Itdaily - Attackers abuse Microsoft Teams to install EtherRAT malware

Attackers abuse Microsoft Teams to install EtherRAT malware

microsoft teams

Cybercriminals install malware by deceiving Teams users and taking over their systems.

Cybercriminals are abusing Microsoft Teams calls to impersonate IT staff and convince employees to install malicious software. The attack ultimately leads to the installation of EtherRAT, a sophisticated remote access trojan that allows attackers to gain full control over a system.

According to researchers at Palo Alto Networks, the attack begins with a phishing email supposedly containing an employee survey. The email includes a malicious PDF attachment. If the victim opens it, they receive a Teams call from someone posing as a system administrator or helpdesk employee.

Legitimate tools abused

During the call, the attackers convince the victim to allow screen sharing via Microsoft Teams. They then have the user install legitimate remote support programs, such as HopToDesk or AnyDesk.

Once remote access is active, the attackers download a malicious MSI file that installs a Node.js runtime and subsequently activates EtherRAT. This malware offers extensive capabilities, including executing commands, stealing files, modifying data, and maintaining permanent access to the device.

Microsoft further tightens Teams security

The abuse of Microsoft Teams by cybercriminals has been increasing in recent months. Earlier this year, similar campaigns were discovered where attackers used Teams to pose as internal IT staff to get victims to start Quick Assist sessions. Through this method, they subsequently installed malware or scouted corporate networks.

Microsoft has therefore added several extra security measures to Teams. For instance, users receive warnings when contacted by external accounts, and administrators can automatically place suspicious external bots in a meeting lobby until an organizer explicitly approves access.