Warning about false updates

Riding on the edge of current events is one of the best ways to catch someone unaware. Having, or hinting at, something that is still unknown can provide enough cover for a malicious entity to confuse a victim into falling for a trap. A common technique is to offer false updates for a program that is new enough that the victim has not yet built up expertise with it, taking advantage of their naivety. There was a glut of issues and vulnerabilities when Zoom had just started out as a popular videoconferencing tool. Microsoft Teams is now getting its fair share of trouble.

Microsoft is warning customers in a non-public security advisory, reported by BleepingComputer, that a malicious ad campaign is evolving and infecting users with ransomware, infostealers, and even Cobalt Strike to be used in conjunction with the ZeroLogon vulnerability. Microsoft calls it the FakeUpdate attack. The attack begins with the victim accessing a malicious server and downloading the malware themselves, convinced that they need an update to Microsoft Teams. Microsoft Teams is a widely used business communication platform that provides instant messaging, videoconferencing, file storage, and application integration. The file contained in the supposed update delivers a PowerShell script that carries a payload which has evolved over time. It initially carried only DoppelPaymer ransomware, but then moved on to WastedLocker and the Cobalt Strike threat emulation software. It also installs a genuine copy of Microsoft Teams, so the victim's Teams software may really be updated. Previous FakeUpdate campaigns carried the Predator the Thief infostealer, the Bladabindi (NJRat) backdoor, and the Zloader stealer.

The attackers were able to use Google Ads services as a force multiplier by purchasing a search engine ad, so that search results for Microsoft Teams provided a malicious link as one of the top results. Links in ads are already a constant source of suspicion, but it is understandable for less savvy users to take the convenient route without recognizing the risk.

Microsoft itself is advising users to use web browsers that can provide a degree of protection by blocking or warning about malicious websites, and to maintain strong passwords for local administrator accounts. Organizations can also minimize their attack surface by blocking executable files, or by blocking JavaScript and VBScript from downloading potentially malicious content.
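The last two mitigations map onto Microsoft Defender's Attack Surface Reduction (ASR) rules. The script below is an added example, not code from the article or from Microsoft; it assumes an elevated PowerShell session on a machine running Microsoft Defender Antivirus, and uses the rule IDs as Microsoft documents them, which should be checked against current documentation before rollout.

```powershell
# Added example (not from the article or Microsoft): enable the two Defender ASR rules
# that match the mitigations above, first in audit mode, then enforced once the audit
# events look clean. Requires an elevated session with Microsoft Defender Antivirus active.

# Rule IDs as documented by Microsoft for these ASR rules; verify against current docs before use.
$AsrRules = @{
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Block executable files unless they meet a prevalence, age, or trusted list criterion'
}

function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)][ValidateSet('AuditMode', 'Enabled', 'Disabled')]
        [string]$Mode
    )
    foreach ($id in $AsrRules.Keys) {
        # Add-MpPreference merges with rules already configured; it does not clear the others.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
        Write-Host ("{0} -> {1}" -f $AsrRules[$id], $Mode)
    }
}

function Get-AsrRuleState {
    # Reads back the currently configured action for each rule we care about.
    $pref = Get-MpPreference
    $actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
        if ($AsrRules.ContainsKey($id)) {
            [pscustomobject]@{
                Rule   = $AsrRules[$id]
                Action = $actionNames[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
            }
        }
    }
}

# Audit first. ASR audit hits are logged in the Microsoft-Windows-Windows Defender/Operational
# log as event ID 1122 (1121 once enforced); review them for legitimate installers before enforcing.
Set-AsrRuleMode -Mode AuditMode
Get-AsrRuleState
# Set-AsrRuleMode -Mode Enabled   # enforce after reviewing the audit results
```

Run Get-AsrRuleState alone on a fleet sample to confirm that policy (Group Policy or Intune) is not already overriding these settings before changing them locally.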

Sources

https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/

https://threatpost.com/microsoft-teams-fakeupdates-malware/161071/

https://securityaffairs.co/wordpress/110693/malware/fake-microsoft-teams-cobalt-strike.html