FacebookTwitterLinkedIn

Black Basta Threat Actors Pose As Microsoft Teams IT Support

Karolis Liucveikis Written by on

According to a blog article published by ReliaQuest, their security team discovered a new Black Basta ransomware campaign that begins with a spam email, which is then followed by threat actors posing as Microsoft Teams IT Support to trick victims into installing remote access software, which is then used to deploy Black Basta.

Black Basta Threat Actors Pose As Microsoft Teams IT Support

At the start of the campaign, Black Basta threat actors would bombard victims with spam emails, prompting them to open what they believed was a support ticket. Then, the Black Basta threat actor receives the supposed support ticket.

Recently, threat actors have evolved their tactics by using Microsoft Teams chat messages to communicate with targeted users and incorporating malicious QR codes to facilitate initial access.

Researchers stated,

The underlying motivation is likely to lay the groundwork for follow-up social engineering techniques, convince users to download remote monitoring and management (RMM) tools, and gain initial access to the targeted environment. Ultimately, the attackers’ end goal in these incidents is almost certainly the deployment of ransomware.

And,

This rapidly escalating campaign poses a significant threat to organizations. The threat group is targeting many of our customers across diverse sectors and geographies with alarming intensity. The sheer volume of activity is also unique; in one incident alone, we observed approximately 1,000 emails bombarding a single user within just 50 minutes. Due to commonalities in domain creation and Cobalt Strike configurations, we attribute this activity to Black Basta with high confidence.

When abusing Microsoft Teams, targeted users were added to Microsoft Teams chats using the add external users feature. These external users operated from Entra ID tenants, which they created to better pose as support, admin, or help-desk staff. Threat actors will create tenants with an observed naming convention by adding the domain "*.onmicrosoft.com".

Real-world examples seen by security researchers include:

  • securityadminhelper.onmicrosoft[.]com
  • supportserviceadmin.onmicrosoft[.]com
  • supportadministrator.onmicrosoft[.]com
  • cybersecurityadmin.onmicrosoft[.]com

As mentioned above, the campaign tactics evolved to include QR codes as delivery vehicles for the installation of remote access software. To further trick victims, QR codes were sent in chat and branded as legitimate companies. Often, QR codes would be branded as "QuickAssist" to better prompt the targeted user to solve the imagined problem quickly and easily.

Based on observed campaigns, the elaborate ruse is conducted to install AnyDesk, a popular remote access software used by legitimate IT support teams to solve and prevent IT issues in organizations. Once access permission is granted to the threat actor, they will install several malicious files to facilitate the ultimate delivery of the Black Basta ransomware payload once Cobalt Strike beacons are deployed.

These malicious files were named to appear as anti-spam programs, such as "AntispamAccount.exe," "AntispamUpdate.exe," and "AntispamConnectUS.exe." It is capable of downloading the files within five minutes of running AnyDesk.

The file "AntispamAccount.exe" accessed the Local Security Authority Service (LSASS), indicating it was used to collect user credentials on the compromised host. Further, the file "AntispamConnectUS.exe" generates network traffic to hundreds of other internal hosts. Researchers believe this is done to discover additional resources on the network.

Black Basta and Social Engineering Tactics

The move to using Microsoft Teams and QR codes is an evolution of previous tactics used recently by the ransomware operation, dating back to campaigns discovered in May 2024. Both Rapid7 and ReliaQuest discovered Black Basta attack campaigns that used vishing, otherwise known as video phishing, tactics to assist in granting attackers initial access to corporate networks.

Again, these attacks would be used to install AnyDesk to deliver additional malware payloads and better facilitate ransomware infection. In some instances, Microsoft's built-in Quick Assist feature is used to establish a remote connection. Again, the attack would begin with spam emails bombarding the targeted user.

Rapid7 researchers stated,

With the emails sent, and the impacted users struggling to handle the volume of the spam, the threat actor then began to cycle through calling impacted users posing as a member of their organization’s IT team reaching out to offer support for their email issues. For each user they called, the threat actor attempted to socially engineer the user into providing remote access to their computer through the use of legitimate remote monitoring and management solutions.

At the time, ReliaQuest summarized the threat to organizations as follows,

As the Black Basta campaign continues to leverage social engineering tactics alongside legitimate remote access tools like Quick Assist and AnyDesk, its threat to organizations remains high. This campaign adeptly manipulates human vulnerabilities by overwhelming targets with spam emails and then impersonating IT support to gain trust and system access. Given the persistent nature of these social engineering attacks, and the ongoing reliance on widely trusted remote management software, organizations are likely to face high threats from Black Basta in the short-term future. It is realistically possible that other ransomware groups could attempt to conduct attacks using similar Tactics, Techniques, and Procedures (TTPs).

That threat is still to be taken seriously. As tactics evolve rapidly, it becomes harder for organizations to pivot and hope to defend against the malware attack campaign, now with updated tactics and techniques to get past security measures and directly target employees.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

New Removal Guides
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal

Top Removal Guides
Latest News
Blog