Based on information from Bleeping Computer, threat actors are impersonating IT support staff via Microsoft Teams voice calls to trick employees into installing the EtherRAT malware, gaining initial access to corporate networks.The campaign, detailed by Palo Alto Networks' Unit 42, begins with a phishing email containing a malicious PDF. After the victim opens the document, an attacker, posing as a "System Administrator" from an external Microsoft Teams account, initiates a voice call. The attacker convinces the victim to grant remote control using Teams' screen-sharing feature and guides them to install legitimate remote access tools like HopToDesk or AnyDesk. Once remote access is established, the attackers download and execute a malicious MSI installer that loads EtherRAT, a cross-platform remote access trojan.EtherRAT can execute commands, steal data, and maintain persistence, using Ethereum smart contracts for command-and-control servers. This method follows a trend of attacks abusing Microsoft Teams, with previous campaigns targeting financial and healthcare organizations and impersonating helpdesk personnel. Microsoft has responded by adding warnings for external callers and chats and implementing new policies to place suspected third-party bots in the meeting lobby.Source: Bleeping Computer




