Fake IT Support Calls on Microsoft Teams Deliver EtherRAT Malware

ยท
Listen to this article~6 min

Hackers are impersonating IT support on Microsoft Teams to trick employees into installing EtherRAT malware. Learn how this attack works and how to protect your organization.

Imagine you're at your desk, focused on a deadline, when a call comes in on Microsoft Teams. The caller ID shows it's from your company's IT department. They sound professional, even a bit rushed, saying they need to fix a security issue on your machine. You want to help. You want to be a good employee. So you follow their instructions. But here's the catch: that call is a lie. It's a hacker, not your IT guy. And by the time you realize it, you've just installed EtherRAT malware on your company's network. This isn't a hypothetical scenario. It's happening right now. Threat actors are abusing Microsoft Teams voice calls by impersonating corporate IT support staff. Their goal is to trick employees into installing EtherRAT, a remote access trojan that gives attackers a backdoor into corporate networks. Once inside, they can steal data, move laterally, or launch ransomware attacks. It's a sophisticated social engineering play that relies on trust and urgency. ### How the Attack Unfolds The attack starts with a simple phone call via Microsoft Teams. The attacker poses as a help desk technician and claims there's a critical security vulnerability on the employee's computer. They might say something like, "We've detected unusual activity on your account, and we need to install a patch immediately." The employee, wanting to be helpful, agrees to follow the steps. The attacker then guides the employee to download and run a file that looks legitimate but is actually the EtherRAT malware. This file could be disguised as a software update, a security tool, or even a PDF. Once executed, EtherRAT establishes a persistent connection to the attacker's command-and-control server, giving them full remote access to the compromised machine. ### Why This Attack Works This method is effective because it exploits human psychology, not technical vulnerabilities. Here are the key reasons why employees fall for it: - **Authority bias**: People tend to obey authority figures, especially in a corporate setting. When someone claims to be from IT, employees often comply without question. - **Urgency and fear**: The attacker creates a sense of urgency by saying the issue is critical and needs immediate action. This bypasses rational thinking. - **Familiar platform**: Microsoft Teams is a trusted tool used daily for legitimate communication. Seeing a call from within Teams makes it feel official. - **Lack of verification**: Most employees don't have a process for verifying IT support calls. They assume if it's on Teams, it's real. ### What Makes EtherRAT Dangerous EtherRAT is not your average malware. It's designed for stealth and persistence. Once installed, it can: - Record keystrokes and capture login credentials - Take screenshots and record audio from the microphone - Download additional malicious payloads - Disable security software to avoid detection - Spread across the network to infect other systems For businesses, a single EtherRAT infection can lead to data breaches, financial losses, and reputational damage. The average cost of a data breach in the United States is over $9 million, according to recent reports. So this is not a small threat. ### How to Protect Your Organization Preventing these attacks requires a combination of technology, training, and processes. Here are practical steps you can take: - **Implement a verification protocol**: Create a company policy that requires employees to verify IT support requests through a secondary channel, like a separate phone call or in-person visit. - **Train employees on social engineering**: Run regular phishing simulations and teach staff to recognize red flags, such as unsolicited calls asking for software installation. - **Restrict software installation**: Use group policies to prevent employees from installing software without administrator approval. - **Deploy endpoint detection and response (EDR)**: Tools like CrowdStrike or SentinelOne can detect and block EtherRAT before it executes. - **Enable multi-factor authentication (MFA)**: Even if credentials are stolen, MFA can prevent unauthorized access. > "The most secure system is only as strong as its weakest link, and often that link is the human sitting at the keyboard." โ€” A cybersecurity veteran ### Final Thoughts Social engineering attacks like this one are on the rise because they work. Hackers know that it's easier to trick a person than to break through a firewall. The key takeaway here is that no technology can fully protect you if your employees are not aware of these tactics. As a digital privacy strategist, I always tell my clients: trust but verify. If someone calls claiming to be from IT, hang up and call the IT department directly using a known number. It takes 30 seconds and could save your company millions. Stay safe out there. And remember, your IT team will never ask you to install software over the phone without a verified ticket number.