Threat actors misusing Quick Assist in social engineering attacks leading to ransomware
May 16, 2024, 10:01 a.m.
Description
The report describes a recent campaign by the threat actor Storm-1811, a financially motivated cybercriminal group known for deploying Black Basta ransomware. The campaign begins with social engineering tactics like voice phishing (vishing) and email bombing to trick users into granting remote access to their devices through the Windows Quick Assist feature. Once access is gained, the attackers deploy malware like Qakbot, remote monitoring tools like ScreenConnect and NetSupport Manager, and Cobalt Strike beacons, ultimately leading to the deployment of Black Basta ransomware on compromised systems.
Date
| Published | Created | Modified |
|---|---|---|
| May 16, 2024, 9:27 a.m. | May 16, 2024, 9:27 a.m. | May 16, 2024, 10:01 a.m. |
Indicators
71d50b74f81d27feefbc2bc0f631b0ed7fcdf88b1abbd6d104e66638993786f8
93058bd5fe5f046e298e1d3655274ae4c08f07a8b6876e61629ae4a0b510a2f7
1cb1864314262e71de1565e198193877ef83e98823a7da81eb3d59894b5a4cfb
1ad05a4a849d7ed09e2efb38f5424523651baf3326b5f95e05f6726f564ccc30
0f9156f91c387e7781603ed716dcdc3f5342ece96e155115708b1662b0f9b4d0
Attack Patterns
Black Basta - S1070
QuackBot
Pinkslipbot
QakBot - S0650
QBot
Storm-1811
T1218.005
T1053.005
T1059.003
T1059.001
T1059.007
T1071.001
T1486
T1057
T1105
T1566.001
T1133
T1059