Fake Microsoft Teams IT Support Calls Push EtherRAT Malware


Microsoft Teams EtherRAT Malware
Image credit: Microsoft

Threat actors are abusing Microsoft Teams voice calls to impersonate corporate IT support and trick employees into giving them remote access to company devices.

Palo Alto Networks’ Unit 42 reported the campaign, which combines phishing emails, Teams calls, legitimate remote access tools, and a Node.js-based malware loader. The final payload is EtherRAT, a cross-platform remote access trojan that can give attackers control over compromised systems.

The Attack Starts With an Employee Survey Phishing Email

The campaign begins with a phishing email that uses an Employee Survey theme.

The email includes a malicious PDF attachment. After the victim opens the document, the attackers follow up with a Microsoft Teams voice call from an external account.

The caller pretends to be a System Administrator and tries to convince the employee that they need technical support.

Attackers Abuse Microsoft Teams Screen Sharing

The Teams call displays the “External unfamiliar” label, which means the caller comes from outside the victim’s Microsoft 365 tenant.

Even with that warning visible, the attacker tries to build trust and convince the victim to grant remote control through Teams’ built-in screen-sharing feature.

Once the victim allows access, the attacker can interact with the system directly.

HopToDesk and AnyDesk Help Attackers Keep Access

After gaining control through Teams, the attacker guides the victim into installing legitimate remote access tools.

Unit 42 said the campaign used HopToDesk and AnyDesk. These tools have legitimate business uses, but attackers often abuse them because they provide hands-on control without immediately looking like malware.

This step helps the attacker maintain access even after the initial Teams session ends.

EtherRAT Is Delivered Through a Malicious MSI Installer

The attacker then downloads and runs a malicious MSI installer on the victim’s system.

That installer works as a malware loader and eventually launches EtherRAT. EtherRAT is a Node.js-based remote access trojan designed to work across platforms.

Once active, it can allow attackers to execute commands, manipulate files, steal data, and maintain persistence on compromised machines.

EtherRAT Uses Ethereum Smart Contracts for Command and Control

EtherRAT uses Ethereum smart contracts to retrieve its active command-and-control server.

This technique makes the malware harder to disrupt because defenders cannot simply take down one obvious server and stop the operation. The malware can look up updated infrastructure through the blockchain-based mechanism.

Unit 42 also found multiple versions of the malware installer, which suggests the campaign remains under active development.

Microsoft Teams Attacks Continue to Evolve

The campaign shows how attackers are shifting from basic phishing links to more interactive social engineering.

By using Microsoft Teams voice calls, external accounts, screen sharing, and trusted remote access tools, attackers can make the intrusion look like a normal IT support session.

Microsoft is already working on features that warn users about brand impersonation, but this campaign shows that employee awareness still matters. Users should treat unexpected external Teams calls with caution, especially when the caller requests screen control or asks them to install remote access tools.

In other security news, threat actors are also abusing OAuth flows in phishing attacks, while researchers have discovered an ARToken phishing platform.

Via BleepingComputer

More about the topics: malware, microsoft, Microsoft Teams

Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more

User forum

0 messages