Microsoft Revokes 200+ Fake Certificates Used in Teams Malware Attack

Microsoft has revoked over 200 fraudulent code-signing certificates used by the threat group Vanilla Tempest in a ransomware campaign involving fake Teams installers.

Microsoft Threat Intelligence identified the Vanilla Tempest campaign in late September; it used fake MS Teams set-up files to deliver a backdoor and malware.

The campaign saw attackers leverage SEO poisoning and malvertising techniques to trick users into downloading fake MSTeamsSetup.exe files that deliver the Oyster backdoor.

No comment on this issue.

Author summary: Microsoft revokes 200+ fake certificates.

Infosecurity Magazine — 2025-10-20