Better Security, Together

A sophisticated cybersecurity threat has emerged, combining social engineering via Microsoft Teams with a previously undocumented persistence technique. This attack campaign targets executives and high-privilege employees in various sectors, potentially leading to ransomware deployment. The attack represents a significant evolution in threat tactics, introducing the first observed case of TypeLib COM hijacking in the wild, making it particularly dangerous due to its ability to evade detection.

The attack begins with precisely timed phishing messages sent through Microsoft Teams, masquerading as IT support personnel. These messages specifically target executives during the post-lunch period when vigilance may be lower. After establishing trust, attackers leverage Windows Quick Assist to gain remote access, blending into legitimate IT workflows. The novel aspect of this attack is the TypeLib hijacking technique that modifies registry entries to download and execute malware whenever certain COM objects are accessed by Windows processes. The payload consists of heavily obfuscated JScript and PowerShell code that creates a unique beaconing URL based on the victim’s hard drive serial number, establishes command and control communication, and reports success to a Telegram bot. Evidence suggests the attackers may be Russian-speaking, with possible connections to groups known for distributing ransomware, though the specific attribution remains uncertain.

A complex phishing campaign demonstrates how attackers are using increasingly sophisticated methods to deliver malware. The campaign utilizes a multi-layered attack chain to distribute well-known malware including Agent Tesla, Remcos RAT, and XLoader. By combining various scripting languages, execution paths, and deceptive social engineering tactics, the attackers effectively evade detection systems and traditional security measures

The attack begins with phishing emails disguised as payment confirmations or order requests that contain malicious attachments. These attachments typically include a .7z file with a JavaScript Encoded (.jse) file designed to look like a legitimate document. When executed, this initial script downloads and launches a PowerShell script containing a Base64-encoded payload. From there, the infection chain branches into two possible paths: one using .NET-compiled executables that inject payloads into RegAsm.exe, and another using AutoIt-compiled droppers that inject shellcode into RegSvcs.exe. Both paths ultimately lead to the execution of information-stealing malware capable of harvesting credentials, clipboard data, and keystrokes. The campaign’s success relies not on heavy obfuscation but on its multi-layered approach, which helps it avoid detection by signature-based tools and traditional sandboxes.