Critical Microsoft Teams Flaw Lets Attackers Hijack Accounts, Deliver ModeloRAT
Key Takeaways
- Attackers are exploiting Microsoft Teams to impersonate IT staff, tricking users into running PowerShell commands.
- This leads to the deployment of ModeloRAT, a sophisticated remote access trojan that uses a portable Python environment.
- The malware exhibits advanced evasion techniques, including zero detection on VirusTotal and bypassing several EDR tools at the time of analysis.
- ModeloRAT establishes persistence via both registry run keys and stealthy scheduled tasks.
- Organizations can mitigate risk by adjusting Microsoft Teams external access settings and implementing enhanced monitoring for suspicious file and process activity.
Cybersecurity researchers have uncovered an active campaign where threat actors are leveraging compromised or fabricated Microsoft Teams accounts to target users. Posing as internal IT helpdesk personnel, these attackers aim to convince victims to execute a seemingly innocuous, obfuscated PowerShell command. This command is the gateway to a multi-stage infection, ultimately deploying the ModeloRAT (Remote Access Trojan) onto the victim’s system.
ModeloRAT’s Stealthy Delivery and Evasion
The initial PowerShell command triggers the download and drop of a ZIP archive into the system’s AppData folder. This archive is then unpacked locally, initiating the ModeloRAT infection process. A key characteristic of this particular ModeloRAT variant is its use of a portable Python environment bundled within the dropped archive, alongside its malicious Python components.
Upon execution, the malware’s operations bifurcate: one branch focuses on conducting reconnaissance activities, while the other establishes communication with a remote command-and-control (C2) server. This dual-pronged approach allows the attackers to discreetly collect system information and maintain a persistent, covert connection to their infrastructure, all while minimizing indicators that might trigger standard endpoint monitoring solutions.
A significant concern highlighted by the investigation is ModeloRAT’s advanced evasion capabilities. During the analysis, collected samples registered zero detections on VirusTotal, indicating that no antivirus engines flagged the files at that time. Furthermore, the malware successfully circumvented several prominent Endpoint Detection and Response (EDR) tools, which are typically considered crucial last lines of defense in corporate environments. You can review the full report for more details.
Beyond its initial evasion, this ModeloRAT variant demonstrates sophisticated persistence mechanisms. In addition to writing itself to a standard Windows startup registry key, the malware creates a scheduled task with a randomly generated name. This tactic significantly complicates detection efforts for defenders, as the malicious task can blend in with legitimate system tasks. Moreover, this dual persistence ensures the malware’s automatic re-execution even if one of its persistence methods is discovered and removed. These techniques collectively underscore a deliberate strategy by attackers to remain undetected and operational on compromised systems for extended periods.
What You Should Do
Organizations must adopt a proactive stance to mitigate the risks associated with this type of attack. Immediate and practical steps include:
- Restrict Microsoft Teams External Access: Review and tighten Microsoft Teams external access settings. Limit or disable messages from unknown or unverified external tenants to prevent attackers from directly contacting employees. This serves as a critical first line of defense.
- Monitor for Suspicious Downloads: Configure alerts for downloads from cloud storage services like Dropbox on corporate devices, especially if there’s no legitimate business need for such external file access.
- Monitor AppData for ZIP Extraction: Implement monitoring for ZIP file extraction activities within AppData directories, a common staging area for this malware.
- Track Python Executables in User Paths: Set up detection rules for unusual instances of pythonw.exe running from user-writable paths, particularly within AppData. This can help identify the portable Python environment utilized by ModeloRAT.
- Audit Persistence Mechanisms: Regularly review newly registered scheduled tasks and changes to registry run keys to detect and neutralize persistence attempts before they become entrenched.
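The last three monitoring steps above can be expressed as hunting rules over endpoint telemetry. The following is an added example, not code from the report or from any vendor product: it runs three simple rules over constructed Sysmon-style events (process create, registry value set, scheduled task created). The vowel-ratio heuristic for "random-looking" task names is an assumption for illustration, since the report does not describe the naming pattern; only the WPy64-31401 directory name comes from the report.

```python
import re

# Constructed sample telemetry (Sysmon-style fields), not taken from the report.
# EventID 1 = process create, 13 = registry value set, 4698 = scheduled task created.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\WPy64-31401\python\pythonw.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\Python312\pythonw.exe",   # benign install
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 4698, "TaskName": r"\Xk93qLp2wz"},                      # constructed name
    {"EventID": 4698, "TaskName": r"\MicrosoftEdgeUpdateTaskMachineCore"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\WPy",
     "Details": r"C:\Users\alice\AppData\Roaming\WPy64-31401\python\pythonw.exe"},
]

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\temp\\|\\programdata\\", re.I)
PYTHON_EXE = re.compile(r"\\pythonw?\.exe$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)

def python_from_user_path(event):
    """True when python.exe/pythonw.exe is launched from a user-writable directory."""
    image = event.get("Image", "")
    return bool(PYTHON_EXE.search(image) and USER_WRITABLE.search(image))

def random_looking(task_name):
    """Heuristic (assumption, not the report's pattern): an alphanumeric name of 8+
    characters that mixes letters and digits and has almost no vowels."""
    name = task_name.rsplit("\\", 1)[-1]
    if len(name) < 8 or not name.isalnum():
        return False
    letters = [c for c in name if c.isalpha()]
    digits = sum(c.isdigit() for c in name)
    if digits == 0 or not letters:
        return False
    vowels = sum(c.lower() in "aeiou" for c in letters)
    return vowels / len(letters) < 0.2

def run_key_to_user_path(event):
    """True when a Run/RunOnce value points at a binary in a user-writable path."""
    return bool(RUN_KEY.search(event.get("TargetObject", ""))
                and USER_WRITABLE.search(event.get("Details", "")))

def triage(events):
    """Return (rule, detail) pairs for every event that matches a hunting rule."""
    hits = []
    for ev in events:
        if ev["EventID"] == 1 and python_from_user_path(ev):
            hits.append(("python_user_path", ev["Image"]))
        elif ev["EventID"] == 4698 and random_looking(ev["TaskName"]):
            hits.append(("random_task_name", ev["TaskName"]))
        elif ev["EventID"] == 13 and run_key_to_user_path(ev):
            hits.append(("run_key_user_path", ev["TargetObject"]))
    return hits

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Tune the vowel threshold and the user-writable path list against your own baseline before deploying; vendor task names with long digit suffixes (SIDs, version numbers) are kept out here only because they contain normal words.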
Indicators of Compromise (IoCs)
For defenders, the following Indicators of Compromise (IoCs) can aid in detection and prevention:
| Type | Indicator | Description |
|---|---|---|
| IP Address | 45[.]61[.]136[.]94 | Observed ModeloRAT C2 server |
| IP Address | 64[.]95[.]10[.]14 | Observed ModeloRAT C2 server |
| IP Address | 64[.]95[.]12[.]238 | Observed ModeloRAT C2 server |
| IP Address | 64[.]95[.]13[.]76 | Observed ModeloRAT C2 server |
| IP Address | 162[.]33[.]179[.]149 | Observed ModeloRAT C2 server |
| File Path | %APPDATA%\WPy64-31401 | Malware execution directory containing portable Python environment |
| Process | pythonw.exe | Portable Python used to execute malicious components from AppData |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.