geVExMIF UV VaZ zbhcTO wwEV

Hunting ModeloRAT: How Attackers are Hijacking Teams for High-Trust Social Engineering

Cybersecurity researchers have identified a sophisticated shift in the delivery tactics used by threat actors to deploy ModeloRAT. Rather than relying solely on traditional web-based lures like malicious browser extensions or fake CAPTCHA pages, attackers are now hijacking legitimate Microsoft Teams accounts to facilitate high-trust social engineering attacks within corporate environments.

This evolution marks a transition from the “CrashFix” style browser-based operations to an in-app conversational attack vector. By impersonating internal IT support staff, attackers message employees directly through the Teams client. These messages typically claim an urgent issue requires immediate attention regarding the user’s device or account credentials, leveraging the inherent trust users place in their primary enterprise communication tool.

Technical Analysis of the Infection Chain

The attack lifecycle begins when an unsuspecting user is convinced by the “helpdesk” persona to execute a seemingly innocuous “diagnostic” PowerShell command provided in the chat window. This command serves as an obfuscated first-stage loader designed to bypass initial scrutiny.

Upon execution, the PowerShell script performs the following sequence of operations:

  • Payload Staging: The script writes a ZIP archive directly to the user’s profile within the %APPDATA% directory and proceeds to unpack it silently.
  • Environment Mimicry: The archive contains a fully portable WinPython environment, specifically nested under %APPDATA%\WPy64-31401. This mirrors previous KongTuke activity chains that utilized Dropbox-hosted archives to stage portable Python environments.
  • Stealth Execution: To avoid alerting the user, PowerShell invokes pythonw.exe from the newly extracted directory. The use of pythonw.exe (the windowless version of the Python interpreter) ensures that no command console window appears on the desktop during the infection process.

Modular Malware Architecture: Reconnaissance and C2

A significant technical departure from earlier iterations is the shift toward a modular architecture. Instead of a monolithic script, the ModeloRAT deployment now splits its workload into two specialized components:

1. The Reconnaissance Module: This component performs deep host enumeration. It gathers granular data including domain membership, active processes, running services, and complex network configurations. This data is structured into JSON format to facilitate efficient exfiltration, a behavior consistent with ModeloRAT’s previous activity on domain-joined assets.

2. The Command-and-Control (C2) Module: This module establishes outbound communication to the attacker’s infrastructure. Notably, the attackers are utilizing hard-coded IP addresses rather than domain names. This is a calculated move to evade DNS-based reputation filtering and domain blocking. The following IP addresses have been identified as active C2 endpoints:

  • 45[.]61[.]136[.]94
  • 64[.]95[.]10[.]14
  • 64[.]95[.]12[.]238
  • 64[.]95[.]13[.]76
  • 162[.]33[.]179[.]149

Evasion and Persistence Mechanisms

One of the most concerning aspects of this campaign is its efficacy against modern security stacks. During recent analysis, the ModeloRAT variant demonstrated an ability to execute without triggering alerts from several major Endpoint Detection and Response (EDR) products. Furthermore, samples showed zero hits on VirusTotal, highlighting the effectiveness of the threat actor’s multi-layer obfuscation and adaptive beaconing techniques.

Persistence strategies have also become more resilient. While the malware still utilizes the traditional HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key—often masked as a benign software entry—it now supplements this with the creation of scheduled tasks. These tasks use randomly generated names, creating a multi-pronged persistence mechanism that makes remediation more difficult for IT administrators.

Defensive Recommendations and Hunting Strategies

To mitigate the risk posed by this Teams-based delivery vector, security teams should implement the following controls:

  • Restrict External Teams Access: Tighten Microsoft Teams external access policies. Implement alerts for chat requests originating from unknown tenants, specifically those mimicking internal IT or support personas.
  • Monitor Cloud Staging: Monitor and alert on suspicious downloads from cloud storage providers like Dropbox, particularly when they result in the extraction of archives in user-writable directories.
  • Endpoint Hunting:
    • Hunt for ZIP file extraction activity within %APPDATA% that results in the creation of WPy64-31401 or similar Python directories.
    • Baseline legitimate pythonw.exe usage. Any execution of this binary from AppData\Local or AppData\Roaming should be treated as a high-fidelity indicator of compromise.
  • Registry and Task Auditing: Continuously audit Run keys and scheduled task registrations for entries pointing to Python binaries in non-standard, user-writable paths.

Related Articles

Back to top button