Initial access broker KongTuke has expanded its social engineering attacks to Microsoft Teams, gaining persistent access to corporate networks in as little as five minutes.
The threat actor tricks users into pasting a PowerShell command that ultimately delivers the ModeloRAT, which has been previously seen in ClickFix attacks [1, 2].
Initial access brokers (IABs) like KongTuke typically sell company network access to ransomware operators, who use it to steal files and deploy data-encrypting malware.
Cybercriminals have increasingly adopted Microsoft Teams in attacks, reaching out to company employees and pretending to be IT and help-desk staff.
The victims are convinced to run a malicious PowerShell command on their systems, which deploys the “ModeloRAT” malware.
[Image: the PowerShell command used in the observed attacks. Source: ReliaQuest]
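The article does not reproduce the command text, so the script below is an added hunting example for defenders and is not code from the article, from ReliaQuest, or from the attackers. It assumes the pasted command either goes through the Windows Run dialog (which records history under the RunMRU registry key) or is executed by PowerShell on a host where Script Block Logging is enabled (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log). The keyword list is a generic download-cradle heuristic, not KongTuke- or ModeloRAT-specific indicators.

```powershell
# Added example: hunt for ClickFix/FileFix-style pasted PowerShell on one Windows host.
# Assumptions (not from the article): the command lands in RunMRU and/or in 4104 script block logs.

# Generic tokens seen in one-liners that fetch and run a second stage. Heuristic only.
$Patterns = @(
    'Invoke-Expression', 'iex ', 'Invoke-WebRequest', 'iwr ', 'Invoke-RestMethod', 'irm ',
    'DownloadString', 'DownloadFile', 'FromBase64String', '-EncodedCommand', '-enc ',
    '-WindowStyle Hidden', '-w hidden', 'mshta', 'bitsadmin', 'curl '
)
$Regex = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Get-SuspiciousRunMru {
    # Run dialog history for the current user. Values are named a, b, c ... and end in "\1".
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return }
    $skip = 'MRUList', 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $skip) { continue }
        $cmd = [string]$p.Value -replace '\\1$', ''
        if ($cmd -match $Regex) {
            [pscustomobject]@{ Source = 'RunMRU'; Time = $null; User = $env:USERNAME; Command = $cmd }
        }
    }
}

function Get-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    # Event 4104: Properties[2] is ScriptBlockText. Requires Script Block Logging to be on.
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $text = [string]$_.Properties[2].Value
        if ($text -match $Regex) {
            [pscustomobject]@{
                Source  = '4104'
                Time    = $_.TimeCreated
                User    = $_.UserId
                Command = $text.Substring(0, [Math]::Min(200, $text.Length))
            }
        }
    }
}

Get-SuspiciousRunMru
Get-SuspiciousScriptBlocks -Hours 72 | Sort-Object Time -Descending
```

Run it in the context of the user who received the Teams chat, since RunMRU lives under HKCU. A hit in RunMRU with no matching 4104 event usually means Script Block Logging is off on that host, which is itself a finding worth fixing before the next incident.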
ReliaQuest researchers observed this activity and say that it is a shift in tactics for KongTuke, who previously relied solely on web-based “FileFix” and “CrashFix” lures.
“This Teams activity, which appears to add to, rather than replace, that web-based approach, marks the first time we’ve seen KongTuke use a collaboration platform for initial access,” explains ReliaQuest.
“In the incidents we investigated, a single external Teams chat moved the operator from cold outreach to a persistent foothold in under five minutes.”