Fake IT support calls on Microsoft Teams push EtherRAT malware

by

Threat actors are using Microsoft Teams voice calls to pose as corporate IT support and trick employees into installing EtherRAT malware, a campaign that gives attackers initial access to company networks, according to a technical analysis from Palo Alto Networks Unit 42.

KEY FACTS

  • Lure The attack starts with an email that uses an Employee Survey theme and a malicious PDF.
  • Impersonation Victims then receive a Teams call from an external account posing as a system administrator.
  • Tools Attackers pushed HopToDesk and AnyDesk before delivering a malicious MSI installer.
  • Malware EtherRAT can run commands, move files, steal data and keep persistence.
  • Indicator Unit 42 found multiple installer versions on a distribution server, from v1 through v9.

The report says the Teams session showed an external unfamiliar label, indicating the caller was from another Microsoft 365 tenant. Audit logs showed the attacker used the [email protected][.]com account while posing as IT support.

After the victim granted remote control through Teams screen sharing, the attacker directed them to install legitimate remote-access tools and then downloaded v7.msi from camorreado[.]click. The installer acted as a loader, fetching a Node.js runtime, decrypting embedded payloads and launching EtherRAT.

EtherRAT is a cross-platform remote access trojan written in Node.js. It uses Ethereum smart contracts to locate its active command-and-control server, which can make disruption harder.

The disclosure said EtherRAT was previously used in state-sponsored attacks tied to the React2Shell vulnerability and has since been adopted by other threat actors. It also noted an open directory containing installer versions v1 through v9, which suggests the campaign is still being developed.

Microsoft has added warnings for external callers and chats in Teams, and last week introduced a policy that places suspected third-party bots into the meeting lobby until organizers approve them. The moves follow earlier helpdesk impersonation attacks that used Teams to spread backdoors and steal data.

WHY IT MATTERS

The campaign shows how a trusted business collaboration tool can be combined with phishing, voice calls and legitimate remote access software to reach corporate networks. It also highlights why security teams need controls for external contact, remote support requests and suspicious installers.