Microsoft has issued a warning regarding a new phishing campaign orchestrated by an initial access broker, which uses Microsoft Teams messages as bait to breach corporate networks. The actor behind it, tracked as Storm-0324 (also known as TA543 and Sagrid), has shifted away from the traditional email-based initial infection vectors.
Storm-0324 operates as a payload distributor facilitating various payloads through evasive infection chains. These payloads encompass downloaders, banking trojans, ransomware, and modular toolkits such as Nymaim, Gozi, TrickBot, IcedID, Gootkit, Dridex, Sage, GandCrab, and JSSLoader.
The attacker has historically employed deceptive email chains with invoice- and payment-themed content to trick users into downloading ZIP archive files hosted on SharePoint, which distribute the JSSLoader malware.
These email chains are designed to be highly evasive, utilizing traffic distribution systems (TDS) like BlackTDS and Keitaro to evade detection by security solutions like malware sandboxes while redirecting victims to malicious download sites.
The access granted by this malware facilitates the activities of the ransomware-as-a-service (RaaS) actor, Sangria Tempest (also known as Carbon Spider, ELBRUS, and FIN7). Sangria Tempest can conduct post-exploitation actions and deploy file-encrypting malware.
As of July 2023, the phishing lures are now transmitted through Microsoft Teams, leading to malicious ZIP files hosted on SharePoint. This abuses an issue that JUMPSEC first documented in June 2023, using the open-source tool TeamsPhisher.
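As an added defender-side illustration (not code from Microsoft or from the article), the following triage rule flags the pattern the article describes: a Teams message from a tenant other than the recipient's, carrying a link to a ZIP file hosted on SharePoint, optionally with invoice- or payment-themed text. The event records and their field names are constructed for this example and are not a real Teams audit-log schema.

```python
import re
from urllib.parse import urlparse

# Constructed chat-event records (hypothetical schema, not a real audit-log format).
SAMPLE_EVENTS = [
    {"sender": "ap@contoso.com", "sender_tenant": "contoso", "recipient_tenant": "contoso",
     "text": "Here is the invoice for last month",
     "urls": ["https://contoso.sharepoint.com/sites/fin/report.zip"]},
    {"sender": "billing@lookalike-vendor.onmicrosoft.com", "sender_tenant": "lookalike-vendor",
     "recipient_tenant": "contoso", "text": "Overdue payment - see attached invoice",
     "urls": ["https://lookalike-vendor.sharepoint.com/:u:/g/abc/invoice_2023.ZIP?download=1"]},
    {"sender": "partner@fabrikam.com", "sender_tenant": "fabrikam", "recipient_tenant": "contoso",
     "text": "Slides from today",
     "urls": ["https://fabrikam.sharepoint.com/sites/mkt/deck.pptx"]},
]

# Lure themes the article attributes to this actor's earlier email campaigns.
LURE_WORDS = re.compile(r"\b(invoice|payment|overdue|remittance)\b", re.I)


def is_sharepoint_zip(url):
    """True if the URL points at a ZIP file on a *.sharepoint.com host (query string ignored)."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host != "sharepoint.com" and not host.endswith(".sharepoint.com"):
        return False
    return p.path.lower().endswith(".zip")


def triage(event):
    """Return the reasons an event matches the pattern; empty list means no match."""
    reasons = []
    if event["sender_tenant"] != event["recipient_tenant"]:
        reasons.append("external tenant")
    if any(is_sharepoint_zip(u) for u in event["urls"]):
        reasons.append("sharepoint-hosted zip")
    if LURE_WORDS.search(event["text"]):
        reasons.append("invoice/payment lure")
    # Fire only when both the external-sender and the ZIP-link conditions hold;
    # the lure wording is recorded as supporting context, not required.
    if "external tenant" in reasons and "sharepoint-hosted zip" in reasons:
        return reasons
    return []


def flagged_senders(events=SAMPLE_EVENTS):
    """Senders of events that match the triage rule, in input order."""
    return [e["sender"] for e in events if triage(e)]
```

In the constructed sample only the cross-tenant message with the SharePoint-hosted ZIP is flagged; an internal message linking a ZIP and an external message linking a slide deck are not.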
It’s worth noting that a similar technique was employed by the Russian nation-state actor APT29 (aka Midnight Blizzard) in attacks targeting approximately 40 organizations worldwide in May 2023.
Microsoft has implemented security enhancements to mitigate this threat and has taken action by suspending accounts and tenants associated with fraudulent behavior.
This disclosure coincides with Kaspersky’s revelation of the tactics, techniques, and procedures employed by the ransomware group known as Cuba (aka COLDDRAW and Tropical Scorpius).
This group utilizes a double extortion business model and exploits vulnerabilities like ProxyLogon, ProxyShell, ZeroLogon, and security flaws in Veeam Backup & Replication software. They deploy a custom backdoor named BUGHATCH, which is used to deliver Cobalt Strike and updated versions of BURNTCIGAR to disable security software on the compromised host.