Microsoft reports that, in a ransomware campaign ongoing since mid-April, hackers have been using Quick Assist, the remote-control tool built into Windows 10 and 11, to deploy Black Basta malware widely.
Sometimes the cure is worse than the disease. That is undoubtedly what the victims of Black Basta told themselves after the malware was installed without their knowledge via Quick Assist (Assistance Rapide in French), the remote access software for Windows 10 and 11.
Posing as technical support, cybercriminals from the gang nicknamed Storm-1811 abuse users’ trust to take control of their systems and spread their devastating ransomware. Microsoft has sounded the alert and detailed this worrying new modus operandi, which shows once again that hackers stop at nothing.
The ingenious ploy of voice phishing
We now know that cybercriminals are well practiced in the most sophisticated attack techniques, whether or not they use AI. To deploy Black Basta, they started with a phishing campaign in which users are bombarded with spam emails. The unfortunate victims who have taken the bait are then contacted by telephone by hackers posing as a legitimate technical support service (and we know how persuasive they can be if they are good actors). With strong arguments, they convince the user to authorize remote control via Quick Assist to “solve” a supposed problem.
The manipulation relies on a keyboard shortcut and a code provided by the scammer. Once these are entered, the user is sharing their screen and giving full access to their system. A single click is then enough for the hacker to request and obtain full control rights. From there, the victim watches, powerless, as the Black Basta malware is deployed across their entire company network, all as if the victim were the one acting. For their part, the hackers have unlimited access, allowing them to install highly sophisticated malware such as the Qakbot Trojan or the Cobalt Strike attack tool.
Black Basta, the ransomware that wreaks havoc
Once access has been established, the Storm-1811 hackers proceed with the massive deployment of their lethal weapon: Black Basta ransomware. A powerful piece of crypto-ransomware, it encrypts the data on infected systems and demands a huge ransom to unlock it. The PsExec tool allows Black Basta to spread at lightning speed throughout the victim’s company network. In certain cases, the personal data of employees and individuals is indirectly compromised, leading to an incalculable number of collateral victims.
Faced with this scourge, Microsoft is going on the counterattack. The Redmond giant plans to strengthen Quick Assist’s warnings and transparency to guard against these tech support scams. Companies are also encouraged to block or uninstall the utility if it is not essential, further reducing the attack surface. At the same time, Microsoft is sharing indicators of compromise and detection queries to help customers identify any suspicious activity related to this malicious campaign. Clubic echoes this advice, recommending that employees and individuals always confirm, before granting remote control of their device, that a malfunction has actually occurred within the organization, and, of course, check that the software proposed by the caller is the same as that normally used by the IT department. Finally, it is always advisable to keep protection systems up to date.
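The chain described above, a Quick Assist session followed by PsExec on the same machine, is something defenders can look for in process-creation logs. The following is an added example, not Microsoft's published detection queries or code from this article; the event records, host names and 60-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed process-creation records (host, timestamp, image path); not real telemetry.
SAMPLE_EVENTS = [
    ("WS-014", "2024-05-14T09:02:11", r"C:\Windows\System32\QuickAssist.exe"),
    ("WS-014", "2024-05-14T09:20:45", r"C:\Users\Public\PsExec64.exe"),
    ("WS-022", "2024-05-14T10:00:00", r"C:\Windows\System32\QuickAssist.exe"),
    ("WS-022", "2024-05-14T10:05:00", r"C:\Windows\System32\notepad.exe"),
    ("SRV-03", "2024-05-14T11:00:00", r"C:\Tools\PsExec.exe"),
    ("WS-031", "2024-05-14T08:00:00", r"C:\Windows\System32\QuickAssist.exe"),
    ("WS-031", "2024-05-14T13:30:00", r"C:\Temp\psexec.exe"),
]

REMOTE_HELP = {"quickassist.exe"}               # Quick Assist binary name
LATERAL_TOOLS = {"psexec.exe", "psexec64.exe"}  # PsExec client binaries


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def correlate(events, window=timedelta(minutes=60)):
    """Return (host, quick_assist_time, tool_image, tool_time) for every PsExec
    launch seen on a host within `window` after Quick Assist started there."""
    last_session = {}  # host -> time of most recent Quick Assist launch
    alerts = []
    parsed = sorted((datetime.fromisoformat(ts), host, image)
                    for host, ts, image in events)
    for when, host, image in parsed:
        name = basename(image)
        if name in REMOTE_HELP:
            last_session[host] = when
        elif name in LATERAL_TOOLS:
            started = last_session.get(host)
            if started is not None and when - started <= window:
                alerts.append((host, started, image, when))
    return alerts


if __name__ == "__main__":
    for host, qa, image, when in correlate(SAMPLE_EVENTS):
        print(f"{host}: {image} at {when} after Quick Assist at {qa}")
```

PsExec on SRV-03 is not flagged because no Quick Assist session preceded it on that host. Matching on file names misses renamed binaries, so hits are triage leads to confirm against other telemetry.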
Source: The Register, Microsoft