High-profile ransomware group Black Basta is turning to malicious QR codes in Microsoft Teams chat messages to gain initial access to a victim’s system, embracing what is becoming an increasingly popular social engineering tool used by threat actors.
Black Basta, which came on the scene in 2022 and also operates as a ransomware-as-a-service (RaaS) enterprise, previously overwhelmed users with spam emails, which led them to create a legitimate help-desk ticket asking to fix the issue. The bad actor – posing as the help desk – would then contact the end user about the ticket and work their way into the system.
However, recent incidents revealed that the attackers have started to use Microsoft Teams. Microsoft has the largest channel partner community in the world with MSPs and MSSPs providing assistance with Office 365 including Teams and with security tools such as Microsoft Defender. The Microsoft Teams chat messages have been used by the threat group to communicate with their targets including QR codes for initial access, according to cybersecurity firm ReliaQuest’s threat research team.
“The underlying motivation is likely to lay the groundwork for follow-up social engineering techniques, convince users to download remote monitoring and management (RMM) tools, and gain initial access to the targeted environment,” team members wrote in a report. “Ultimately, the attackers’ end goal in these incidents is almost certainly the deployment of ransomware.”
It’s a significant threat, they wrote. Black Basta or its affiliates are targeting companies in a wide variety of sectors worldwide with what team members called “alarming intensity,” noting that in one incident, they saw about 1,000 emails crashing down on a single user during a 50-minute timeframe. Looking at commonalities in domain creation and Cobalt Strike configurations, the researchers said they attribute the attacks “with high confidence” to Black Basta.
Bad Actors Follow Popularity of QR Codes
QR codes, those small boxes with the strange black-and-white patterns that people focus their smartphone cameras on to get information like restaurant menus and product prices – are nothing new, having been around for more than three decades. However, their use – and people’s familiarity with them – has skyrocketed since the COVID-19 pandemic began, when businesses turned to them as contactless ways to give people information.
Bad actors have followed the trend and are using malicious QR codes in phishing scams – known as “quishing” – and other attacks to install malware on end users’ devices and steal credentials. In a report earlier this year outlining ways QR codes are being used by cybercriminals, Jeremy Fuchs, cybersecurity researcher and analyst at Check Point, wrote that QR code scams may be “simple,” but are “successful as many email security solutions didn’t have QR code protection and many end-users are used to scanning QR codes.”
QR code-based attacks also grabbed the attention of government agencies with the Federal Trade Commission late last year issuing a consumer alert about the scams.
First, Mass Email Spam
In incidents in October, ReliaQuest found that Black Basta attackers followed mass email spam events by adding targeted users to Teams chats with external users operating from Entra ID tenants they created to appear as though they were part of supports, admin, or help-desks teams.
The external user profiles were “designed to make the targeted user think they were communicating with a helpdesk account. In almost all instances we’ve observed, the display name included the string ‘Help Desk,’ often surrounded by whitespace characters, which is likely to center the name within the chat. We also observed that, typically, targeted users were added to a ‘OneOnOne’ chat.” ReliaQuest researchers wrote that most external users came from Russia, based on the time zone data logged by Teams that featured Moscow.
In addition, some incidents involved threat actors using Microsoft’s Quick Assist feature in Windows for the bogus support sessions rather than AnyDesk. Those targeted users were also sent QR codes within the chats that looked like legitimate QR code images from branded companies.
A Highly Connected World
The use of QR codes in cyber-scams is another indication of how interconnected people’s lives are, according to Mayuresh Dani, manager of security research, at Qualys’ Threat Research Unit.
“Enterprises have been using updated email filters to weed out malicious emails,” Dani told MSSP Alert. “However, with these attacks, [threat actors] just need to make sure that the QR code is delivered to the targeted user. Once delivered, there are high chances that the user will whip out a phone and point to the QR code to visit the embedded link.”
It’s exacerbated because phones are personal devices that lack enterprise-grade protection that comes with other systems like laptops. In addition, like URLs, QR codes inherently do not show the endpoint they lead users to, he said.
The Gatekeepers
MSSPs and MSPs play an important gatekeeping role in identifying and blocking malicious QR codes and social engineering attempts before they reach end users, Stephen Kowski, field CTO at SlashNext Email Security+, told MSSP Alert.
A survey by Kaseya of MSPs found that email security was requested by 15% of customers, second only behind cloud migration at 22%.
“The most effective protection comes from combining continuous security monitoring with comprehensive employee training programs that specifically address new threats like QR code manipulation while also deploying advanced endpoint protection solutions that can detect and prevent unauthorized access attempts,” Kowski said. “Real-time threat detection powered by AI and machine learning, coupled with rapid incident response capabilities, helps organizations stay protected against these sophisticated social engineering tactics.”
