Hackers are targeting Windows Quick Assist remote desktop features to deploy ransomware
Remote access tools such as Windows Quick Assist continue to be a key target for threat actors, with Microsoft issuing another warning about the risk of ransomware attacks
Hackers are targeting Windows Quick Assist features as part of a campaign to conduct ransomware attacks, Microsoft has warned in a new threat intelligence report.
Since mid-April 2024, the tech giant has observed Storm-1811, a financially motivated threat actor, using social engineering tactics to trick users into granting it access to their device through Quick Assist.
Quick Assist is a remote access tool used to share access to Windows devices to troubleshoot technical issues, based on the remote desktop protocol (RDP).
Microsoft’s advisory warned the attack chain begins with an email-bombing attack, where the hackers sign up the target’s email to multiple email subscription services which flood their inbox with subscribed content.
The attackers then target the user with a voice phishing attack (vishing), in which they claim to be IT support from the affected company offering to help them fix their spam issue.
During the call, threat actors try to manipulate the victim into giving them access to their device through Quick Assist. Microsoft warned that the victim only needs to follow a few of the attacker’s instructions before the attacker can execute code on the target device.
First the threat actor gets the user to open Quick Assist with the CTRL + Windows + Q keyboard shortcut, after which they are prompted to enter a security code provided by the attacker.
The user is then shown a dialog box asking for permission to share their screen. Once this is accepted, the threat actor can request control through the Quick Assist system.
If control is granted, the attacker gets to work deploying various malware strains to escalate their privileges on the system.
The attacker runs a script to download a batch of files, including remote monitoring and management (RMM) tools as well as the Qakbot malware, which is used to deliver other malicious payloads such as Cobalt Strike.
After installing the initial tooling required for the attack, the threat actor can simply terminate the call and use the command line tool PsExec to deploy the Black Basta ransomware.
Black Basta is described as a ‘closed ransomware offering’, in contrast to frequently deployed ransomware-as-a-service (RaaS) tools, and is distributed by a small number of threat actors.
Microsoft’s report noted the link between Black Basta ransomware attacks and the use of the Qakbot remote access trojan (RAT), advising organizations to look out for evidence of the malware in order to catch an attack in its early stages, before any ransomware is deployed.
“Since Black Basta first appeared in April 2022, Black Basta attackers have deployed the ransomware after receiving access from Qakbot and other malware distributors, highlighting the need for organizations to focus on attack stages prior to ransomware deployment to reduce the threat.”
In addition to exploiting Quick Assist to gain initial access, the attack chain leverages other RMM tools such as ScreenConnect and NetSupport Manager to establish persistence and move laterally on the network, as well as maintain control over the compromised device.
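The pre-ransomware stages described above can be hunted for in process-creation telemetry. The following is an added example, not code from Microsoft's report: it flags hosts where PsExec or one of the named RMM tools starts shortly after a Quick Assist launch. The image names, the two-hour window, the host names and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Image names below are assumptions; map them to what your telemetry records.
QUICK_ASSIST = "quickassist.exe"
FOLLOW_ON = {
    "psexec.exe": "PsExec",
    "psexec64.exe": "PsExec",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "client32.exe": "NetSupport Manager",
}
WINDOW = timedelta(hours=2)  # assumed correlation window, tune per environment

# Constructed sample events: (ISO timestamp, host, process image path)
EVENTS = [
    ("2024-05-15T08:00:00", "WS-040", r"C:\Windows\System32\QuickAssist.exe"),
    ("2024-05-15T09:02:11", "WS-014", r"C:\Windows\System32\QuickAssist.exe"),
    ("2024-05-15T09:09:40", "WS-014", r"C:\Users\Public\ScreenConnect.ClientService.exe"),
    ("2024-05-15T09:31:05", "WS-014", r"C:\Windows\Temp\PsExec.exe"),
    ("2024-05-15T10:15:00", "WS-022", r"C:\Windows\System32\QuickAssist.exe"),
    ("2024-05-15T10:20:00", "WS-022", r"C:\Windows\System32\notepad.exe"),
    ("2024-05-15T11:00:00", "WS-031", r"C:\Tools\PsExec.exe"),
    ("2024-05-15T13:00:00", "WS-040", r"C:\ProgramData\client32.exe"),
]

def basename(path):
    """Lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def correlate(events, window=WINDOW):
    """Return {host: [tools]} started within `window` of a Quick Assist launch."""
    last_session = {}  # host -> time of most recent Quick Assist start
    hits = {}
    for ts, host, image in sorted(events):
        when = datetime.fromisoformat(ts)
        name = basename(image)
        if name == QUICK_ASSIST:
            last_session[host] = when
        elif name in FOLLOW_ON and host in last_session:
            if when - last_session[host] <= window:
                tools = hits.setdefault(host, [])
                if FOLLOW_ON[name] not in tools:
                    tools.append(FOLLOW_ON[name])
    return hits

if __name__ == "__main__":
    for host, tools in correlate(EVENTS).items():
        print(f"{host}: follow-on tooling after Quick Assist: {', '.join(tools)}")
```

PsExec on its own (WS-031) and a Quick Assist session with no follow-on tooling (WS-022) are not flagged; only the combination on one host inside the window is.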
Windows Quick Assist attacks are just the tip of the iceberg
The security advisory from Microsoft follows a growing trend of attackers exploiting remote desktop access software to carry out attacks.
With the advent of hybrid working models, remote access tools have become pervasive across corporate networks, and their level of access makes them useful tools for attackers if they can successfully exploit them.
In February 2024, a Trend Micro report found two high severity vulnerabilities in ConnectWise’s ScreenConnect product were being actively exploited by threat actors in the wild.
Similarly, Huntress issued a report in January 2024 on another popular remote access tool, TeamViewer, that was being used in a ransomware campaign to breach devices and deploy the Surprise ransomware.
It was unclear at the time whether the attackers were exploiting a vulnerability in the TeamViewer software to gain unauthorized access to the target devices, or whether they were able to legitimately access the system using stolen credentials.
In the case of Quick Assist, the attackers did not even need to leverage security flaws in the tool itself; they simply used it as intended, for malicious purposes.
As a result, Microsoft recommends that users consider blocking or uninstalling Quick Assist and other remote management tools if they are not being actively used in their environment.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.