QuickAssist exploitation in cyber attacks

Cybercriminals compromised a corporate network in under five minutes by combining social engineering with PowerShell scripting, according to an investigation by NCC Group’s Digital Forensics and Incident Response (DFIR) team.

QuickAssist Enables Rapid Access

The attackers impersonated internal IT support and contacted around twenty employees, convincing two of them to grant remote access through QuickAssist.exe, the legitimate Windows remote-assistance tool. Once on a workstation, they moved straight into the attack chain.

Within 300 seconds of gaining access, the attackers executed a PowerShell command that manipulated the clipboard, setting the stage for downloading malicious tooling hidden inside a JPEG file. The payload was decrypted with a four-byte XOR key to reconstruct a ZIP archive containing components of NetSupport Manager disguised as “NetHealthsoftware”.
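The decryption step described above, as an added example that is not part of the original article and not NCC Group's tooling: a small Python carver that recovers a ZIP archive XOR-encrypted with a short repeating key and appended to a JPEG decoy. It uses a known-plaintext attack, since every ZIP begins with the local-file-header signature PK\x03\x04, so at the true offset those four bytes XORed with the ciphertext yield the key directly; each candidate offset is then confirmed by parsing and CRC-checking the archive. The decoy layout, the key, the header constants and the archive contents (placeholder "NetHealth" member names, not real NetSupport binaries) are constructed here for the demonstration. It goes slightly beyond the incident in the text in that the key length is a parameter and keys of one to four bytes are recoverable from the header alone.

```python
"""Carve a repeating-key-XOR-encrypted ZIP out of a JPEG decoy.

Added example, not the article's or NCC Group's code. The decoy header,
sample key and archive members below are constructed for the demonstration.
"""
import io
import struct
import zipfile
from typing import List, NamedTuple, Optional

ZIP_LOCAL_HEADER = b"PK\x03\x04"        # signature that opens every ZIP local file header
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"       # 30-byte local file header layout
# Constructed JPEG-like prefix: SOI marker, an APP0/JFIF segment, then padding.
DECOY_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64
SAMPLE_KEY = b"\x5a\xc3\x9e\x17"         # assumed four-byte key for the sample only


class Recovered(NamedTuple):
    offset: int        # where the encrypted archive starts inside the decoy
    key: bytes         # repeating XOR key, aligned to that offset
    archive: bytes     # decrypted ZIP bytes
    names: List[str]   # member names inside the archive


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_sample_zip() -> bytes:
    """Constructed stand-in for the disguised remote-access tool archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # Placeholder contents, not a real executable or configuration.
        z.writestr("NetHealth/client32.exe", b"MZ" + b"\x90" * 64)
        z.writestr("NetHealth/client32.ini", "[Client]\nGatewayAddress=203.0.113.10\n")
    return buf.getvalue()


def build_decoy(archive: bytes, key: bytes = SAMPLE_KEY) -> bytes:
    """Mimic the dropper's container: JPEG-looking bytes, then the XOR'd ZIP."""
    return DECOY_HEADER + xor_bytes(archive, key)


def _plausible_local_header(decoded: bytes) -> bool:
    """Cheap sanity filter on a decoded local file header before the full parse."""
    if len(decoded) < struct.calcsize(LOCAL_HEADER_FMT):
        return False
    sig, version, _flags, method, *_rest, name_len, extra_len = struct.unpack(
        LOCAL_HEADER_FMT, decoded[:30])
    # version_needed 6.3 is the highest in APPNOTE; method 0 = stored, 8 = deflate.
    return (sig == ZIP_LOCAL_HEADER and version <= 63 and method in (0, 8)
            and name_len < 512 and extra_len < 4096)


def recover_embedded_zip(blob: bytes, key_len: int = 4) -> Optional[Recovered]:
    """Known-plaintext attack: at the true offset, ciphertext XOR PK\\x03\\x04
    gives the first key_len key bytes. Every candidate is confirmed by parsing
    the archive and verifying member CRCs, which rules out accidental matches."""
    if not 1 <= key_len <= len(ZIP_LOCAL_HEADER):
        raise ValueError("keys of 1..4 bytes are recoverable from the header alone")
    for offset in range(len(blob) - 29):
        key = xor_bytes(blob[offset:offset + key_len], ZIP_LOCAL_HEADER[:key_len])
        head = xor_bytes(blob[offset:offset + 30], key)
        if not _plausible_local_header(head):
            continue
        archive = xor_bytes(blob[offset:], key)
        try:
            with zipfile.ZipFile(io.BytesIO(archive)) as z:
                if z.testzip() is None:      # every member's CRC checks out
                    return Recovered(offset, key, archive, z.namelist())
        except (zipfile.BadZipFile, zipfile.LargeZipFile, struct.error,
                EOFError, ValueError):
            continue
    return None


if __name__ == "__main__":
    decoy = build_decoy(make_sample_zip())
    found = recover_embedded_zip(decoy)
    if found is None:
        print("no encrypted archive found")
    else:
        print(f"archive at offset {found.offset}, key {found.key.hex()}: {found.names}")
```

On a real sample you would read the suspicious JPEG into `blob` and write `found.archive` to disk for further analysis; the CRC check in `testzip()` is what makes the carver trustworthy, because a wrong key or offset cannot produce an archive whose every member decompresses to its recorded checksum.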