Skip to main content
close search
site logo
Dive Brief

Ransomware latches onto fake ads for Microsoft Teams updates

Published Nov. 12, 2020
Samantha Schwartz's headshot
Samantha Schwartz Reporter
Microsoft Teams, Together Mode
Courtesy of Microsoft Teams

Dive Brief:

  • Cybercriminals are using fake Microsoft Teams updates ads to deploy Cobalt Strike, according to a "non-public security advisory" from Microsoft obtained by Bleeping Computer. "We are aware of reports and are investigating. We encourage customers to practice good computing habits online, including exercising caution when clicking on links to web pages," said a Microsoft spokesperson in an email. 
  • Microsoft is suggesting customers use Microsoft's Defender ATP to mitigate the FakeUpdates risk, which is linked to the DoppelPaymer and WastedLocker ransomware strains, according to the report. Microsoft uncovered an attack where bad actors bought a search engine ad "that caused top results for Teams software to point to a domain under their control," Bleeping Computer said. 
  • When clicking on a link, users downloaded payloaders, including Predator the Thief infostealer and Cobalt Strike beacons. Microsoft believes the same operators are behind a handful of attacks that ultimately lead to data encryption.

Dive Insight:

Malware disguised in fraudulent ads or updates is another phishing scheme organizations need to watch for. At least 60,000 parked domains became "malicious," or linked to phishing and malware, between March and September, according to Palo Alto Networks' Unit 42. 

In the Microsoft Teams example, when a victim clicked on a corrupt link, a PowerShell script was executed via a payloader. To disguise the malicious activity, a "legitimate copy" of Microsoft Teams was also installed, according to the report. 

While fake ads and updates are nothing new, they have a greater chance at success in a mass remote work environment. Employees are likely using personal devices, which "may not have corporate or company security protections installed to mitigate the threats associated with these types of droppers," said Dan L. Dodson, CEO of Fortified Health Security. 

The reported attacks are using known tactics and tools. The Predator the Thief malware was discovered in 2018 and is often found on hacking forums, according to Fortinet. It performs typical functions of a stealer malware: sends its operators credentials, search history, or images from hijacked webcams. What sets it apart from other stealers written in C#, is that the Predator is "fully written in C/C++," according to researchers. 

Cobalt Strike, a penetration tool for white hat hackers, has become a staple for cybercriminals and is easily manipulated. "When its capabilities are utilized by a cybercriminal, Cobalt Strike can compromise an entire network," said Dodson. 

In a typical Ryuk ransomware attack, Cobalt Strike's role, in conjunction with Mimikatz, LaZagne or Kerbrute, to perform reconnaissance, browser pivoting, and unmonitored communication. IBM uncovered an overlap in code signing certificates between Cobalt Strike Beacon and Ryuk. 

Key to mitigating these attacks is employee awareness and training. "Ask questions and learn from one another. We are all in this fight together," said Dodson.   

Recommended Reading

Filed Under: Threats

Editors' picks

Company Announcements

View all | Post a press release
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Editors' picks
Latest in Threats
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell