New Phishing Attack Combines Vishing and DLL Sideloading Techniques

A new sophisticated phishing attack leveraging vishing, remote access tools and DLL sideloading has been uncovered by threat analysts.
The attack, observed by Ontinue’s Cyber Defence Centre (CDC) and discussed in an advisory published today, exploited Microsoft Teams and Quick Assist to gain initial access, ultimately deploying a JavaScript-based command-and-control (C2) backdoor.
Multi-Stage Attack Breakdown
The attack begins with a vishing scheme conducted through Teams, creating an opportunity for a signed binary to bypass security measures.
“The attacker sideloaded a malicious DLL that dynamically commandeered a trusted process, transforming routine remote support into a covert entry point,” explained Jason Soroko, senior fellow at Sectigo.
Once inside, the attackers executed a signed TeamViewer.exe file to sideload a malicious DLL, TV.dll. This allowed them to establish persistence by generating an LNK file in the Startup folder and to execute commands remotely via a JavaScript-based backdoor.
Threat researchers at Ontinue noted similarities between this attack and previous campaigns attributed to Storm-1811, a group known for using vishing and Quick Assist to infiltrate networks.
Though attribution remains unconfirmed, tactics such as abusing signed binaries, DLL sideloading and leveraging Background Intelligent Transfer Service (BITS) jobs for persistence align with known Storm-1811 methodologies.
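The sideload-plus-persistence chain described above can be hunted for in endpoint telemetry. The following is an added example, not code from Ontinue's advisory or this article: it runs detection logic over constructed events shaped like Sysmon ImageLoad (ID 7) and FileCreate (ID 11) records. The trusted install directories, the 10-minute correlation window and all sample hosts and paths are assumptions.

```python
import ntpath
from datetime import datetime, timedelta

# Assumption: directories where a legitimate TeamViewer install is expected.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
STARTUP = "\\start menu\\programs\\startup\\"

# Constructed sample events, shaped like Sysmon ImageLoad (7) / FileCreate (11).
EVENTS = [
    {"host": "ws-01", "time": "2025-01-01T09:00:00", "id": 7, "Signed": True,
     "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"host": "ws-02", "time": "2025-01-01T10:00:00", "id": 7, "Signed": False,
     "Image": r"C:\Users\alice\AppData\Local\Temp\tv\TeamViewer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\tv\TV.dll"},
    {"host": "ws-02", "time": "2025-01-01T10:02:00", "id": 11,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\helper.lnk"},
    {"host": "ws-03", "time": "2025-01-01T11:00:00", "id": 11,
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\chat.lnk"},
]

def is_sideload(ev):
    """TeamViewer.exe loading TV.dll while unsigned or outside trusted dirs."""
    if ev["id"] != 7:
        return False
    image, dll = ev["Image"].lower(), ev["ImageLoaded"].lower()
    if ntpath.basename(image) != "teamviewer.exe" or ntpath.basename(dll) != "tv.dll":
        return False
    return not ev["Signed"] or not image.startswith(TRUSTED_DIRS)

def is_startup_lnk(ev):
    target = ev.get("TargetFilename", "").lower()
    return ev["id"] == 11 and STARTUP in target and target.endswith(".lnk")

def detect(events, window=timedelta(minutes=10)):
    """Report sideloads, plus Startup LNKs written on the same host soon after."""
    findings, last_sideload = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if is_sideload(ev):
            last_sideload[ev["host"]] = ts
            findings.append((ev["host"], "dll_sideload", ev["ImageLoaded"]))
        elif is_startup_lnk(ev) and ev["host"] in last_sideload:
            if ts - last_sideload[ev["host"]] <= window:
                findings.append((ev["host"], "startup_lnk", ev["TargetFilename"]))
    return findings

if __name__ == "__main__": print(detect(EVENTS))
```

A Startup shortcut on its own is a low-signal event, so the example reports it only when it follows a sideload on the same host inside the window.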
The Role of AI in Phishing Attacks
J Stephen Kowski, field CTO at SlashNext, highlighted the evolving nature of social engineering attacks.
“The latest Ontinue research on multi-stage attacks using vishing and Microsoft Teams demonstrates how threat actors are getting more creative with AI-powered voice cloning to trick users,” Kowski said.
“Real-time scanning across all communication channels, not just email, is essential since these attacks often start with social engineering before deploying malicious tools, such as sideloaded DLLs.”
Nicole Carignan, senior vice president at Darktrace, echoed Kowski’s views, highlighting the limitations of traditional security measures.
“Despite increased focus on email security, organizations and their employees continue to be plagued by successful phishing and vishing attempts,” Carignan noted.
“As the sophistication of phishing and vishing attacks continues to grow, organizations cannot rely on employees to be the last line of defense against these attacks.”
Defensive Measures Against Social Engineering
Security experts recommend a multi-layered approach to counter these threats.
Key defensive measures include:
- AI-powered tools for real-time environment visibility and alerting
- Monitoring messaging platforms for anomalous activities
- Securing remote access tools against unauthorized use
- Integrating machine-driven response systems for rapid mitigation
“Organizations must leverage AI-powered tools that can provide granular real-time environment visibility and alerting to augment security teams,” Carignan explained.
“Where appropriate, organizations should get ahead of new threats by integrating machine-driven response, either in autonomous or human-in-the-loop modes, to accelerate security team response.”
Image credit: DANIEL CONSTANTE / Shutterstock.com