trick to target Microsoft users. The WastedLocker group reportedly evolved the technique this year by employing second-state payloads and using signed binaries to evade the detection.

Earlier this month, it emerged that cybercriminals were also abusing a legitimate Google Drive feature to trick users into clicking malicious links, and ultimately install malware in their systems.

Cyber security researchers found that the phishing scam stemmed from Drive's collaboration feature, which is used by millions of people to create emails or push notifications inviting other users to work together on documents.

Researchers said that scammers were exploiting this particular feature to send notifications to potential victims, asking them to collaborate on a document. These notifications contained links that led users to malicious websites.