- Trend Micro says that hackers are using Microsoft tools to approach their victims
- Through social engineering, they obtain credentials for remote desktop solutions
- This access is used to deploy advanced backdoors
Hackers are using advanced social engineering tactics to try to sneak malicious .DLL files onto victims' systems, which in turn allow them to deploy backdoor malware.
A new report by cybersecurity researchers at Trend Micro states that the attack begins in Microsoft Teams, where crooks use impersonation to approach victims and trick them into handing over a particular set of credentials. Through Quick Assist, or similar remote desktop tools, they gain access to the devices, where the malicious .DLL files are dropped.
These .DLL files then allow them to deploy BackConnect, a type of remote access tool (RAT) that establishes a reverse connection from the infected device to the attacker's server, bypassing firewall restrictions. This allows attackers to maintain persistent access, execute commands and exfiltrate data while evading traditional security measures.
Commercial cloud solutions
BackConnect is apparently hosted and distributed using commercial cloud storage tools.
Trend Micro says that the attacks began in October 2024 and have focused mainly on North America, where it observed 21 breaches: 17 in the United States, five in Canada and the United Kingdom, and 18 in Europe. The researchers did not say whether the attacks were successful, or which industries were targeted most.
Since most of the tools used in this campaign are legitimate (Teams, OneDriveStandaloneUpdater, Quick Assist), traditional antivirus or anti-malware services will not be enough. Instead, companies must educate their employees to recognize social engineering attacks and report them promptly. Companies could also enforce multifactor authentication (MFA) and restrict access to remote desktop tools.
Finally, they should audit cloud storage configurations to prevent unauthorized access and monitor network traffic for suspicious connections, especially those to known malicious C2 servers.
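Because the binaries involved are legitimate, the detection opportunity lies in behaviour: the legitimate OneDriveStandaloneUpdater process loading a DLL from a directory it has no business using, or making outbound connections to hosts that are neither its update service nor otherwise expected. The following is an added example, not code from Trend Micro or the report; it runs over a handful of constructed telemetry lines in a simplified `kind key=value ...` format that is assumed for illustration. The trusted DLL directories, the expected update hostnames and the C2 block list are all assumptions or placeholders that a real deployment would replace with its own allowlists and threat intelligence.

```python
"""Added example (not from the Trend Micro report): flag telemetry that matches the
DLL-sideloading and reverse-connection pattern described in the article.

Telemetry lines below are constructed for the example. The format is hypothetical:
    image_load pid=<n> image=<exe path> dll=<dll path>
    net_conn   pid=<n> image=<exe path> dest=<host:port>
"""
import re
from dataclasses import dataclass

UPDATER = "onedrivestandaloneupdater.exe"

# Assumption: directories the legitimate updater is expected to load DLLs from.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\program files\\microsoft onedrive\\",
)
# Assumption: hostnames the updater is expected to contact (placeholder allowlist).
EXPECTED_DEST_SUFFIXES = ("oneclient.sfx.ms", "onedrive.live.com")
# Placeholder block list; real indicators would come from threat intelligence feeds.
KNOWN_C2 = {"203.0.113.45", "c2.example.invalid"}

# key=value pairs where values may contain spaces (Windows paths).
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Constructed sample telemetry: line 2 sideloads a DLL from a temp directory,
# line 4 has the updater talking to a block-listed host, line 5 is svchost to that host.
SAMPLE_TELEMETRY = [
    r"image_load pid=4120 image=C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe dll=C:\Windows\System32\winhttp.dll",
    r"image_load pid=4120 image=C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe dll=C:\Users\alice\AppData\Local\Temp\wininet.dll",
    r"net_conn pid=4120 image=C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe dest=oneclient.sfx.ms:443",
    r"net_conn pid=4120 image=C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe dest=203.0.113.45:443",
    r"net_conn pid=5000 image=C:\Windows\System32\svchost.exe dest=203.0.113.45:443",
    r"net_conn pid=5000 image=C:\Windows\System32\svchost.exe dest=update.microsoft.com:443",
]


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based index into the telemetry
    reason: str    # short machine-readable tag for the rule that fired


def parse_line(line: str) -> dict:
    """Split one telemetry line into its event kind and key=value fields."""
    kind, _, rest = line.strip().partition(" ")
    fields = {k: v for k, v in FIELD_RE.findall(rest)}
    fields["kind"] = kind
    return fields


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    # Normalised, lower-cased parent directory with a trailing backslash.
    return path.replace("/", "\\").lower().rsplit("\\", 1)[0] + "\\"


def analyze(lines) -> list:
    """Return a Finding for every line that matches one of the behavioural rules."""
    findings = []
    for n, line in enumerate(lines, start=1):
        ev = parse_line(line)
        is_updater = _basename(ev.get("image", "")) == UPDATER

        if ev["kind"] == "image_load" and is_updater:
            # Rule 1: the updater loading a DLL from outside its trusted directories
            # is the sideloading behaviour that enables the dropped payload.
            if not _dirname(ev["dll"]).startswith(TRUSTED_DLL_DIRS):
                findings.append(Finding(n, "dll_outside_trusted_dir"))

        elif ev["kind"] == "net_conn":
            host = ev["dest"].rsplit(":", 1)[0].lower()
            # Rule 2: any process reaching a block-listed C2 host.
            if host in KNOWN_C2:
                findings.append(Finding(n, "known_c2"))
            # Rule 3: the updater itself talking to something other than its
            # expected service, which is how a reverse connection would surface.
            if is_updater and not host.endswith(EXPECTED_DEST_SUFFIXES):
                findings.append(Finding(n, "updater_unexpected_destination"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_TELEMETRY):
        print(f"line {f.line_no}: {f.reason}")
```

Rule 3 is deliberately stricter than rule 2: a block list only catches infrastructure someone has already reported, whereas an allowlist of the few hosts a specific updater legitimately contacts catches a reverse connection to infrastructure nobody has seen yet. Expect some tuning of `EXPECTED_DEST_SUFFIXES` against real telemetry before alerting on it.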
Via Infosecurity Magazine