Scammers use Microsoft's Quick Assist to take over your PC and steal your data
Microsoft recommends uninstalling Quick Assist if you're not using it
3 min. read
Published on
Share this article
Read our disclosure page to find out how can you help Windows Report sustain the editorial team Read more
Microsoft issued a Threat Intelligence report to signal an elaborate social engineering scam involving Microsoft’s tech support tool Quick Assist. According to the post, since mid-April 2024, a cybercriminal group named Storm-1811 has been exploiting this tool that facilitates remote assistance between users, to orchestrate attacks and deploy the notorious Black Basta ransomware.
What makes it even more worrying is that Black Basta was also signaled by CISA and FBI to be the culprit in a lot of industry organization attacks.
The Quick Assist scam is not new, but it evolved into something more elaborate, with a more complex mechanism. Some people also complained on Reddit about the same scam over a year ago, and as you will learn, the approach is similar.
How does the Storm-1811 Quick Assist scam work?
Quick Assist, typically a benign tool enabling remote support, has become a Trojan horse in the hands of Storm-1811. By masquerading as trustworthy entities such as Microsoft technical support or IT professionals, these threat actors gain unauthorized access to devices. They are using a blend of voice phishing (vishing) and the delivery of malicious tools, including remote monitoring and management (RMM) tools like ScreenConnect and NetSupport Manager, and malware such as Qakbot and Cobalt Strike, setting the stage for the final act: ransomware injection.
In other words, you may receive emails or direct calls from scammers pretending to represent Microsoft. They will will offer their tech support skills to help you with alleged issues on your PC, asking you to log into a fake interface with your security code and take over your PC to fix the problem.
The narrative doesn’t end with the initial breach. Once inside, the attackers execute a series of maneuvers designed to deepen their foothold within the compromised system. They employ scripted commands to download malicious payloads, leveraging tools like Qakbot for remote access and Cobalt Strike for establishing persistence, all while masquerading their activities as legitimate operations. This meticulous preparation paves the way for the ultimate payload delivery: Black Basta ransomware, a particularly virulent strain known for its stealth and efficiency.
In their warning announcement, Microsoft says that they are enhancing Quick Assist’s security features to thwart such misuse. They’re incorporating warning messages to alert users to potential tech support scams and improving the transparency and trust between users. For those seeking to fortify their defenses, Microsoft recommends blocking or uninstalling Quick Assist if it’s not in use, alongside educating users on the hallmarks of tech support scams and the importance of vigilance.
In the face of this sophisticated threat, organizations are urged to adopt a multi-layered defense strategy. This includes educating users on recognizing and reporting phishing attempts, enabling cloud-delivered protection, and investing in advanced anti-phishing solutions.
How to protect against the Storm-1811 Quick Assist scam?
So, as with any phishing scams, it’s a matter of awareness and lucidity. If someone calls you pretending to be from the Microsoft tech support team, make sure you requested that service in the first place and certainly don’t provide anyone access to your PC.
As usual, we recommend restraining from opening unsolicited emails, downloading the contents of suspicious attachments or untrusted applications.
Have you been targeted by such emails or calls recently? Let’s talk about this in the comments below.
