Hackers Planting Fake Ads for Microsoft Teams Updates

According to Bleeping Computer, hackers were observed operating FakeUpdates campaigns using Microsoft Teams updates as a lure to target educational organizations. They were using several variations of the same theme with different threat vectors.

The hackers used Predator the Thief infostealer as an initial payload, along with Bladabindi (NJRat) backdoor and ZLoader stealer.

In addition, they used Cobalt Strike to compromise the rest of the network. In some instances, hackers used the IP Logger URL shortening service, signed binaries, and various second-stage payloads. To increase credibility, clicking on the link installed a legitimate copy of Microsoft Teams on the system alongside the payloads. Moreover, a paid search engine ad furthered the payload distribution by pointing to a domain under the hackers’ control for Teams software.

Recent attacks on Microsoft Teams

In the last month, hackers impersonated an automated message from Microsoft Teams to steal the recipient’s login credentials. In multiple connected phishing campaigns, attackers were seen spoofing well-known applications in an attempt to evade detection.

The lucrative education sector

Recently, cyber attackers managed to get access to the systems of Scotland’s Dundee and Angus College and demanded a ransom. The DoppelPaymer crew compromised Newcastle University students’ data in September and leaked it onto the dark web in November. In addition, a cybersecurity incident shut down the systems of Saskatchewan Polytechnic.

https://cyware.com/news/hackers-planting-fake-ads-for-microsoft-teams-updates-868675a7