Microsoft is warning of a new phishing campaign by an initial access broker that involves using Teams messages as a lure to infiltrate corporate networks.
The tech giant’s Threat Intelligence team is tracking the cluster under the name Storm-0324, also known by the nicknames TA543 and Sagrid.
“Starting in July 2023, Storm-0324 was observed distributing payloads using an open source tool to send phishing lures via Microsoft Teams chats,” the company said, adding that this development marks a shift away from email-based infection vectors for initial access.
Storm-0324 operates in the cybercriminal economy as a distributor of payloads, providing a service enabling the propagation of miscellaneous payloads using evasive infection chains. This includes a mix of downloaders, banking Trojans, ransomware and modular toolkits such as Nymaim, Gozi, TrickBot, IcedID, Gootkit, Dridex, Sage, GandCrab and JSSLoader.
Attack sequences staged by the actor in the past have used billing and payment-themed decoy emails to trick users into downloading ZIP archive files hosted on SharePoint, which in turn distribute JSSLoader, a malware loader capable of profiling infected machines and loading additional payloads.
“Actor email chains are highly evasive and use traffic distribution systems (TDS) like BlackTDS and Keitaro, which provide identification and filtering capabilities to tailor user traffic,” Microsoft said.
“This filtering capability allows attackers to evade detection by certain IP address ranges that could belong to security solutions, like malware sandboxes, while successfully redirecting victims to their malicious download site.”
The access obtained by the malware paves the way for the ransomware-as-a-service (RaaS) actor Sangria Tempest (aka Carbon Spider, ELBRUS and FIN7) to carry out post-exploitation actions and deploy file-encrypting malware.
The modus operandi was revamped in July 2023: phishing lures are now sent via Teams with malicious links leading to a malicious ZIP file hosted on SharePoint.
This is accomplished by leveraging an open source tool called TeamsPhisher, which allows Teams tenant users to attach files to messages sent to external tenants by exploiting an issue first highlighted by JUMPSEC in June 2023.
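The lure pattern described above (a message from a foreign tenant carrying a link to a SharePoint-hosted archive) lends itself to a simple triage heuristic over exported chat events. The following is an added example, not code from Microsoft or from the article; the event schema (`sender_tenant`, `home_tenant`, `body`) and the sample records are constructed assumptions, not a real Teams export format.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample events in a hypothetical, simplified schema (assumption:
# not a real Microsoft Teams or Purview export format). Hostnames are invented.
SAMPLE_EVENTS = """
{"id": "m1", "sender_tenant": "contoso.example", "home_tenant": "contoso.example", "body": "Invoice attached: https://contoso.sharepoint.example/sites/fin/Shared%20Documents/Q3.xlsx"}
{"id": "m2", "sender_tenant": "lure-tenant.example", "home_tenant": "contoso.example", "body": "Payment overdue, see https://lure-tenant.sharepoint.example/:u:/s/docs/Invoice_09_2023.zip?download=1"}
{"id": "m3", "sender_tenant": "partner.example", "home_tenant": "contoso.example", "body": "Meeting notes: https://partner.sharepoint.example/sites/x/notes.docx"}
{"id": "m4", "sender_tenant": "lure-tenant.example", "home_tenant": "contoso.example", "body": "Contract ready https://lure-tenant.sharepoint.example/sites/y/Contract.ZIP"}
"""

# Archive-style extensions commonly used to wrap loaders; extend as needed.
ARCHIVE_EXT = (".zip", ".7z", ".rar", ".iso", ".img")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_sharepoint_archive_link(url: str) -> bool:
    """True if the URL points at a SharePoint-style host and an archive file.

    The query string (e.g. ?download=1) is ignored; only the path is checked.
    """
    parsed = urlparse(url)
    host = parsed.hostname or ""
    path = parsed.path.lower()
    return ".sharepoint." in host and path.endswith(ARCHIVE_EXT)


def flag_external_archive_lures(raw_events: str) -> list[dict]:
    """Return events sent from a foreign tenant whose body links to a
    SharePoint-hosted archive. Messages from the home tenant are skipped,
    since this heuristic targets the cross-tenant lure only."""
    hits = []
    for line in raw_events.strip().splitlines():
        ev = json.loads(line)
        if ev["sender_tenant"] == ev["home_tenant"]:
            continue  # internal sender: out of scope for this check
        links = [u for u in URL_RE.findall(ev["body"]) if is_sharepoint_archive_link(u)]
        if links:
            hits.append({"id": ev["id"], "sender_tenant": ev["sender_tenant"], "links": links})
    return hits


if __name__ == "__main__":
    for hit in flag_external_archive_lures(SAMPLE_EVENTS):
        print(hit)
```

Hits from a heuristic like this are triage leads, not verdicts: legitimate partners do share archives, so the sender tenant and the file itself still need review.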
It is worth noting that a similar technique was adopted by Russian state actor APT29 (aka Midnight Blizzard) in attacks targeting approximately 40 organizations worldwide in May 2023.
The company said it has made several security improvements to block the threat and has “suspended identified accounts and tenants associated with inauthentic or fraudulent behavior.”
“Since Storm-0324 provides access to other threat actors, identifying and remediating Storm-0324 activity can prevent subsequent, more dangerous attacks like ransomware,” Microsoft further emphasized.
The disclosure comes as Kaspersky detailed the tactics, techniques and procedures of the notorious ransomware group known as Cuba (aka COLDDRAW and Tropical Scorpius), as well as identifying a new moniker, V Is Vendetta, suspected to have been used by a sub-group or subsidiary.
The group, like other RaaS operations, uses the double extortion business model to attack numerous companies around the world and generate illicit profits.
Entry routes involve exploiting ProxyLogon, ProxyShell, ZeroLogon, and security vulnerabilities in Veeam Backup & Replication software to deploy a custom backdoor dubbed BUGHATCH, which is then used to deliver Cobalt Strike and updated versions of BURNTCIGAR to terminate security software running on the host.
“The Cuba cybercriminal gang uses a vast arsenal of both publicly available and tailor-made tools, which it keeps up to date, as well as various techniques and methods, including quite dangerous methods, such as BYOVD,” Kaspersky said.
“Focusing on specific strains of ransomware can be confusing at best and unnecessary at worst,” the agencies said in a report released earlier this week. “Most ransomware incidents are not caused by sophisticated attack techniques; initial access to victims is gained opportunistically, with success usually being the result of poor IT hygiene.”