A campaign reported by Palo Alto Networks' Unit 42 combines phishing emails with Microsoft Teams voice calls impersonating corporate IT support to trick employees into installing EtherRAT malware. The attack begins with a phishing email containing an employee survey lure and malicious PDF attachment, followed by a Teams voice call from an external account posing as a system administrator. The attacker convinces the victim to grant remote control through Teams' screen-sharing feature and guides them through installing legitimate remote-access tools like HopToDesk and AnyDesk, then downloads a malicious MSI installer that decrypts embedded payloads and launches EtherRAT.
EtherRAT is a cross-platform Node.js-based remote access trojan that provides attackers with full system control, command execution, data theft, and persistence, using Ethereum smart contracts to retrieve its command-and-control server and evade disruption. Unit 42 discovered an open directory containing multiple versions of the malware installers, indicating active development. This follows a growing pattern of Teams abuse, including a March campaign delivering A0Backdoor to financial and healthcare organizations and Microsoft's warning about impersonation attacks using remote access tools.
Microsoft has added new protections including warnings identifying external callers and chats, and an administrator policy that automatically places suspected third-party bots into meeting lobbies for manual approval. External accounts used in the attack displayed the label indicating they belonged to a different Microsoft 365 tenant. The campaign demonstrates how attackers combine social engineering with legitimate tools and malware loaders to gain initial access to corporate networks. EtherRAT was previously used in state-sponsored attacks exploiting the React2Shell vulnerability.
Read more...
