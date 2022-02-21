Security researchers from Avanan (a Check Point company) have warned about some attackers they are compromising Microsoft Teams accounts to then sneak into chats and spread malicious executables to those who are participating in the conversation.

What they have discovered is that a group of hackers started dropping malicious executable files in conversations on the Microsoft Teams communication platform. The attacks began in January, although they have not been reported until today.

The attacker inserts an executable file into a chat called “User Centric” to cheat the user to run it. The user can trust this link because it comes from a known contact.

This is what the Trojan does once it is executed





Once executed, the malware writes data to the system registry, install DLLs and establish their persistence on the Windows machine. Hackers attach .exe files to Teams chats to install a Trojan horse on the end user’s computer. The Trojan is then used to install malware.

Vector: Microsoft Teams Type: Malicious Trojan File Techniques: .exe files Target: Any end user

“In this attack on computers, hackers attach a malicious Trojan document to a conversation. When clicked, the file ends up taking control of the user’s computer“, specify from Avanan.

It should be said that for now it is not easy to stop these attackers since the method used to access Teams accounts “is still not clear, but some possibilities include credential theft for email or Microsoft 365 via phishing” or that a company or organization associated with users may have been compromised.

Once installed, this Trojan can collect detailed information about the operating system and the hardware it runs on, along with the security status of the machine based on the OS version and patches installed. A serious problem that they see from Avanan is that after analyzing data from hospitals that use Teams, they have discovered that “doctors use the platform to share medical information without restrictions”, and this could fall into the wrong hands that could lead to worse attacks.

Additionally, Teams offers external and guest access capabilities that allow collaboration with people outside the company. Avanan says that these invitations are usually attended with minimal supervision.

In addition to having protection on PCs so that when they download files there is a sandbox that analyzes the files, it encourages users to inform the dIT department when they see an unknown file.