Microsoft Teams Vishing Leads To TeamViewer-Based Malware Deployment


In early 2025, a sophisticated social engineering campaign was discovered exploiting Microsoft Teams for vishing-based initial access, followed by the abuse of remote assistance tools and the deployment of stealthy malware. This campaign illustrates the evolving threat landscape where trusted communication and remote support platforms are leveraged to bypass traditional defenses.

Severity Level: High

THREAT DETAILS

Threat Actor: The tactics observed in this campaign align closely with Storm-1811, a threat actor tracked by Microsoft known for vishing, Quick Assist abuse, and social engineering-based initial access.

Attack Chain & Techniques

  1. Initial Access
    o Social engineering via Microsoft Teams: Threat actors sent a malicious PowerShell command via external Teams chat.
    o Vishing attack: Attackers called victims, impersonating IT support, and convinced them to execute the payload.
    o Remote access via Quick Assist: The attacker gained interactive access after successful social engineering.
  2. Execution & Payload Delivery
    o A malicious PowerShell script downloaded a ZIP file from a suspicious IP.
    o Extracted ZIP file contained signed TeamViewer.exe (legitimate binary).
    o DLL sideloading via TV.dll to execute malicious code stealthily.
    o AutoHotkey-based execution suggests potential script automation.
  3. Persistence & Evasion
    o Startup folder persistence using GPU_Scv_Pack.lnk.
    o Background Intelligent Transfer Service (BITS) jobs leveraged for payload retrieval and execution.
    o Process injection: PowerShell initiated PING.exe, which injected malicious code into dllhost.exe.
  4. Discovery & Lateral Movement
    o Use of WMI queries for system reconnaissance.
    o Execution of nltest.exe to map domain controllers and trust relationships.
  5. Credential Access & Exfiltration
    o Harvesting browser-stored credentials, storing them in a local SQL database for later exfiltration.
  6. Command & Control (C2)
    o TeamViewer.exe dropped a second-stage payload hcmd.zip, which extracted and executed hcmd.exe (disguised Node.js executable).
    o The Node.js-based C2 backdoor (index.js) established communication with the attacker’s infrastructure.
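The attack chain above leaves host-level artifacts that a responder can sweep for directly. The script below is an added hunting example, not code from the advisory or its sources: it checks one Windows host for the Startup-folder shortcut, the TeamViewer.exe/TV.dll sideloading pair staged under a user profile, recent BITS job creation, the PING.exe to dllhost.exe parent/child relationship, and an hcmd.exe process whose binary is really node.exe. It assumes an elevated session and that the paths and names are exactly as described in the chain; the seven-day BITS window and the Event ID 3 ("new job created") filter are the author's choices here.

```powershell
# Added hunting script (not from the advisory): sweeps a single Windows host for
# the artifacts named in the attack chain. Assumes an elevated PowerShell session.

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Startup-folder persistence: GPU_Scv_Pack.lnk in any user's Startup folder.
$startupGlob = 'C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk'
Get-ChildItem -Path $startupGlob -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ieq 'GPU_Scv_Pack.lnk' } |
    ForEach-Object { $findings.Add([pscustomobject]@{ Check = 'StartupLnk'; Detail = $_.FullName }) }

# 2. Sideloading staging: a TeamViewer.exe sitting beside a TV.dll under a user
#    profile. The legitimate product installs under Program Files, so a signed
#    copy living next to TV.dll in a user-writable path is the signal.
Get-ChildItem -Path 'C:\Users' -Recurse -Filter 'TeamViewer.exe' -ErrorAction SilentlyContinue |
    Where-Object { Test-Path (Join-Path $_.DirectoryName 'TV.dll') } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $findings.Add([pscustomobject]@{
            Check  = 'TeamViewerSideload'
            Detail = "$($_.FullName) (exe signature: $($sig.Status)) next to TV.dll"
        })
    }

# 3. BITS activity: Event ID 3 in the Bits-Client operational log is "new job created".
#    Seven-day window is an assumption; widen it to cover the suspected dwell time.
$bitsFilter = @{
    LogName   = 'Microsoft-Windows-Bits-Client/Operational'
    Id        = 3
    StartTime = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $bitsFilter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Check  = 'BitsJobCreated'
            Detail = "$($_.TimeCreated) $($_.Message -replace '\s+', ' ')"
        })
    }

# 4. Injection chain: a live dllhost.exe whose parent process is PING.EXE.
$pingPids = @(Get-CimInstance Win32_Process -Filter "Name = 'PING.EXE'" |
              Select-Object -ExpandProperty ProcessId)
Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'" |
    Where-Object { $pingPids -contains $_.ParentProcessId } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Check  = 'PingToDllhost'
            Detail = "PID $($_.ProcessId), parent PID $($_.ParentProcessId)"
        })
    }

# 5. Disguised Node.js: a process named hcmd whose PE version resource still says node.exe.
Get-Process -Name 'hcmd' -ErrorAction SilentlyContinue |
    Where-Object { $_.MainModule.FileVersionInfo.OriginalFilename -ieq 'node.exe' } |
    ForEach-Object { $findings.Add([pscustomobject]@{ Check = 'HcmdIsNode'; Detail = $_.MainModule.FileName }) }

if ($findings.Count -eq 0) {
    'No campaign artifacts found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt on a host suspected of contact with the campaign; any row in the output warrants isolating the machine and pulling the referenced file or process for analysis. The script reads state only and changes nothing, so it is safe to push through your EDR or remote-management tooling across a fleet.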

Recommendations:

  1. Conduct regular security awareness training on Microsoft Teams phishing and vishing scams.
  2. Train users to verify unexpected IT support requests before engaging with remote assistance tools.
  3. Disable Quick Assist, TeamViewer, and other remote tools unless explicitly required.
  4. Implement application control policies to prevent unauthorized installations.
  5. Enable PowerShell script logging (ModuleLogging, ScriptBlockLogging).
  6. Block execution of obfuscated or unsigned PowerShell scripts.
  7. Implement Windows Defender Attack Surface Reduction (ASR) rules to block:
    o DLL execution from user-writable directories.
    o Untrusted and unsigned processes from loading system DLLs.
  8. Monitor BITS job creation logs (Microsoft-Windows-Bits-Client/Operational).
  9. Block untrusted processes from initiating BITS downloads.
  10. Enforce MFA for all remote access (Teams, VPN, remote desktop).
  11. Block the IOCs at their respective controls.
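Several of the host-side recommendations (PowerShell logging, signed-script enforcement, ASR rules, BITS log monitoring, and removing Quick Assist) can be applied from one elevated PowerShell session. The script below is an added example, not code from the advisory or its sources. It assumes Microsoft Defender Antivirus is the active engine, that the host runs Windows 10 or later, and that the two ASR rule GUIDs chosen here (Microsoft's published IDs for "block executable files unless they meet a prevalence, age, or trusted list criterion" and "block credential stealing from LSASS") suit your environment; the advisory itself names no GUIDs, so the rule selection is illustrative.

```powershell
# Added hardening script (not from the advisory): applies the logging,
# script-control, ASR, BITS-logging and Quick Assist recommendations on one
# host. Assumes an elevated session and Microsoft Defender Antivirus as the
# active engine. ASR rule choice is illustrative, not taken from the advisory.

$ErrorActionPreference = 'Stop'

# PowerShell Script Block and Module logging (events 4104 and 4103 in
# Microsoft-Windows-PowerShell/Operational). These are the policy registry
# keys that the matching Group Policy settings write.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

# Require signed scripts. Execution policy is a guardrail, not a security
# boundary; the application-control recommendation is what actually enforces it.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# ASR rules. The prevalence/age/trusted-list rule needs cloud-delivered
# protection and can be noisy, so it starts in AuditMode: review Defender
# event ID 1122 (ASR audit) for a while before switching it to Enabled.
$asrRules = @{
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'AuditMode'   # block executables unless prevalence/age/trusted
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Enabled'     # block credential stealing from lsass.exe
}
foreach ($rule in $asrRules.GetEnumerator()) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Key `
                     -AttackSurfaceReductionRules_Actions $rule.Value
}

# Make sure the BITS client operational log is enabled so job creation is recorded.
wevtutil set-log 'Microsoft-Windows-Bits-Client/Operational' /enabled:true

# Remove the Quick Assist capability where it is not explicitly required.
Get-WindowsCapability -Online |
    Where-Object { $_.Name -like 'App.Support.QuickAssist*' -and $_.State -eq 'Installed' } |
    Remove-WindowsCapability -Online | Out-Null

# Read back the state so the change is verifiable, not assumed.
[pscustomobject]@{
    ScriptBlockLogging = (Get-ItemProperty "$psPolicy\ScriptBlockLogging").EnableScriptBlockLogging
    ModuleLogging      = (Get-ItemProperty "$psPolicy\ModuleLogging").EnableModuleLogging
    ExecutionPolicy    = Get-ExecutionPolicy -Scope LocalMachine
    AsrRuleIds         = (Get-MpPreference).AttackSurfaceReductionRules_Ids -join ','
    QuickAssistState   = (Get-WindowsCapability -Online |
                          Where-Object Name -like 'App.Support.QuickAssist*').State
}
```

In a managed estate the same settings belong in Group Policy or Intune rather than a per-host script; the registry paths and ASR GUIDs carry over unchanged, and the read-back block at the end doubles as a compliance check you can run from your management tooling.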

SOURCES:

  • https://www.virustotal.com/gui/collection/8dacd967f874c7e0eba399719d6eec301c490c3f4a4fdfced78cb46548c47cc1/iocs
  • https://www.ontinue.com/resource/blog-signed-sideloaded-compromised/


Ampcus Cyber