- Attackers combine spam floods with fake IT support
- Victims tricked into Quick Assist sessions deploying A0Backdoor
- Malware enables full account takeover and remote code execution
Cybercriminals are using a new combination of spam and IT support impersonation to deploy malware and take over corporate devices, experts have warned.
Security researchers at BlueVoyant found cybercriminals would start their attack by flooding their victim’s email inbox with spam. Not long after, they would reach out to that victim, claiming to be an IT support technician tasked with solving the spam problem.
Then, they would ask the victim to start a Quick Assist remote session, through which they temporarily gain access to the target computer. There, under the pretense of “solving the spam problem”, they would deploy a piece of malware called A0Backdoor.
Article continues below
Black Basta is back?
Masquerading as Microsoft Teams components and the CrossDeviceService, the malware is deployed and activated using DLL sideloading.
The result is full account takeover, giving attackers remote code execution (RCE) capabilities. That means they can run arbitrary commands on scripts, download and execute additional malware unabated, steal data freely, move laterally, or deeper, throughout the network. Finally, they can maintain persistence and long-term access or turn the device into a relay for further attacks.
Attribution is relatively difficult, so we can’t know for certain who is behind the attacks, but according to Cybersecurity News, the activity “overlaps with tactics previously tied to Blitz Brigantine”, a group also known as Storm-1811. This is a financially motivated threat actor that Microsoft previously linked to Black Basta.
For those with shorter memory spans, Black Basta used to be one of the most notorious ransomware gangs, but the group effectively ceased operations and went silent in early 2025.
So far, the group hit two victims – a financial institution in Canada and a global healthcare organization. The names have not yet been shared, and the group has not publicly claimed responsibility for the attacks.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
https://cdn.mos.cms.futurecdn.net/jt92kXfBXVXUWwnKBmDJLn-2560-80.jpg
Source link
