Hackers are targeting Windows Quick Assist remote desktop features to deploy ransomware
Remote access tools such as Windows Quick Assist continue to be a key target for threat actors, with Microsoft issuing another warning about the risk of ransomware attacks


Hackers are targeting Windows Quick Assist features as part of a campaign to conduct ransomware attacks, Microsoft has warned in a new threat intelligence report.
Since mid-April 2024, the tech giant has observed Storm-1811, a financially motivated threat actor, using social engineering tactics to trick users into granting access to their device through Quick Assist.
Quick Assist is a remote access tool that lets one user share control of a Windows device with another to troubleshoot technical issues; it is built on the Remote Desktop Protocol (RDP).
Microsoft’s advisory warned that the attack chain begins with an email-bombing attack, in which the hackers sign the target’s email address up to multiple subscription services that flood the inbox with subscribed content.
The attackers then target the user with a voice phishing attack (vishing), in which they claim to be IT support from the affected company offering to help them fix their spam issue.
During the call, threat actors try to manipulate the victim into giving them access to their device through Quick Assist. Microsoft warned that the victim only needs to follow a few of the attacker’s instructions before they can execute code on the target device.
First, the threat actor gets the user to open Quick Assist with the Ctrl + Windows + Q keyboard shortcut, after which the user is prompted to enter a security code provided by the attacker.
The user is then shown a dialog box asking for permission to share their screen; once this is accepted, the threat actor can request control through Quick Assist.
If control is granted, the attacker gets to work deploying various malware strains to escalate their privileges on the system.
The attacker runs a script to download a batch of files, including remote monitoring and management (RMM) tools as well as the Qakbot malware, which is used to deliver other malicious payloads such as Cobalt Strike.
After installing the initial tooling required for the attack, the threat actor can simply terminate the call and use the command-line tool PsExec to deploy the Black Basta ransomware.
Black Basta is described as a ‘closed ransomware offering’, in contrast to the more frequently deployed ransomware-as-a-service (RaaS) tools, and is distributed by a small number of threat actors.
Microsoft’s report noted the link between Black Basta ransomware attacks and the use of the Qakbot remote access trojan (RAT), advising organizations to look out for evidence of the malware in order to catch an attack in its early stages, before any ransomware is deployed.
“Since Black Basta first appeared in April 2022, Black Basta attackers have deployed the ransomware after receiving access from Qakbot and other malware distributors, highlighting the need for organizations to focus on attack stages prior to ransomware deployment to reduce the threat.”
In addition to exploiting Quick Assist to gain initial access, the attack chain leverages other RMM tools such as ScreenConnect and NetSupport Manager to establish persistence and move laterally on the network, as well as maintain control over the compromised device.
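The early-stage detection Microsoft's advice points to, shown as an added example that is not code from Microsoft's report or from ITPro: it runs over constructed Sysmon-style process-creation events and flags the two signals the chain above produces, a shell or download utility spawned by QuickAssist.exe, and PsExec launched on a host that had a Quick Assist session shortly before. The event field names, the process-name lists and the four-hour window are assumptions for the example.

```python
import json
import ntpath
from datetime import datetime, timedelta

# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
# WS01 follows the chain in the article; WS02 is a benign Quick Assist session;
# ADMIN01 is routine PsExec use with no Quick Assist session on that host.
SAMPLE_EVENTS = r"""
{"ts": "2024-05-15T10:02:11", "host": "WS01", "image": "C:\\Windows\\System32\\QuickAssist.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"ts": "2024-05-15T10:09:40", "host": "WS01", "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Windows\\System32\\QuickAssist.exe"}
{"ts": "2024-05-15T10:10:05", "host": "WS01", "image": "C:\\Windows\\System32\\curl.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe"}
{"ts": "2024-05-15T11:30:22", "host": "WS01", "image": "C:\\Users\\Public\\PsExec.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe"}
{"ts": "2024-05-15T10:15:00", "host": "WS02", "image": "C:\\Windows\\System32\\QuickAssist.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"ts": "2024-05-15T09:00:00", "host": "ADMIN01", "image": "C:\\Tools\\PsExec64.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe"}
"""

# Assumed lists: interactive shells and living-off-the-land download utilities,
# and the PsExec binary names; tune to your environment.
SHELLS_AND_DOWNLOADERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "curl.exe",
                          "certutil.exe", "bitsadmin.exe", "mshta.exe",
                          "wscript.exe", "cscript.exe"}
PSEXEC_NAMES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
WINDOW = timedelta(hours=4)  # assumed correlation window after a session starts


def parse_events(text):
    """Parse JSON lines, normalise image names to lowercase basenames, sort by time."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["image"] = ntpath.basename(e["image"]).lower()
        e["parent_image"] = ntpath.basename(e["parent_image"]).lower()
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(text):
    """Return (host, rule, image) alerts for the Quick Assist -> script -> PsExec chain."""
    alerts = []
    session_start = {}  # host -> first QuickAssist.exe start seen
    for e in parse_events(text):
        if e["image"] == "quickassist.exe":
            session_start.setdefault(e["host"], e["ts"])
        if e["parent_image"] == "quickassist.exe" and e["image"] in SHELLS_AND_DOWNLOADERS:
            alerts.append((e["host"], "quickassist_spawned_shell", e["image"]))
        if e["image"] in PSEXEC_NAMES:
            start = session_start.get(e["host"])
            if start is not None and e["ts"] - start <= WINDOW:
                alerts.append((e["host"], "psexec_after_quickassist", e["image"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only WS01 produces alerts: the benign session on WS02 and the unrelated PsExec use on ADMIN01 stay silent, which is the point of correlating PsExec with a preceding Quick Assist session rather than alerting on PsExec alone.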
Windows Quick Assist attacks are just the tip of the iceberg
The security advisory from Microsoft follows a growing trend of attackers exploiting remote desktop access software to carry out attacks.
With the advent of hybrid working models, remote access tools have become pervasive across corporate networks, and their level of access makes them useful tools for attackers if they can successfully exploit them.
In February 2024, a Trend Micro report found that two high-severity vulnerabilities in ConnectWise’s ScreenConnect product were being actively exploited by threat actors in the wild.
Similarly, Huntress issued a report in January 2024 on another popular remote access tool, TeamViewer, that was being used in a ransomware campaign to breach devices and deploy the Surprise ransomware.
It was unclear at the time whether the attackers were exploiting a vulnerability in the TeamViewer software to gain unauthorized access to the target devices, or whether they were able to legitimately access the system using stolen credentials.
In the case of Quick Assist, the attackers did not need to exploit any security flaw in the tool itself; they simply used it as designed, for malicious purposes.
As a result, Microsoft recommends that organizations consider blocking or uninstalling Quick Assist and other remote management tools if they are not actively used in their environment.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.