Microsoft has issued a warning about a fresh phishing campaign orchestrated by an initial access broker, leveraging Teams messages as bait to infiltrate corporate networks. The tech giant’s Threat Intelligence team has identified this threat cluster as Storm-0324, which also goes by the aliases TA543 and Sagrid.
Since July 2023, Storm-0324 has been observed using an open-source tool to disseminate phishing lures via Microsoft Teams chats, marking a shift away from traditional email-based initial infection methods.
Storm-0324 operates as a payload distributor within the cybercriminal ecosystem, offering a service that facilitates the spread of various payloads through stealthy infection pathways. This repertoire includes downloaders, banking trojans, ransomware, and modular toolkits like Nymaim, Gozi, TrickBot, IcedID, Gootkit, Dridex, Sage, GandCrab, and JSSLoader.
Historically, the threat actor behind Storm-0324 has employed decoy email messages with themes related to invoices and payments to trick users into downloading ZIP archive files hosted on SharePoint. These ZIP files contained JSSLoader, a malware loader capable of profiling infected systems and loading additional payloads.
These email chains have proven highly evasive, utilizing traffic distribution systems (TDS) such as BlackTDS and Keitaro to filter and customize user traffic. This filtering capability allows the attackers to bypass certain IP ranges, including those associated with security solutions like malware sandboxes, while successfully redirecting victims to their malicious download sites.
The foothold gained through this malware provides an opening for the ransomware-as-a-service (RaaS) actor known as Sangria Tempest (also identified as Carbon Spider, ELBRUS, and FIN7) to conduct post-exploitation activities and deploy file-encrypting malware.
As of July 2023, the phishing lures are delivered via Teams, featuring malicious links leading to a SharePoint-hosted ZIP file. This is accomplished through the use of an open-source tool named TeamsPhisher, which exploits an issue initially highlighted by JUMPSEC in June 2023.
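The delivery pattern described above and in the earlier email-based campaign (an invoice- or payment-themed message from outside the organization carrying a link to a SharePoint-hosted ZIP archive) is narrow enough to triage automatically. The following Python script is an added illustration, not code from Microsoft or from the article; the message records, field names (`external_sender`, `body`), keyword list and scoring threshold are all constructed assumptions rather than any product's schema or tuning.

```python
"""Triage Teams chat records for the Storm-0324 lure pattern:
external sender + link to a SharePoint-hosted ZIP + invoice/payment wording.
Added example; nothing here is real telemetry or a vendor API.
"""
import re
from urllib.parse import urlparse

# Constructed sample records. The field names are assumptions for this demo,
# not the schema of Teams audit data or any Microsoft Graph resource.
SAMPLE_MESSAGES = [
    {"id": "m1", "external_sender": True,
     "body": "Overdue invoice attached, please pay today: "
             "https://acme-billing.sharepoint.com/:u:/s/Docs/Invoice_0923.zip?download=1"},
    {"id": "m2", "external_sender": False,
     "body": "Q3 slides are here https://corp.sharepoint.com/sites/finance/Q3.pptx"},
    {"id": "m3", "external_sender": True,
     "body": "Hi! Do you have time for a quick call this afternoon?"},
    {"id": "m4", "external_sender": False,
     "body": "Archived logs: https://corp.sharepoint.com/sites/it/logs.zip"},
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
LURE_WORDS = ("invoice", "payment", "pay", "overdue", "remittance")  # assumed list
FLAG_THRESHOLD = 5  # assumed tuning value: external sender + ZIP link is enough


def is_sharepoint_zip_link(url: str) -> bool:
    """True when the URL points at a .zip on any sharepoint.com tenant.

    Any tenant counts, because the lure is hosted on the attacker's own
    SharePoint, not the victim's; the query string is ignored on purpose.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    return host.endswith(".sharepoint.com") and parsed.path.lower().endswith(".zip")


def score_message(msg: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one chat record."""
    score, reasons = 0, []
    body = msg.get("body", "")

    if msg.get("external_sender"):
        score += 2
        reasons.append("external tenant sender")

    zip_links = [u for u in URL_RE.findall(body) if is_sharepoint_zip_link(u)]
    if zip_links:
        score += 3
        reasons.append("SharePoint-hosted ZIP link: " + zip_links[0])

    words = [w for w in LURE_WORDS if re.search(rf"\b{w}\b", body, re.IGNORECASE)]
    if words:
        score += 1
        reasons.append("invoice/payment theme: " + ", ".join(words))

    return score, reasons


def triage(messages: list[dict], threshold: int = FLAG_THRESHOLD) -> list[dict]:
    """Return the records whose score meets the threshold, with their reasons."""
    hits = []
    for msg in messages:
        score, reasons = score_message(msg)
        if score >= threshold:
            hits.append({"id": msg["id"], "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_MESSAGES):
        print(f"{hit['id']} score={hit['score']}: " + "; ".join(hit["reasons"]))
```

With the sample data only `m1` crosses the threshold: an internal colleague sharing a ZIP (`m4`) or an external contact with no link (`m3`) scores too low on its own. The additive scoring is the point of the design: each signal alone is common in normal use, and only their combination reproduces the lure shape the campaign relies on.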
It’s worth noting that a similar technique was employed by the Russian nation-state actor APT29 (also known as Midnight Blizzard) in attacks against approximately 40 organizations worldwide in May 2023.
Microsoft has taken steps to enhance security and block this threat, suspending accounts and tenants associated with fraudulent or inauthentic behavior. The company emphasizes that identifying and mitigating Storm-0324 activity can prevent more severe follow-up attacks, such as ransomware incidents.
In a related development, Kaspersky has detailed the tactics, techniques, and procedures employed by the notorious ransomware group known as Cuba (also referred to as COLDDRAW and Tropical Scorpius). Additionally, a new alias named “V Is Vendetta” has been attributed to a sub-group or affiliate of this cybercriminal gang.
Cuba, much like RaaS operations, employs the double extortion model to target numerous global companies and generate illegal profits. Their ingress routes involve exploiting vulnerabilities like ProxyLogon, ProxyShell, ZeroLogon, and security flaws in Veeam Backup & Replication software to deploy Cobalt Strike and a custom backdoor named BUGHATCH. This backdoor is then used to deliver updated versions of BURNTCIGAR, aiming to terminate security software on the host.
The Cuba cybercrime group utilizes a wide range of publicly available and custom-made tools, constantly updating their arsenal. Their methods encompass various techniques, including some that are highly dangerous, such as bring your own vulnerable driver (BYOVD).
Ransomware attacks have surged in 2023, with the U.K. National Cyber Security Centre (NCSC) and National Crime Agency (NCA) emphasizing the complex supply chain dependencies involved. The agencies have urged organizations to prioritize cyber hygiene to mitigate the risk of opportunistic attacks.