Full Report
A new attack targeting Microsoft Teams users used vishing, remote access tools and DLL sideloading to deploy a JavaScript backdoor
Analysis Summary
# Tool/Technique: DLL Sideloading via TeamViewer in Vishing Campaign
## Overview
This summary details a multi-stage attack combining **vishing** (voice phishing) over Microsoft Teams with **DLL sideloading**, as observed by Ontinue's Cyber Defence Centre (CDC). The chain's goal is initial access through the call, hands-on-keyboard control through a remote access tool, execution of a malicious DLL inside a signed host process, persistence, and deployment of a JavaScript-based command-and-control (C2) backdoor. No privilege escalation step is described: a sideloaded DLL runs with the privileges of the user who launched the host binary.
## Technical Details
- Type: Technique (DLL Sideloading, Vishing) / Attack Chain
- Platform: Windows (the chain relies on the Windows DLL loader and on Startup-folder persistence)
- Capabilities: Bypassing security controls using signed binaries, remote code execution, establishment of persistence, and C2 communication.
- First Seen: Not explicitly stated, but the current campaign was recently uncovered.
## MITRE ATT&CK Mapping
The observed steps map to the following techniques:
- **Initial Access (TA0001)**
- T1566 - Phishing
- T1566.004 - Spearphishing Voice (the Teams call is the lure; no attachment is involved, so T1566.001 does not apply)
- **Execution (TA0002)**
- T1204 - User Execution
- T1204.002 - Malicious File (the victim, coached over the call, launches the remote access tool and the staged TeamViewer binary)
- T1059.007 - JavaScript (the deployed backdoor is JavaScript-based)
- **Defense Evasion (TA0005)**
- T1574 - Hijack Execution Flow
- T1574.001 - DLL Search Order Hijacking (DLL sideloading; ATT&CK versions before v17 listed side-loading separately as T1574.002, since merged into T1574.001)
- **Persistence (TA0003)**
- T1547 - Boot or Logon Autostart Execution
- T1547.001 - Registry Run Keys / Startup Folder (LNK file placed in the Startup folder)
- **Command and Control (TA0011)**
- T1071 - Application Layer Protocol (the JavaScript backdoor's C2 channel; the protocol used is not stated)
- T1219 - Remote Access Software (Quick Assist and TeamViewer give the operator interactive access to the host)
## Functionality
### Core Capabilities
- **Initial Lure:** Using Vishing (voice phishing) via Microsoft Teams to manipulate the victim.
- **Trusted Process Abuse:** Executing a legitimate, signed binary (`TeamViewer.exe`) to load a malicious DLL.
- **Backdoor Deployment:** Loading a malicious DLL (reported as `TV.dll`) into the trusted process, so the payload executes under TeamViewer's signed image rather than as a stand-alone executable.
- **Persistence Mechanism:** Creating an LNK file in the Startup folder so the chain re-executes at each logon.
- **Remote Control:** Establishing C2 communication via a JavaScript-based backdoor.
### Advanced Features
- **Security Bypass:** The host executable is legitimately signed; only the DLL is malicious. Controls that gate on the host's signature, publisher or path (application allow-lists without DLL rules, reputation checks on the launched executable) see a trusted TeamViewer process and let it run, so the payload inherits that trust.
- **Tool Chain Integration:** Combining social engineering (vishing) with an execution-flow hijack (DLL sideloading) and common remote access tools (Quick Assist, TeamViewer), none of which is malicious on its own, so each stage looks like routine support activity.
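To make the search-order point concrete, here is an added model (not code from the report or from TeamViewer) of what the Windows loader does when a module is requested by bare name with SafeDllSearchMode on, which is the default. The install directory, the staging directory, the file layout and the KnownDLLs subset are constructed for the example; the point it shows is that the host's own directory is probed first, so a copy of the signed binary placed next to a planted `TV.dll` loads the planted file, while libraries on the KnownDLLs list cannot be hijacked this way.

```python
"""Model of the Windows DLL search order with SafeDllSearchMode enabled.
Added for this summary to show why a DLL planted beside a copied, signed
host binary is loaded before the legitimate copy; it is not TeamViewer's
loader code. All directory names and the file layout are constructed."""

SYSTEM_ROOT = r"C:\Windows"
SYSTEM32 = SYSTEM_ROOT + r"\System32"

# Constructed layout: legitimate install plus an attacker staging directory
# holding a copied TeamViewer.exe and a malicious TV.dll next to it.
LEGIT_DIR = r"C:\Program Files\TeamViewer"
STAGING_DIR = r"C:\Users\victim\AppData\Local\Temp\TV"
FILESYSTEM = {
    LEGIT_DIR + r"\TeamViewer.exe",
    LEGIT_DIR + r"\TV.dll",
    STAGING_DIR + r"\TeamViewer.exe",
    STAGING_DIR + r"\TV.dll",        # planted payload
    STAGING_DIR + r"\kernel32.dll",  # planted too, but a KnownDLL
    SYSTEM32 + r"\kernel32.dll",
}
# Subset of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs;
# these are always mapped from System32 regardless of the host's directory.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll"}


def search_order(app_dir, cwd, path_dirs=()):
    """Directories probed, in order, for a module loaded by bare name."""
    return [app_dir, SYSTEM32, SYSTEM_ROOT + r"\System", SYSTEM_ROOT, cwd, *path_dirs]


def resolve_dll(name, app_dir, cwd, path_dirs=(), filesystem=FILESYSTEM,
                known_dlls=KNOWN_DLLS):
    """Return the full path the loader would pick for `name`, or None."""
    if name.lower() in known_dlls:
        return SYSTEM32 + "\\" + name
    present = {p.lower() for p in filesystem}
    for directory in search_order(app_dir, cwd, path_dirs):
        candidate = directory + "\\" + name
        if candidate.lower() in present:
            return candidate
    return None


def sideloaded(name, app_dir, cwd, path_dirs=()):
    """True when the loader picks a copy from outside the trusted install
    directory and the Windows directory tree, i.e. a planted library."""
    chosen = resolve_dll(name, app_dir, cwd, path_dirs)
    if chosen is None:
        return False
    low = chosen.lower()
    return not (low.startswith(LEGIT_DIR.lower()) or low.startswith(SYSTEM_ROOT.lower()))


if __name__ == "__main__":
    # Host copied to the staging directory: the planted TV.dll wins (slot 1).
    print(resolve_dll("TV.dll", STAGING_DIR, STAGING_DIR))
    # KnownDLL: the planted kernel32.dll is never considered.
    print(resolve_dll("kernel32.dll", STAGING_DIR, STAGING_DIR))
    # Same binary run from its real install directory: legitimate TV.dll.
    print(resolve_dll("TV.dll", LEGIT_DIR, STAGING_DIR))
```

The model deliberately ignores manifest-based redirection, `LoadLibrary` calls with absolute paths and `SetDefaultDllDirectories`, which are the loader-side mitigations a vendor can use; the chain described here works precisely because the host resolves the library by name and the attacker controls the host's directory.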
## Indicators of Compromise
*Note: The article abstract publishes no atomic indicators (hashes, domains, IPs). The entries below are derived from the described behaviour and should be treated as hunting leads, not as a blocklist.*
- File Hashes: [N/A - not provided]
- File Names: `TV.dll` (malicious payload, loaded by a copy of `TeamViewer.exe` from a non-install directory); an LNK file in a Startup folder pointing at that copy.
- Registry Keys: [N/A - persistence uses the Startup folder, not a Run key]
- Network Indicators: [N/A - the backdoor uses a JavaScript-based C2 channel, but no domains, IPs or URLs were provided]
- Behavioral Indicators: A signed binary (`TeamViewer.exe`) running from a user-writable location and loading an unsigned or unexpected DLL (`TV.dll`) from the same location, followed shortly by creation of an LNK file in a Startup folder; a Quick Assist or TeamViewer session initiated right after an unexpected Teams call.
## Associated Threat Actors
- **Storm-1811:** Threat researchers noted similarities between this attack pattern (vishing, Quick Assist abuse) and previous campaigns attributed to this emerging threat group. Attribution is currently unconfirmed for this specific instance.
## Detection Methods
- Signature-based detection: Hash or AV signatures for the malicious `TV.dll` payload, if a sample is available. The LNK file is only a persistence pointer and is likely to differ per victim, so hash it for case scoping rather than relying on it as a signature.
- Behavioral detection: Monitoring signed binaries (`TeamViewer.exe`) loading unsigned or newly created DLLs from user-writable paths such as `%TEMP%`, `%APPDATA%` or `%PUBLIC%` (DLL sideloading detection); monitoring creation of LNK files in the per-user and all-users Startup folders; correlating the two on the same host within a short window, since the report describes the load preceding persistence.
- YARA rules: Rules targeting known markers within the malicious DLL or the script used for C2 callback.
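The two behaviours above can be written as rules over image-load and file-create telemetry. The following is an added example for this summary, not Ontinue's detection content: it runs over a constructed Sysmon-style event list (Event ID 7 ImageLoad, Event ID 11 FileCreate), flags a watch-listed signed host loading an unsigned DLL from a user-writable path, flags LNK creation in a Startup folder, and raises severity when both hit the same host within a short window. Host names, paths, timestamps and the signer string are made up; `SIDELOAD_HOSTS` is an assumed watch-list seeded with the one host named in the report.

```python
"""Added detection example (not Ontinue's content). Field names follow
Sysmon Event ID 7 (ImageLoad) and Event ID 11 (FileCreate); every event,
host name, path, timestamp and signer below is constructed."""
from datetime import datetime, timedelta
import re

# Assumed watch-list of signed host binaries known to be sideloading targets;
# seeded with the one host named in the report, extend as needed.
SIDELOAD_HOSTS = {"teamviewer.exe"}

# Locations a standard user can write to; a DLL loaded from here by a
# vendor-signed host is suspicious regardless of its file name.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\|programdata\\|windows\\temp\\|windows\\tasks\\)", re.I)
# Per-user and all-users Startup folders (T1547.001).
STARTUP_LNK = re.compile(
    r"\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)

# Constructed event stream: one benign load from the real install, one
# sideload from %TEMP%, the Startup LNK that follows it, and a benign LNK.
EVENTS = [
    {"EventID": 7, "UtcTime": "2024-06-03 09:14:02", "Computer": "WS01",
     "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "ImageLoaded": r"C:\Program Files\TeamViewer\TV.dll",
     "Signed": "true", "Signature": "TeamViewer Germany GmbH",
     "SignatureStatus": "Valid"},
    {"EventID": 7, "UtcTime": "2024-06-03 09:31:45", "Computer": "WS07",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\TV\TeamViewer.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\TV\TV.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 11, "UtcTime": "2024-06-03 09:32:10", "Computer": "WS07",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\TV\TeamViewer.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\TeamViewer.lnk"},
    {"EventID": 11, "UtcTime": "2024-06-03 10:02:00", "Computer": "WS03",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\asmith\Desktop\Report.lnk"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def sideload_alerts(events):
    """Watch-listed signed host loading an unsigned or invalidly signed DLL
    from a user-writable path."""
    alerts = []
    for e in events:
        if e["EventID"] != 7:
            continue
        host = e["Image"].rsplit("\\", 1)[-1].lower()
        dll = e["ImageLoaded"]
        signed_ok = (e.get("Signed", "").lower() == "true"
                     and e.get("SignatureStatus") == "Valid")
        if host in SIDELOAD_HOSTS and not signed_ok and USER_WRITABLE.match(dll):
            alerts.append({"rule": "signed_host_unsigned_dll",
                           "Computer": e["Computer"], "UtcTime": e["UtcTime"],
                           "host": e["Image"], "dll": dll})
    return alerts


def startup_lnk_alerts(events):
    """Any process writing a .lnk into a Startup folder."""
    alerts = []
    for e in events:
        if e["EventID"] == 11 and STARTUP_LNK.search(e["TargetFilename"]):
            alerts.append({"rule": "startup_folder_lnk",
                           "Computer": e["Computer"], "UtcTime": e["UtcTime"],
                           "writer": e["Image"], "lnk": e["TargetFilename"]})
    return alerts


def correlate(events, window=timedelta(minutes=10)):
    """Escalate when a sideload is followed on the same host by Startup
    persistence inside `window`, the ordering the report describes."""
    hits = []
    for a in sideload_alerts(events):
        for b in startup_lnk_alerts(events):
            gap = _ts(b["UtcTime"]) - _ts(a["UtcTime"])
            if a["Computer"] == b["Computer"] and timedelta(0) <= gap <= window:
                hits.append({"severity": "high", "Computer": a["Computer"],
                             "dll": a["dll"], "lnk": b["lnk"],
                             "gap_s": gap.total_seconds()})
    return hits


if __name__ == "__main__":
    for hit in correlate(EVENTS):
        print(hit)
```

The Startup-folder rule is intentionally broad (any writer, any `.lnk`) because installers and users create shortcuts there legitimately; on its own it is a low-severity signal, and the value comes from the correlation with the sideload, which is why the escalation keys on the same host and a short gap rather than on either event alone.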
## Mitigation Strategies
- Prevention measures: Application control (WDAC or AppLocker) with DLL rules, so that an unsigned library is blocked even when the executable loading it is signed and allow-listed; restricting remote access tools to the one product the organisation supports and blocking the rest; restricting external access in Microsoft Teams so that users cannot be called or messaged by unknown tenants, which removes the lure's delivery channel.
- Hardening recommendations: Regularly auditing the per-user and all-users Startup folders for unexpected LNK files, and treating any shortcut that points into `%TEMP%` or `%APPDATA%` as suspect. Removing or blocking Quick Assist where it is not required by policy; it ships as an optional Windows capability, so it can be uninstalled or denied by application control. Training help-desk and end users that support staff will not initiate unsolicited Teams calls asking them to launch remote assistance tools.
## Related Tools/Techniques
- **Vishing:** The initial social engineering vector.
- **Quick Assist:** The built-in Windows remote-support tool the victim is talked into launching during the call, giving the attacker an interactive session in which TeamViewer and the malicious DLL are staged. Its abuse in this way is also a hallmark of earlier Storm-1811 activity.
- **TeamViewer.exe:** The legitimate, signed binary used as the sideloading host.
- **DLL Sideloading (T1574.001):** The core technical execution technique.