Security researchers from Avanan (a Check Point company) have warned that some attackers are compromising Microsoft Teams accounts to then break into chats and spread malicious executables to those who are participating in the conversation.
What they have discovered is that a group of hackers began to drop malicious executable files in conversations on the Microsoft Teams communication platform. The attacks began in January, although they have not been reported until today.
12 tricks to get the most out of Microsoft Teams
The attacker inserts an executable file named “User Centric”” into a chat to trick the user into running it. The user can trust this link because it comes from a known contact.
This is what the Trojan does once it is executed
Once executed, the malware writes data to the system registry, installs DLLs and establishes its persistence on the Windows machine. Hackers attach .exe files to Teams chats to install a Trojan horse on the end user’s computer. The Trojan is then used to install malware.
Vector: Microsoft Teams
Type: Malicious Trojan File
Techniques: .exe files
Target: Any end user
“In this attack on computers, hackers attach a malicious Trojan document to a conversation. When it is clicked, the file ends up taking control of the user’s computer“, they specify from advance.
It should be said that for now it is not easy to stop these attackers since the method used to access Teams accounts “remains unclear, but some possibilities include theft of credentials to email or Microsoft 365 via phishing” or that a company or organization associated with users may have been compromised.
“Microsoft is the best host of malware in the world”, according to a former employee of its security area
Once installed, this Trojan can collect detailed information about the operating system and the hardware it runs on, along with the security status of the machine depending on the version of the operating system and installed patches. A serious problem that they see from Avanan is that after analyzing data from hospitals that use Teams, they have discovered that “doctors use the platform to share medical information without restrictions”, and this could fall into the wrong hands that could lead to worse attacks.
In addition, Teams offers guest and external access capabilities that enable collaboration with people outside the company. Avanan says that these invitations are usually attended with minimal supervision.
In addition to having protection on PCs so that when they download files there is a sandbox that analyzes the files, it encourages users to inform the IT department when they see an unknown file.