Threat actors impersonate IT staff on Microsoft Teams, tricking victims into launching Windows Quick Assist, a legitimate remote assistance tool. This grants the attacker remote access within minutes, leading to redirection to a malicious webpage deploying “updater.exe,” a trojanized .NET Core executable. This program contains a loader that communicates with a command-and-control server to retrieve encryption keys and an encrypted payload. The loader decrypts the payload using a dual-layer AES-CBC and XOR method before exploiting .NET reflection to load the final assembly directly into memory. This fileless execution technique avoids detection by traditional disk-based security systems.
The infection sequence begins via a social engineering vector in which threat actors impersonate senior IT staff by spoofing display names in Microsoft Teams call notifications. Victims receive unexpected calls from what appears to be legitimate internal IT support personnel. The attacker leverages a carefully crafted social engineering narrative to convince the victim to launch Windows Quick Assist, a legitimate remote assistance tool built into Windows operating systems.
Once the victim launches Quick Assist, the attacker gains remote access under the guise of providing technical support. Within approximately 10 minutes of establishing this foothold, the user is redirected to a malicious webpage hosted at ciscocyber[.]com/verify.php. This stage represents a critical pivot point where the attacker transitions from social engineering to technical exploitation.
The redirection leads to the deployment of “updater.exe,” a trojanized executable disguised as a legitimate Windows system updater. The executable is constructed as a .NET Core 8.0 wrapper containing an embedded loader component designed to execute without traditional disk-based persistence. The loader.dll component orchestrates the multi-stage payload delivery mechanism. Upon execution, it establishes communication with the command-and-control infrastructure hosted at jysync[.]info to retrieve encryption keys. The loader then retrieves an encrypted payload from the same infrastructure and decrypts it using AES-CBC encryption combined with XOR obfuscation, a dual-layering technique that provides an additional barrier against static analysis.
The final stage of the attack chain exploits .NET reflection capabilities to load the decrypted assembly directly into the running process memory without writing to disk. This fileless execution methodology represents a significant evasion technique, as traditional endpoint detection systems that rely on file monitoring and disk-based indicators of compromise will not capture this activity. The malware operates entirely within memory, executing arbitrary code with the privileges of the user who launched the initial Quick Assist session.
This campaign demonstrates a convergence of multiple attack vectors: social engineering, abuse of legitimate administration tools, and advanced fileless execution techniques. The use of commonly trusted applications like Microsoft Teams and Quick Assist significantly lowers user suspicion and bypasses many network-level security controls. Organizations should implement email and communication monitoring systems to detect impersonation attempts, enforce strict remote assistance policies, and educate users on verifying the identity of IT support personnel before granting system access. Endpoint detection and response solutions capable of monitoring .NET runtime activity and process memory injection patterns are essential for detecting this type of fileless malware execution in network environments.
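To illustrate the kind of endpoint correlation the paragraph above calls for, here is an added example (not from the report or from any vendor product) that flags a Quick Assist launch followed within a short window by a binary started from a user-writable path that then performs its own DNS lookup, run over constructed Sysmon-style events. Only the file name and the two domains come from the report; the hosts, PIDs, timestamps and the 15-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry in a simplified Sysmon-like shape. Only the
# file name and the two domains come from the report; hosts, PIDs and times
# are made up for illustration.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:00:00", "host": "WS01", "type": "process_create",
     "pid": 4100, "image": r"C:\Windows\System32\quickassist.exe"},
    {"ts": "2025-01-10T09:09:30", "host": "WS01", "type": "dns_query",
     "pid": 5200, "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "query": "ciscocyber.com"},
    {"ts": "2025-01-10T09:10:05", "host": "WS01", "type": "process_create",
     "pid": 6100, "image": r"C:\Users\alice\Downloads\updater.exe"},
    {"ts": "2025-01-10T09:10:20", "host": "WS01", "type": "dns_query",
     "pid": 6100, "image": r"C:\Users\alice\Downloads\updater.exe",
     "query": "jysync.info"},
    # Benign session on another host: Quick Assist launched, nothing follows.
    {"ts": "2025-01-10T11:00:00", "host": "WS02", "type": "process_create",
     "pid": 700, "image": r"C:\Windows\System32\quickassist.exe"},
]

# Path fragments that indicate a binary started from a user-writable location.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\")


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_quick_assist_chain(events, window_minutes=15):
    """Return one finding per Quick Assist session that is followed, within
    the window, by a process started from a user-writable path that then
    makes its own DNS lookup (the updater.exe -> C2 key-fetch pattern)."""
    findings, ordered = [], sorted(events, key=_ts)
    for i, e in enumerate(ordered):
        if e["type"] != "process_create" or not e["image"].lower().endswith("quickassist.exe"):
            continue
        deadline = _ts(e) + timedelta(minutes=window_minutes)
        later = [x for x in ordered[i + 1:] if x["host"] == e["host"] and _ts(x) <= deadline]
        for drop in (x for x in later if x["type"] == "process_create"):
            if not any(frag in drop["image"].lower() for frag in USER_WRITABLE):
                continue
            # Lookups made by the dropped binary itself, after it started.
            lookups = [x["query"] for x in later if x["type"] == "dns_query"
                       and x["pid"] == drop["pid"] and _ts(x) >= _ts(drop)]
            if lookups:
                findings.append({"host": e["host"], "session_start": e["ts"],
                                 "dropped_image": drop["image"], "contacted": lookups})
    return findings


if __name__ == "__main__":
    for finding in detect_quick_assist_chain(SAMPLE_EVENTS):
        print(finding)
```

In production the same correlation would be fed from Sysmon event IDs 1 (process create) and 22 (DNS query) rather than an inline list, and the domain list would be checked against an allowlist before alerting.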
Source: Vishing Scheme Abuses Microsoft Teams And QuickAssist To Deliver Dotnet Malware