A threat actor that has historically used a variety of malware strains and email-based phishing lures in its campaigns has now moved on to delivering lures through Microsoft Teams, potentially leading to ransomware deployments in compromised networks.
The activity is the work of a group that Microsoft calls Storm-0324, a developing threat group that has used a variety of known malware tools in the past, including IcedID, Gozi, Dridex, and others. Storm-0324 is closely associated with a ransomware group that Microsoft calls Sangria Tempest, and in many intrusions, Storm-0324 gains initial access to a target network and then hands off that access to the ransomware gang for further exploitation.
“Storm-0324 (DEV-0324), which overlaps with threat groups tracked by other researchers as TA543 and Sagrid, acts as a distributor in the cybercriminal economy, providing a service to distribute the payloads of other attackers through phishing and exploit kit vectors. Storm-0324’s tactics focus on highly evasive infection chains with payment and invoice lures,” Microsoft said in a new analysis.
“The actor is known to distribute the JSSLoader malware, which facilitates access for the ransomware-as-a-service (RaaS) actor Sangria Tempest (ELBRUS, Carbon Spider, FIN7). Previous distribution activity associated with Storm-0324 included the Gozi infostealer and the Nymaim downloader and locker.”
In the past, Storm-0324 has used typical email phishing lures, usually with some financial theme. But more recently, the group has shifted to a newer tactic, sending malicious links to victims through Microsoft Teams. In those operations, the group uses a freely available tool called TeamsPhisher and directs victims to malicious external SharePoint files.
“TeamsPhisher is a Python-language program that enables Teams tenant users to attach files to messages sent to external tenants, which can be abused by attackers to deliver phishing attachments. These Teams-based phishing lures by threat actors are identified by the Teams platform as ‘EXTERNAL’ users if external access is enabled in the organization,” Microsoft said.
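As an added illustration, not code from Microsoft's analysis or from TeamsPhisher, the script below applies the two indicators described above, a sender from an external tenant and a link to a SharePoint tenant other than the organization's own, to a handful of constructed chat records, and notes invoice or payment wording as a third signal. The record field names and the home tenant hostnames are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed Teams chat records for this example. The field names are an
# assumption modelled on a typical message-audit export, not a real schema.
SAMPLE_EVENTS = [
    {"id": "m1", "sender": "ap@contoso.example", "sender_is_external": False,
     "text": "Updated deck: https://contoso.sharepoint.com/sites/sales/deck.pptx"},
    {"id": "m2", "sender": "billing@vendor-portal.example", "sender_is_external": True,
     "text": "Overdue invoice attached, please review today: "
             "https://vendorportal.sharepoint.com/:f:/s/docs/Invoice_4471.zip"},
    {"id": "m3", "sender": "partner@fabrikam.example", "sender_is_external": True,
     "text": "Thanks for the call, speak next week."},
]

# Assumed SharePoint hostnames belonging to the defending organization.
HOME_SHAREPOINT_TENANTS = {"contoso", "contoso-my"}

LURE_WORDS = re.compile(r"\b(invoice|payment|remittance|overdue|wire transfer)\b", re.I)
SHAREPOINT_LINK = re.compile(r"https?://([a-z0-9-]+)\.sharepoint\.com/\S*", re.I)


@dataclass
class Finding:
    message_id: str
    sender: str
    reasons: list


def external_sharepoint_hosts(text, home_tenants):
    """Return SharePoint tenant hostnames in text that are not the home tenant's."""
    return [m.group(1) for m in SHAREPOINT_LINK.finditer(text)
            if m.group(1).lower() not in home_tenants]


def triage(events, home_tenants=HOME_SHAREPOINT_TENANTS):
    """Flag external-tenant messages that carry a link to an external SharePoint file."""
    findings = []
    for ev in events:
        if not ev.get("sender_is_external"):
            continue  # internal senders are outside this lure pattern
        hosts = external_sharepoint_hosts(ev["text"], home_tenants)
        if not hosts:
            continue
        reasons = [f"external sender {ev['sender']}",
                   "external SharePoint link: " + ", ".join(hosts)]
        if LURE_WORDS.search(ev["text"]):
            reasons.append("payment/invoice lure wording")
        findings.append(Finding(ev["id"], ev["sender"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.message_id, f.sender, "; ".join(f.reasons))
```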
Other groups have also targeted Microsoft Teams with this tactic recently, including a group Microsoft refers to as Midnight Blizzard. That Russia-based group ran separate social engineering campaigns against Teams users earlier this year.
Microsoft recommends that organizations using Teams deploy phishing-resistant MFA methods such as hardware security keys in order to mitigate the risk of this type of attack.