Friday, April 4, 2025
HomeComputer SecurityHackers Abuse Microsoft Teams Updater to Install Malware Using Living off the...

Hackers Abuse Microsoft Teams Updater to Install Malware Using Living off the Land Technique

Published on

SIEM as a Service

Follow Us on Google News

A new flaw with Microsoft Teams Updater allows attackers to install and run malware from a remote location Using Living off the Land Technique.

The issue was first disclosed last year and it relies on using the ‘update’ command to run the arbitrary binary code with the context of the current user.

Microsoft Teams Updater Flaw

The flaw discovered earlier by reverse engineer Reegun Richard in 2019, he revisited the problem this year with the solution implemented by Microsoft.

“The patch previously provided for Teams was to restrict its ability to update via a URL. Instead, the updater allows local connections via a share or local folder for product updates” – Reegun Jayapaul from Trustwave said.

He found that the patch can be easily bypassed by pointing to a remote SMB share and it can be used for lateral movement.

With the last patch of the Microsoft Teams update it allows only local network paths \server\ to access and update and blocks the “http/s”, “:”, “/” and port numbers in the updater URL.

How an Attacker can Exploit this

Attackers need to place the file inside the network in an open shared folder. Then the attackers need to access the payload from that share to the victim machine.

Attackers also can exploit the bug remotely by setting up a Samba server for remote public access, and by initiating the command execution a payload can be downloaded remotely and executed directly from Microsoft Teams Updater “Update.exe”.

Steps to create payload, requirements and technical details can be found here, Trustwave has reported the issue to Microsoft.

Microsoft said that “Thank you again for submitting this issue to Microsoft. We determined that this behavior is considered to be by design as “we cannot restrict SMB source for –update because we have customers that rely on this (e.g. folder redirection).”

Trustwave recommends SMB connections especially from the Microsoft Teams updater update.exe or filters SMB connections entirely.

A lot of businesses have transitioned to a remote workforce due to the current health crisis. To protect your business and your remote teams here are some of the best practices.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read

Hackers Hijack Microsoft Teams Accounts Using a Single Weaponized GIF Image

Beware of Fake Microsoft Teams Notifications Aimed to Steal Employees Passwords

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Beware! Weaponized Job Recruitment Emails Spreading BeaverTail and Tropidoor Malware

A concerning malware campaign was disclosed by the AhnLab Security Intelligence Center (ASEC), revealing...

EncryptHub Ransomware Uncovered Through ChatGPT Use and OPSEC Failures

EncryptHub, a rapidly evolving cybercriminal entity, has come under intense scrutiny following revelations of...

PoisonSeed Targets CRM and Bulk Email Providers in New Supply Chain Phishing Attack

A sophisticated phishing campaign, dubbed "PoisonSeed," has been identified targeting customer relationship management (CRM)...

Beware! Fake Unpaid Tolls Messages Used in Phishing Attack to Steal Login Credentials

A surge in phishing text messages claiming unpaid tolls has been linked to a...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Beware! Weaponized Job Recruitment Emails Spreading BeaverTail and Tropidoor Malware

A concerning malware campaign was disclosed by the AhnLab Security Intelligence Center (ASEC), revealing...

EncryptHub Ransomware Uncovered Through ChatGPT Use and OPSEC Failures

EncryptHub, a rapidly evolving cybercriminal entity, has come under intense scrutiny following revelations of...

PoisonSeed Targets CRM and Bulk Email Providers in New Supply Chain Phishing Attack

A sophisticated phishing campaign, dubbed "PoisonSeed," has been identified targeting customer relationship management (CRM)...