An ongoing campaign called VEILDrive has been caught using some of Microsoft's big-name services, namely Teams, SharePoint, Quick Assist, and OneDrive, to pull off its shady moves.
This discovery was made by an Israeli cybersecurity squad, Hunters, in their latest report. They said the attackers abused these trusted services to spread phishing emails and to keep their malware's command channel hidden. This cloud-based plan meant they could slip past the usual security systems, since traffic to Microsoft services rarely raises an eyebrow.
Hunters stumbled upon this party in September 2022 while helping a critical-infrastructure company in the US, let's call it "Org C," deal with an incident. The shenanigans had actually started a month earlier.
So, what's the deal with VEILDrive? Well, it's like a digital ninja that uses a combo of Teams messages and Quick Assist to pose as the IT crew and ask for remote access to people's computers. But here's the kicker: they didn't create a new account for this, they used one they had already compromised at another organization (we'll call it Org A), so the messages arrived from a real, previously trusted identity.
They sent a SharePoint link to a ZIP file named "Client_v8.16L.zip" that came with some extra baggage: a remote-management tool called LiteManager. In the attackers' hands this tool works like a digital backdoor, letting them watch and control your computer without you noticing.
But wait, there's more! They also dropped another ZIP file named "Cliento.zip," which had some Java malware inside. That malware talks to an attacker-controlled server through OneDrive, logging in with credentials baked right into the code. If that doesn't work, no biggie, it's got a plan B: it opens a direct connection to a remote virtual machine to fetch its commands.
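The chain described above (external Teams message, Quick Assist session, SharePoint download of one of the named archives, then a remote-access or Java process starting) is exactly the kind of thing a defender can correlate in audit logs. The following is an added example written for this article, not code from Hunters' report or from Microsoft: a small correlation rule run over constructed event records. The two archive names come from the article; the process names, tenant names, users, timestamps and the two-hour window are assumptions chosen for illustration.

```python
"""Added example: correlate a VEILDrive-style sequence in constructed audit events.

Stages, in order, per user:
  1. Teams message from an external tenant
  2. Quick Assist session
  3. SharePoint download of an archive named in the report
  4. start of a remote-access or Java process
All four must occur within WINDOW of the first stage to raise an alert.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Archive names quoted in the article. Everything else below is constructed.
SUSPECT_ARCHIVES = {"Client_v8.16L.zip", "Cliento.zip"}
# Placeholder process names (assumption): replace with the binaries your
# environment actually sees for LiteManager and Java.
SUSPECT_PROCESSES = {"litemanager-server.exe", "java.exe"}
WINDOW = timedelta(hours=2)


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str    # teams_msg | quick_assist | sharepoint_download | process_start
    detail: str  # sender tenant, file name or process name


# Each stage is (event kind, predicate on the event).
STAGES = [
    ("teams_msg", lambda e: e.detail.startswith("external:")),
    ("quick_assist", lambda e: True),
    ("sharepoint_download", lambda e: e.detail in SUSPECT_ARCHIVES),
    ("process_start", lambda e: e.detail.lower() in SUSPECT_PROCESSES),
]


def detect_veildrive_chain(events, window=WINDOW):
    """Return one alert dict per user who completes all stages in order within window."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)

    alerts = []
    for user, evs in by_user.items():
        stage, start = 0, None
        for e in evs:
            if start is not None and e.ts - start > window:
                stage, start = 0, None          # chain went stale; start over
            kind, pred = STAGES[stage]
            if e.kind == kind and pred(e):
                if stage == 0:
                    start = e.ts
                stage += 1
                if stage == len(STAGES):        # all stages seen in order
                    alerts.append({"user": user, "first_seen": start, "last_seen": e.ts})
                    stage, start = 0, None
    return alerts


def sample_events():
    """Constructed events: alice shows the full chain, bob only an internal
    Teams message plus Quick Assist, carol the full chain but spread over hours."""
    t0 = datetime(2024, 1, 15, 9, 0)
    m = lambda mins: t0 + timedelta(minutes=mins)
    return [
        Event(m(0), "alice", "teams_msg", "external:org-a.example"),
        Event(m(5), "alice", "quick_assist", "session-1"),
        Event(m(20), "alice", "sharepoint_download", "Client_v8.16L.zip"),
        Event(m(40), "alice", "process_start", "litemanager-server.exe"),
        Event(m(0), "bob", "teams_msg", "internal:org-c.example"),
        Event(m(10), "bob", "quick_assist", "session-2"),
        Event(m(0), "carol", "teams_msg", "external:org-a.example"),
        Event(m(180), "carol", "quick_assist", "session-3"),
        Event(m(210), "carol", "sharepoint_download", "Cliento.zip"),
        Event(m(230), "carol", "process_start", "java.exe"),
    ]


if __name__ == "__main__":
    for alert in detect_veildrive_chain(sample_events()):
        print(f"ALERT user={alert['user']} first={alert['first_seen']} last={alert['last_seen']}")
```

The rule is deliberately strict (every stage, in order, within one window) so it fires on the complete social-engineering-to-execution chain rather than on any single legitimate Quick Assist session; in practice you would also emit lower-severity signals for partial matches, such as an external Teams message closely followed by Quick Assist.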
This isn't the first time Quick Assist has been used for no-good purposes. Back in May, Microsoft had to give a heads-up about a financially motivated crew called Storm-1811 who used it to sneak in and leave behind a nasty ransomware present called Black Basta.
And just a couple of weeks ago, the tech giant warned that some sneaky folks have been using SharePoint, OneDrive, and Dropbox to hide their tracks while doing their dirty work.
What's so unusual about this malware is that it's like the boy scout of cyber threats: it has a clear, uncomplicated design with no obfuscation, which makes it easy to spot once you look. It doesn't try to be all mysterious and hidden.
Using these popular services to hide their tracks is a slick move on the attackers' part, because it makes it much harder for the usual security systems to tell the malicious traffic from ordinary Microsoft traffic. It's like hiding in plain sight, but with a digital twist. So keep your eyes peeled and your computers safe!