Fake Microsoft Teams IT support calls used to push EtherRAT malware

Security researchers say attackers are abusing Microsoft Teams to impersonate helpdesk personnel and convince employees to give them remote access, leading to malware installation on victim machines.A...

Security researchers say attackers are abusing Microsoft Teams to impersonate helpdesk personnel and convince employees to give them remote access, leading to malware installation on victim machines.

According to Palo Alto Networks’ Unit 42, the campaign begins with a phishing email presented as an employee survey. That message is followed by a Teams call from a person claiming to be from IT support. During the call, the target is persuaded to accept a remote-control session and install legitimate remote administration tools such as HopToDesk or AnyDesk. In the final stage, the attacker downloads an MSI package that deploys EtherRAT, a remote access trojan.

Unit 42 researcher Brian Janower said logs from one case showed a session titled “System Administrator (External unfamiliar) | Microsoft Teams,” indicating the contact came from outside the organization and had no established trust relationship. Teams audit records also showed a cross-tenant one-on-one chat was initiated from an attacker-controlled account.

EtherRAT is a Node.js-based RAT that can run on Windows, Linux and macOS. Once installed, it gives an operator broad access to a compromised system, including the ability to execute commands, move files, steal information and preserve access over time.

The malware also uses an unusual method for locating its command-and-control infrastructure. Rather than relying entirely on fixed addresses, EtherRAT retrieves an active server location from an Ethereum smart contract, with a fallback domain available if the primary approach fails.

What defenders can look for

  • Unexpected Teams chats or calls from external accounts claiming to be IT staff
  • Requests to install remote support software during a helpdesk interaction
  • Files named beginning with CtrlVirtualCursorWin_*, which Teams may create during remote control sessions
  • MSI installers appearing after a remote support request

Researchers also found what appears to be an open directory holding EtherRAT samples labeled versions 1 through 9, with some files updated as recently as June 26. That suggests the operators behind the malware are still actively maintaining it.

The campaign is part of a broader trend of threat actors using collaboration tools to gain trust and bypass normal security awareness. In this case, Microsoft Teams is not being attacked directly at the start of the intrusion; instead, it is used as the social engineering channel that opens the door.