Scammers use Microsoft’s Quick Assist to take over your PC and steal your data
Microsoft recommends uninstalling Quick Assist if you’re not using it
Published on May 16, 2024
Microsoft issued a Threat Intelligence report to flag an elaborate social engineering scam involving Microsoft's tech support tool Quick Assist. According to the post, since mid-April 2024, a cybercriminal group named Storm-1811 has been exploiting this tool, which facilitates remote assistance between users, to orchestrate attacks and deploy the notorious Black Basta ransomware.
What makes it even more worrying is that Black Basta was also signaled by CISA and FBI to be the culprit in a lot of industry organization attacks.
The Quick Assist scam is not new, but it has evolved into something more elaborate, with a more complex mechanism. Some people also complained on Reddit about the same scam over a year ago, and as you will learn, the approach is similar.
How does the Storm-1811 Quick Assist scam work?
Quick Assist, typically a benign tool enabling remote support, has become a Trojan horse in the hands of Storm-1811. By masquerading as trustworthy entities such as Microsoft technical support or IT professionals, these threat actors gain unauthorized access to devices. They are using a blend of voice phishing (vishing) and the delivery of malicious tools, including remote monitoring and management (RMM) tools like ScreenConnect and NetSupport Manager, and malware such as Qakbot and Cobalt Strike, setting the stage for the final act: ransomware injection.
In other words, you may receive emails or direct calls from scammers pretending to represent Microsoft. They will offer their tech support skills to help you with alleged issues on your PC, ask you to log into a fake interface with your security code, and then take over your PC to fix the problem.
The narrative doesn’t end with the initial breach. Once inside, the attackers execute a series of maneuvers designed to deepen their foothold within the compromised system. They employ scripted commands to download malicious payloads, leveraging tools like Qakbot for remote access and Cobalt Strike for establishing persistence, all while masquerading their activities as legitimate operations. This meticulous preparation paves the way for the ultimate payload delivery: Black Basta ransomware, a particularly virulent strain known for its stealth and efficiency.
In their warning announcement, Microsoft says that they are enhancing Quick Assist’s security features to thwart such misuse. They’re incorporating warning messages to alert users to potential tech support scams and improving the transparency and trust between users. For those seeking to fortify their defenses, Microsoft recommends blocking or uninstalling Quick Assist if it’s not in use, alongside educating users on the hallmarks of tech support scams and the importance of vigilance.
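The uninstall recommendation above can be checked and applied from an elevated PowerShell prompt. The script below is an added example, not code from Microsoft or from this article; the package name and capability name in it are assumptions about how Quick Assist is registered on current and older Windows builds, so confirm them on your own machines before rolling it out.

```powershell
#Requires -RunAsAdministrator
# Added example: audit (and optionally remove) Quick Assist on one machine.
# Assumed identifiers, verify on your Windows build before fleet use:
$AppxName       = 'MicrosoftCorporationII.QuickAssist'   # Store (AppX) package
$CapabilityName = 'App.Support.QuickAssist~~~~0.0.1.0'   # older built-in capability

function Get-QuickAssistState {
    # One result object per place Quick Assist can be installed from.
    $appx = Get-AppxPackage -AllUsers -Name $AppxName -ErrorAction SilentlyContinue
    $prov = Get-AppxProvisionedPackage -Online |
        Where-Object DisplayName -eq $AppxName
    $cap  = Get-WindowsCapability -Online -Name $CapabilityName -ErrorAction SilentlyContinue

    [pscustomobject]@{ Source = 'AppxPackage';        Present = [bool]$appx; Item = $appx }
    [pscustomobject]@{ Source = 'ProvisionedPackage'; Present = [bool]$prov; Item = $prov }
    [pscustomobject]@{ Source = 'WindowsCapability'
                       Present = ($cap.State -eq 'Installed'); Item = $cap }
}

function Remove-QuickAssist {
    # Supports -WhatIf / -Confirm so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($entry in (Get-QuickAssistState | Where-Object Present)) {
        if (-not $PSCmdlet.ShouldProcess($entry.Source, 'Remove Quick Assist')) { continue }
        switch ($entry.Source) {
            'AppxPackage' {
                # Installed copies for every user profile.
                $entry.Item | Remove-AppxPackage -AllUsers
            }
            'ProvisionedPackage' {
                # Stops the app from being installed for new profiles.
                $entry.Item | ForEach-Object {
                    Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName
                }
            }
            'WindowsCapability' {
                Remove-WindowsCapability -Online -Name $CapabilityName
            }
        }
    }
}

# Report only; nothing is changed by this line.
Get-QuickAssistState | Select-Object Source, Present
# Remove-QuickAssist -WhatIf   # preview what would be removed
# Remove-QuickAssist           # perform the removal
```

Removing only the per-user package leaves the provisioned copy in place, which is why the script checks all three sources before reporting the machine as clean.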
In the face of this sophisticated threat, organizations are urged to adopt a multi-layered defense strategy. This includes educating users on recognizing and reporting phishing attempts, enabling cloud-delivered protection, and investing in advanced anti-phishing solutions.
How to protect against the Storm-1811 Quick Assist scam?
So, as with any phishing scam, it's a matter of awareness and lucidity. If someone calls you pretending to be from the Microsoft tech support team, make sure you requested that service in the first place and certainly don't provide anyone access to your PC.
As usual, we recommend refraining from opening unsolicited emails and from downloading the contents of suspicious attachments or untrusted applications.
Have you been targeted by such emails or calls recently? Let’s talk about this in the comments below.
Claudiu Andone
Windows Troubleshooting Expert
Oldtimer in the tech and science press, Claudiu is focused on whatever comes new from Microsoft.
His abrupt interest in computers started when he saw the first Home Computer as a kid. However, his passion for Windows and everything related became obvious when he became a sys admin in a computer science high school.
With 14 years of experience in writing about everything there is to know about science and technology, Claudiu also likes rock music, chilling in the garden, and Star Wars. May the force be with you, always!