- Trend Micro says hackers are using Microsoft Teams to get closer to their victims
- Through social engineering, they obtain credentials to remote desktop solutions
- This access is then used to drop advanced backdoors
Hackers are using advanced social engineering tactics to try and get flawed old .DLL files onto people’s computers which, in turn, would allow them to drop backdoor malware.
A new report from cybersecurity researchers Trend Micro claims the new attack starts on Microsoft Teams, where the crooks use impersonation to get close to the victims and trick them into providing a certain set of credentials. Through Quick Assist, or similar remote desktop tools, they gain access to the devices, where they sideload flawed .DLL files using OneDriveStandaloneUpdater.exe, a legitimate OneDrive update tool.
These .DLL files then allow them to drop BackConnect, a type of remote access tool (RAT) that establishes a reverse connection from an infected device to an attacker’s server, bypassing firewall restrictions. This allows attackers to maintain persistent access, execute commands, and exfiltrate data while evading traditional security measures.
Commercial cloud solutions
BackConnect is apparently hosted, and distributed, using commercial cloud storage tools.
Trend Micro says the attacks started in October 2024, and have mostly focused on North America, where it observed 21 breaches – 17 in the US, five in Canada and the UK, and 18 in Europe. The researchers didn’t say if the attacks were successful, or which industries they targeted most.
Since most of the tools used in this campaign are legitimate (Teams, OneDriveStandaloneUpdater, Quick Assist), traditional antivirus or malware protection services will not suffice. Instead, businesses must educate their employees to spot social engineering attacks and report them in a timely fashion. Businesses could also enforce the use of multi-factor authentication (MFA) and limit access to remote desktop tools.
Finally, they should audit cloud storage configurations to prevent unauthorized access, and monitor network traffic for suspicious connections, especially those going to known malicious C2 servers.
