Malware

Attackers use Microsoft Teams voice calls to deliver EtherRAT malware

Privacy concept: pixelated words Malware on digital background, 3d render

Based on information from Bleeping Computer, threat actors are impersonating IT support staff via Microsoft Teams voice calls to trick employees into installing the EtherRAT malware, gaining initial access to corporate networks.

The campaign, detailed by Palo Alto Networks' Unit 42, begins with a phishing email containing a malicious PDF. After the victim opens the document, an attacker, posing as a "System Administrator" from an external Microsoft Teams account, initiates a voice call. The attacker convinces the victim to grant remote control using Teams' screen-sharing feature and guides them to install legitimate remote access tools like HopToDesk or AnyDesk. Once remote access is established, the attackers download and execute a malicious MSI installer that loads EtherRAT, a cross-platform remote access trojan.

EtherRAT can execute commands, steal data, and maintain persistence, using Ethereum smart contracts for command-and-control servers. This method follows a trend of attacks abusing Microsoft Teams, with previous campaigns targeting financial and healthcare organizations and impersonating helpdesk personnel. Microsoft has responded by adding warnings for external callers and chats and implementing new policies to place suspected third-party bots in the meeting lobby.

Source: Bleeping Computer

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

Adware

You can skip this ad in 5 seconds