Microsoft Teams continues to grow in popularity and has become one of the trusted means of remote communication. As its popularity has grown with businesses, so too has it grown with hackers. Hackers continue to target Teams more often and use it as a starting point for phishing and malware attacks. As seen by Avanan, this iteration of the attack involves attackers attaching .exe files to Teams chats. The name of the file is currently “UserCentric.exe,” but that can easily be changed to another generic and innocuous-sounding label. Once downloaded and run, the executable writes data to the Windows registry, installs DLL files, and creates shortcut links that allow the program to self-administer. In effect, it allows attackers to take control of the victim’s computer.
As stated in the Avanan report, hackers are attaching .exe files to Teams chats to install a Trojan on the end-user’s computer. The Trojan is then used to install malware.
- Vector: Microsoft Teams
- Type: Malicious Trojan File
- Techniques: .exe files
- Target: Any end-user
Many factors make this type of attack possible. The malware apparently has virtualization/sandbox evasion capabilities. Scanning for malicious links and files is limited in Microsoft Teams, and many third-party security solutions offer weak Teams-specific protection.
Best Practices and Recommendations:
- Reach out to OIT when presented with an unfamiliar file or web link.
- Do not download or install any .exe file received in a Teams chat.
- Request that any third-party support application be made available by website instead.
If there are any concerns, questions, or problems, please contact the Help Desk at 215-854-7067 or by email at [email protected]