Malware distributed via Microsoft Teams

0

context

Recently, Avanan published a blog post mentioning adversaries’ interest in Microsoft Teams as a launchpad for their malicious attacks. Attackers have historically targeted online collaboration tools such as Slack and Discord for malware distribution and phishing. While this probably isn’t the first time Teams has been used to infect users, this trend is on the rise with the growing popularity of Teams.

Campaign Overview

Hackers are targeting the Teams platform to share malicious Trojan horse files on a large scale to infect unwitting users. They use various means to gain access to users’ emails, which in turn are used to gain access to Teams and then share malicious files with more users to infect them. Files shared on Teams are executable files that can take control of the system.

Hackers have the added advantage of attacking Teams or any other similar service if they use SSL encryption which can automatically bypass certain security tools that are oblivious to things happening under SSL. Additionally, they take advantage of the trust between the compromised user and the target users as they are more likely to open files from a known contact.

There is a caveat, attackers cannot simply share files on Teams, they must first have access to a Teams account to be able to share files with other users.

What can you do to protect yourself?

Route all traffic through Zscaler Internet Access, which will provide the right visibility to identify and stop malicious activity from compromised systems/servers.
Be sure to inspect all SSL traffic.
Advanced threat protection to block all known malware and command and control activity.
Use Advanced Cloud Sandbox to prevent unknown malware delivered as part of a second-stage payload.
Security awareness training to spot and report suspicious attachments via chat and collaboration tools

Zscaler coverage:

Zscaler can protect against these threats or indeed against any unknown threat by inspecting large-scale SSL-encrypted traffic and blasting files in Advanced Cloud Sandbox.

We ensured coverage of known payloads through advanced threat signatures as well as an advanced cloud sandbox.

Malware Protection

W32/Trojan.BEIE-5677

Advanced Cloud Sandbox

Win32.Trojan.Wincen

Advanced Cloud Sandbox Report

Zscaler’s Cloud Sandbox detonates payloads to reveal their true behavior and plays a vital role in overall protection against new payloads.

The Zscaler ThreatLabz team is actively monitoring this campaign and covering threats. More updates to follow.

*** This is a Security Bloggers Network syndicated blog from Blog Category Feed written by Atinderpal Singh. Read the original post at: https://www.zscaler.com/blogs/security-research/malware-delivered-microsoft-teams

Share.

About Author

Comments are closed.