How Hackers are Using Malicious Fake Ads for Microsoft Teams Updates

by CISOCONNECT Bureau

In recent FakeUpdates campaigns, hackers have been using malicious fake ads for Microsoft Teams updates. Read on to learn more…

Due to COVID-19 restrictions, there has been a considerable increase in the usage of online video conferencing tools. In recent FakeUpdates campaigns, hackers were seen poisoning search engine results with malicious ads for fake Microsoft Teams updates.

Cybercriminals have begun using malicious fake ads for Microsoft Teams updates to deploy backdoors that use the Cobalt Strike attack-simulation tool to infect corporate networks with malware and ransomware.

So far, these attacks have targeted organizations across a variety of industries, but recent campaigns have focused on the education sector, which relies on Microsoft Teams and other video conferencing software for distance learning.

About FakeUpdates Campaigns
According to Bleeping Computer, hackers were observed operating FakeUpdates campaigns using Microsoft Teams updates as a lure to target educational organizations. They were using several variations of the same theme with different threat vectors.

The hackers used the Predator the Thief infostealer as an initial payload, along with the Bladabindi (NJRat) backdoor and the ZLoader stealer. In addition, they used Cobalt Strike to compromise the rest of the network. In some instances, hackers used the IP Logger URL shortening service, signed binaries, and various second-stage payloads.

To increase credibility, clicking on the link installed a legitimate copy of Microsoft Teams on the system alongside the payloads. Moreover, a paid search engine ad for Teams software amplified the payload distribution by pointing to a domain under the hackers' control.

Recent Attacks
In the last month, hackers impersonated an automated message from Microsoft Teams to steal the recipient's login credentials. In multiple connected phishing campaigns, attackers were seen spoofing well-known applications in an attempt to evade detection.

Recently, cyber attackers managed to gain access to the systems of Scotland's Dundee and Angus College and demanded a ransom. The DoppelPaymer crew compromised Newcastle University students' data in September and leaked it onto the dark web in November. In addition, a cybersecurity incident shut down the systems of Saskatchewan Polytechnic.

Mitigation
To avoid falling victim to a FakeUpdates attack, Microsoft recommends that organizations use web browsers capable of filtering and blocking malicious websites and ensure their local administrators are using strong passwords. Additionally, limiting admin privileges to essential users can prevent attackers from easily moving laterally across a network.

Concluding Note
In the FakeUpdates campaigns, the use of a combination of legitimate applications, infostealer trojans, backdoors, and Cobalt Strike has added fuel to the fire. By using such dangerous combinations, hackers could potentially infect hundreds of thousands of computers. Microsoft has warned users to stay alert to poisoned search engine results and malicious online advertisements.