Introduction
Microsoft has recently highlighted the abuse of the remote support tool Quick Assist in sophisticated social engineering attacks leading to ransomware infections. This blog post summarizes the threat and recommends a mitigation strategy for Netskope customers.
Attack Chain
An unknown adversary group is exploiting Quick Assist in targeted social engineering campaigns. These attacks typically begin with vishing (voice phishing) to impersonate trusted entities, such as technical support or IT personnel, to trick victims into granting remote access to their devices. Microsoft is currently referring to this unknown adversary group as Storm-1811. The Storm-#### naming scheme is one that Microsoft uses as a temporary name for unknown, emerging threats and groups in development.
Once they obtain access via Quick Assist, the attackers deploy various malicious tools and malware. The attack chain includes the following key stages:
- Impersonation and Vishing: Attackers impersonate IT support, contacting targets via phone and convincing them to use Quick Assist for troubleshooting.
- Remote Access: The victim initiates a Quick Assist session, granting the attacker access.
- Execution of Malicious Commands: Attackers run scripted commands to download and execute malicious payloads.
- Tool Deployment: The attackers use tools like ScreenConnect and NetSupport Manager to facilitate remote control and Qakbot and Cobalt Strike to deploy additional payloads.
- Ransomware Deployment: The attackers use PsExec to deploy the Black Basta ransomware across the network.
Recommendations
Netskope Threat Labs recommends disabling Quick Assist if you are not actively using it. Netskope SWG customers can disable Quick Assist by configuring a rule to block traffic to remoteassistance.support.services.microsoft.com
. For organiza