general · BleepingComputer
Threat actors are conducting social engineering campaigns using Microsoft Teams to distribute EtherRAT, a Node.js-based remote access trojan. According to Palo Alto Networks' Unit 42, the attack chain begins with phishing emails containing malicious PDF attachments labeled as "Employee Survey." After the victim opens the document, an attacker calls via Microsoft Teams while impersonating corporate IT support, leveraging the "External unfamiliar" label that appears on cross-tenant calls. The attacker convinces the victim to enable screen sharing and install legitimate remote-access tools (HopToDesk, AnyDesk), then downloads a malicious MSI installer that deploys EtherRAT. The malware grants full system control, executes commands, steals data, and uses Ethereum smart contracts to retrieve command-and-control infrastructure, complicating disruption efforts. Unit 42 discovered multiple malware versions (v1–v9) on an open distribution server, indicating active campaign development.
This attack pattern has direct implications for organizations subject to CMMC, SOC2, and NIST 800-171 requirements. Defense contractors handling CUI must implement controls to detect and prevent external Teams calls from untrusted tenants and enforce multi-factor authentication on remote-access tools. SaaS providers and healthcare organizations under SOC2 and HIPAA should audit their identity and access management policies to restrict screen-sharing delegation and monitor for suspicious remote-tool installations. All regulated industries should ensure endpoint detection and response (EDR) solutions can flag unsigned MSI installers and Node.js execution anomalies. An Omniware engagement can scope your organization's vulnerability to this attack vector and map remediation to your compliance framework.
Source: BleepingComputer - https://www.bleepingcomputer.com/news/security/fake-it-support-calls-on-microsoft-teams-push-etherrat-malware/
Source: BleepingComputer
All briefings