Microsoft Teams Vulnerability Lets Attackers Install RMM Tools and EtherRAT
Key Takeaways Cybercriminals are exploiting Microsoft Teams through social engineering and fake IT support calls to deploy EtherRAT malware. The attack begins with a phishing email, leading to a...
Key Takeaways
- Cybercriminals are exploiting Microsoft Teams through social engineering and fake IT support calls to deploy EtherRAT malware.
- The attack begins with a phishing email, leading to a Teams call where attackers persuade victims to enable screen sharing and install legitimate remote access tools.
- EtherRAT, a cross-platform remote access trojan, uses Ethereum smart contracts for C2 server communication, making takedown difficult.
- This campaign highlights a growing trend of adversaries leveraging trusted collaboration platforms for sophisticated malware delivery.
Attackers Leverage Microsoft Teams for EtherRAT Deployment
In a sophisticated new campaign, threat actors are weaponizing Microsoft Teams calls to bypass enterprise defenses and install a potent new remote access trojan (RAT) known as EtherRAT. This operation meticulously blends social engineering with the use of legitimate remote support software, making the intrusion appear as a routine IT support interaction rather than a cyberattack.
Table Of Content
The attack sequence commences with a phishing email that employs an “Employee Survey” as bait, containing a malicious PDF attachment. Upon opening this file, the unsuspecting target receives an unsolicited Microsoft Teams voice call from an individual purporting to be a “System Administrator.” Although Teams flags the call with an “External unfamiliar” label due to the caller originating from an outside Microsoft 365 tenant, many users often overlook this crucial warning.
Researchers from Palo Alto Networks’ Unit 42, whose findings were published on GitHub analysts said in a report, noted that the attacker’s account was linked to a domain specifically crafted to mimic a legitimate helpdesk address. This subtle detail significantly enhances the credibility of the impersonation, encouraging victims to engage further in the call.
Once the victim answers, the attacker skillfully manipulates them into activating Teams’ built-in screen sharing feature, thereby granting remote control over the device. Subsequently, the caller guides the victim through the installation of what appear to be legitimate remote access tools. This critical step solidifies the attacker’s foothold, masquerading the intrusion as a standard technical support procedure.
The EtherRAT Payload and Its Unique C2 Mechanism
With remote access firmly established, the attacker proceeds to download and execute a malicious MSI installer. This installer surreptitiously fetches a genuine Node.js runtime onto the compromised machine. It then decrypts hidden payloads embedded within itself, ultimately launching the EtherRAT malware. The reliance on authentic software components during the loading process often allows the activity to evade detection by many endpoint security solutions.
EtherRAT is a cross-platform remote access trojan, developed entirely in Node.js, which affords it considerable flexibility across various operating systems. Once deployed, it can execute commands, manage and manipulate files, exfiltrate sensitive data, and maintain persistent access to the infected system. A particularly distinctive feature of EtherRAT is its use of Ethereum smart contracts to retrieve the address of its command and control (C2) server. This innovative method significantly complicates takedown efforts for cybersecurity defenders.
Researchers have observed EtherRAT in previous state-sponsored operations, where it exploited a separate critical vulnerability. Its more recent appearance across a broader spectrum of criminal groups suggests that the tool is being disseminated or sold beyond its original operators. Unit 42’s investigation also uncovered an open directory on the attacker’s distribution server containing nine distinct versions of the installer, indicative of active and continuous development of the malware.
Persistent Threat of Fake Helpdesk Schemes
This incident is not isolated; Microsoft Teams has consistently been a target for impersonation schemes over the past year. Earlier campaigns involved spam emails followed by Teams contact, with attackers posing as internal IT staff to deliver various malware families. Microsoft itself has issued warnings to organizations regarding the increasing use of external Teams accounts by attackers impersonating helpdesk personnel to gain unauthorized remote access.
In response, Microsoft has implemented several protective measures, including more prominent warnings for calls and chats originating from external tenants. A new administrative policy also automatically places suspected third-party bots into a meeting lobby until an organizer manually approves them. Security teams are strongly advised to restrict external Teams communication where feasible, educate employees to verify IT requests through independent channels, and monitor for unexpected remote access software installations, as these steps directly counter the tactics observed in this campaign.
Organizations must treat any unsolicited IT support call, particularly those received via collaboration platforms, with the same level of skepticism as an unexpected phone call from a stranger claiming to be from a financial institution. The most straightforward and effective defense remains verifying all requests through a known, internal communication channel before granting any form of remote access.
Indicators of Compromise (IoCs)
| Type | Indicator | Description |
|---|---|---|
| Email/Account | [email protected][.]com | External Teams account used to impersonate IT support |
| Domain | camorreado[.]click | Distribution server hosting the malicious MSI installer |
| File | v7.msi | Malicious MSI installer that loads Node.js runtime and EtherRAT payload |
| File (related) | v1.msi through v9.msi | Multiple installer versions found on an open distribution directory, indicating active development |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
What You Should Do
- Educate Employees: Conduct regular training on identifying phishing attempts, especially those involving unsolicited IT support requests via collaboration platforms like Microsoft Teams.
- Verify IT Requests: Establish and enforce a policy requiring employees to verify any IT support requests through known, internal channels (e.g., a specific helpdesk ticketing system or internal phone number) before granting remote access or installing software.
- Restrict External Communications: Configure Microsoft Teams and other collaboration tools to restrict or clearly flag communications from external tenants, and evaluate policies for external guest access.
- Monitor for Suspicious Software: Implement and actively monitor endpoint detection and response (EDR) solutions for unauthorized installations of remote access tools or unusual software execution, particularly after a remote session.
- Review Microsoft Teams Security Settings: Ensure that all available security features and policies within Microsoft Teams, such as those related to external users and bot management, are optimally configured to minimize risk.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.