Microsoft is warning of a new phishing campaign undertaken by an initial access broker that involves using Teams messages as lures to infiltrate corporate networks.
The tech giant’s Threat Intelligence team is tracking the cluster under the name Storm-0324, which is also known by the monikers TA543 and Sagrid.
“Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool to send phishing lures through Microsoft Teams chats,” the company said, adding the development marks a shift from using email-based initial infection vectors for initial access.
Storm-0324 operates in the cybercriminal economy as a payload distributor, offering a service that allows for the propagation of various payloads using evasive infection chains. This includes a mix of downloaders, banking trojans, ransomware, and modular toolkits such as Nymaim, Gozi, TrickBot, IcedID, Gootkit, Dridex, Sage, GandCrab, and JSSLoader.
Attack sequences mounted by the actor in the past have employed invoice- and payment-themed decoy email messages to trick users into downloading SharePoint-hosted ZIP archive files distributing JSSLoader, a malware loader capable of profiling infected machines and loading additional payloads.
“The actor’s email chains are highly evasive, making use of traffic distribution systems (TDS) like BlackTDS and Keitaro, which provide identification and filtering capabilities to tailor user traffic,” Microsoft said.
“This filtering capability allows attackers to evade detection by certain IP ranges that might be security solutions, like malware sandboxes, while also successfully redirecting victims to their malicious download site.”
The access afforded by the malware paves the way for the ransomware-as-a-service (RaaS) actor Sangria Tempest (aka Carbon Spider, ELBRUS, and FIN7) to conduct post-exploitation actions and deploy file-encrypting malware.
The modus operandi has since received a facelift as of July 2023 wherein the phishing lures are sent over Teams with malicious links leading to a malicious ZIP file hosted on SharePoint.
This is accomplished by leveraging an open-source tool called TeamsPhisher, which enables Teams tenant users to attach files to messages sent to external tenants by exploiting an issue that was first highlighted by JUMPSEC in June 2023.
It’s worth noting that a similar technique was adopted by the Russian nation-state actor APT29 (aka Midnight Blizzard) in attacks targeting about 40 organizations globally in May 2023.
The company said it has made several security enhancements to block the threat and that it “suspended identified accounts and tenants associated with inauthentic or fraudulent behavior.”
“Because Storm-0324 hands off access to other threat actors, identifying and remediating Storm-0324 activity can prevent more dangerous follow-on attacks like ransomware,” Microsoft further pointed out.
The disclosure comes as Kaspersky detailed the tactics, techniques and procedures of the notorious ransomware group known as Cuba (aka COLDDRAW and Tropical Scorpius), alongside identifying a new moniker named V Is Vendetta that’s suspected to have been used by a sub-group or affiliate.
The group, like RaaS schemes, employs the double extortion business model to attack numerous companies around the world and generate illicit profits.
Way Too Vulnerable: Uncovering the State of the Identity Attack Surface
Achieved MFA? PAM? Service account protection? Find out how well-equipped your organization truly is against identity threats
Ingress routes entail the exploitation of ProxyLogon, ProxyShell, ZeroLogon, and security flaws in Veeam Backup & Replication software to deploy a custom backdoor dubbed BUGHATCH, which is then used to deliver Cobalt Strike and updated versions of BURNTCIGAR in order to terminate security software running on the host.
“The Cuba cybercrime gang employs an extensive arsenal of both publicly available and custom-made tools, which it keeps up to date, and various techniques and methods including fairly dangerous ones, such as BYOVD,” Kaspersky said.
“Focussing on specific ransomware strains can be confusing at best, and unhelpful at worst,” the agencies said in a report published earlier this week. “Most ransomware incidents are not due to sophisticated attack techniques; the initial accesses to victims are gained opportunistically, with success usually the result of poor cyber hygiene.”