Cybercrime
Unit 42 says attackers are posing as helpdesk staff and persuading employees to hand over remote control before dropping EtherRAT trojan
Cybercriminals are using fake IT support calls on Microsoft Teams to persuade employees to surrender control of their PCs before installing the EtherRAT remote access trojan, according to researchers at Palo Alto Networks' Unit 42.
Victims receive a phishing email disguised as an employee survey before a follow-up Microsoft Teams call from someone claiming to be IT support. During the call, the attacker persuades the target to hand over remote control and install legitimate remote administration tools such as HopToDesk or AnyDesk. An MSI package is then downloaded, which installs the EtherRAT malware.
"We've seen in the logs of the User's session the Title 'System Administrator (External unfamiliar) | Microsoft Teams'; the External unfamiliar tag indicates a contact from outside the organization with no trusted relationship," Unit 42 threat researcher Brian Janower wrote. "Microsoft Teams audit logs confirm the actor initiated a cross tenant OneOnOne chat from the attacker controlled account."
EtherRAT is a Node.js RAT that runs across Windows, Linux, and macOS, giving attackers the usual menu of post-compromise tricks: running commands, stealing data, manipulating files, and maintaining access. Instead of hardcoding where it phones home, the malware fetches an active command-and-control server from an Ethereum smart contract, with a conventional domain kept in reserve if that doesn't work.
The RAT has previously been linked to attacks exploiting the React2Shell vulnerability and has since appeared in campaigns involving multiple threat groups.
Unit 42's research also highlights a potentially useful forensic artifact from this latest campaign. According to Janower, Teams creates files beginning "CtrlVirtualCursorWin_*" during remote control sessions, giving defenders another indicator that an attacker was actively operating a victim's desktop.
Researchers also found what appears to be an open directory containing EtherRAT versions 1 through 9. With samples updated as recently as June 26, the repository suggests the operators are continuing to develop the malware.
The campaign is the latest example of attackers turning Microsoft's collaboration platform against its users. Last month, researchers found DragonForce operators disguising command-and-control traffic as legitimate Teams communications after compromising a victim's network.
In this case, Teams is abused much earlier in the intrusion, with attackers simply using fake IT support calls to persuade employees to open the door themselves. ®

3 hours ago
16








English (US) ·