Storm-0324 Exploits MS Teams Chats to Facilitate Ransomware Attacks

By Deeba Ahmed (HackRead)

KEY FINDINGS

  • Storm-0324 is a financially motivated threat actor that has been facilitating ransomware deployment and allowing access to compromised networks/devices to other threat actors since 2019.

  • Since July 2023, Storm-0324 has been exploiting MS Teams chats using an open-source tool to distribute payloads and send phishing lures to facilitate a particular cybercrime group, Sangria Tempest.

  • The group’s attack chain starts with phishing emails referencing payments/invoices with a link to a SharePoint site hosting a ZIP archive. This archive contains a file with embedded JavaScript code.

  • Storm-0324 has also been observed using protected documents to perform extended social engineering.

  • Microsoft has suspended all identified accounts and tenants linked or exploited in this “fraudulent behavior.”

Microsoft Threat Intelligence Team has published a new report highlighting the activities of a notorious, financially motivated threat actor it tracks as Storm-0324 (TA543 and Sagrid). This group has been facilitating ransomware deployment and allowing access to compromised networks/devices to other threat actors since 2019.

However, since July 2023, it has been exploiting MS Teams chats using an open-source tool to distribute payloads and send phishing lures to facilitate a particular cybercrime group, Sangria Tempest (aka Elbrus, Carbon Spider, and FIN7).

It is worth noting that this activity has no connection with the Midnight Blizzard social engineering campaign detected in May 2023, which also involved exploiting MS Teams.

The group’s attack chain starts with phishing emails referencing payments/invoices with a link to a SharePoint site hosting a ZIP archive. This archive contains a file with embedded JavaScript code. In fact, the group has used several different file types to host this code, such as Ekipa and WSF publisher files. For this purpose, it exploits CVE-2023-21715, a local security feature bypass vulnerability. The code, when launched, drops a JSSLoader variant DLL and additional Sangria Tempest tools.

Researchers have also observed Storm-0324 using protected documents to perform extended social engineering. Moreover, it includes the security code/password for the lure document in its initial communication with the user, which creates a sense of trust and keeps automated analysis mechanisms from opening the document.

Since July 2023, Storm-0324 has been exploiting MS Teams chats to send phishing lures with malicious links to that SharePoint-hosted file. The group relies on TeamsPhisher, a Python-based, open-source program that allows Teams tenant users to attach files to messages sent to external tenants. The Teams platform labels the senders of these phishing lures as External users.

Storm-0324 offers a distribution service for other attackers’ payloads using exploit kit or phishing vectors and focuses mainly on highly evasive infection chains. This actor usually distributes the JSSLoader malware, which gives the RaaS (ransomware-as-a-service) actor Sangria Tempest its initial access. Previously, Storm-0324 has used the Gozi infostealer and the Nymaim downloader/locker, GandCrab ransomware, the IcedID infostealer, the Gootkit and Dridex banking trojans, and Sage ransomware.

“Storm-0324 manages a malware distribution chain and has used exploit kit and email-based vectors to deliver malware payloads. The actor’s email chains are highly evasive, making use of traffic distribution systems (TDS) like BlackTDS and Keitaro, which provide identification and filtering capabilities to tailor user traffic,” read Microsoft’s blog post on Storm-0324’s ransomware distribution tactics.

Storm-0324’s email themes use payment/invoice lures, mimicking legitimate services like QuickBooks, DocuSign, etc. The group has used different file formats to launch malicious JavaScript code, including Windows Script File, Microsoft Office documents, and VBScript.
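The lure described above is a ZIP archive carrying a script file (JavaScript, WSF or VBScript) rather than the invoice it pretends to be. The following triage helper, added here as an illustration and not code from Microsoft’s report or the HackRead article, inspects an archive’s member names for script extensions, document-style double extensions and nested archives; the extension sets and the sample archive are constructed for this example.

```python
import io
import zipfile

# Script formats the article names as JavaScript/VBScript carriers. The set is
# assumed for this example; extend it to match your own gateway policy.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}
# Document-looking extensions a lure may place in front of the real one
# (Explorer hides the final extension by default, so "invoice.pdf.js" shows as "invoice.pdf").
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def triage_archive(data: bytes) -> dict[str, list[str]]:
    """Map each archive member to the reasons it was flagged (empty list if clean)."""
    results: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons: list[str] = []
            if ext in SCRIPT_EXTENSIONS:
                reasons.append("script-extension")
            if len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS:
                reasons.append("double-extension")
            if ext == ".zip":
                reasons.append("nested-archive")
            results[info.filename] = reasons
    return results


def flagged_members(data: bytes) -> list[str]:
    """Names of members that carry at least one reason to quarantine the archive."""
    return [name for name, reasons in triage_archive(data).items() if reasons]


def make_zip(members: dict[str, str]) -> bytes:
    """Build a ZIP in memory from {name: text}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample shaped like the invoice lure described in the article.
    sample = make_zip({"Invoice_0923.pdf.js": "// placeholder, no payload\n",
                       "notes.txt": "Please review the attached invoice.\n"})
    print(triage_archive(sample))
```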

Microsoft has suspended all identified accounts and tenants linked to or exploited in this “fraudulent behavior.”

Mike Newman, CEO of My1Login, has reflected on the news, stating that this seems like a sophisticated phishing scam with the potential to claim many victims as they won’t doubt messages sent through the MS Teams platform.

“This is a sophisticated phishing scam that will catch out many victims because they will not realize criminals can hijack Microsoft Teams to carry out attacks. People understand the techniques criminals can use to send phishing scams via email, but with Teams being seen as an internal communications platform, employees place more trust in the tool and are more likely to open and action documents they receive in chats.”

Newman stresses that organizations should educate employees on detecting phishing lures, avoiding sharing sensitive data by clicking on suspicious links, and implementing advanced Identity Management solutions to enhance data security and operational efficiency.

MS Teams has made headlines in the past for being a key target of malicious activities. Back in April 2020, CyberArk’s researchers detected a worm-like vulnerability in MS Teams, which they suspected could be exploited to hijack an organization’s entire roster of Teams accounts simply by sending malicious GIFs or links to Teams users.

And news about Teams being exploited kept pouring in. In February 2022, the cloud email security provider Avanan reported discovering a campaign that targeted Teams users with malware by exploiting the chat feature and attaching malicious documents to chat threads, which dropped a trojan when clicked.


Related news

Apple Users Need to Update iOS Now to Patch Serious Flaws

Plus: Microsoft fixes several zero-day bugs, Google patches Chrome and Android, Mozilla rids Firefox of a full-screen vulnerability, and more.

Microsoft Patch Tuesday February 2023: Win Graphics RCE, Edge RCE, Publisher SFB, CLFS EoP, Exchange RCEs, Word RCE, HoloLens1

Hello everyone! This episode will be about Microsoft Patch Tuesday for February 2023, including vulnerabilities that were added between January and February Patch Tuesdays. Alternative video link (for Russia): https://vk.com/video-149273431_456239118 This month I decided to change the format a bit. Now I share my impression of Microsoft Patch Tuesday on the same Patch Tuesday day […]

Threat Source newsletter (Feb. 16, 2023) — Recapping what we may have missed so far this year

Jon is back from parental leave and recapping the top security stories from late 2022 and early 2023 that totally blew by him.

Update Now: Microsoft Releases Patches for 3 Actively Exploited Windows Vulnerabilities

Microsoft on Tuesday released security updates to address 75 flaws spanning its product portfolio, three of which have come under active exploitation in the wild. The updates are in addition to 22 flaws the Windows maker patched in its Chromium-based Edge browser over the past month. Of the 75 vulnerabilities, nine are rated Critical and 66 are rated Important in severity. 37 out of 75 bugs are

Update now! February's Patch Tuesday tackles three zero-days

Microsoft has released updates to patch three zero-days and lots of other vulnerabilities, and so have several other vendors. (Malwarebytes Labs)

9 New Microsoft Bugs to Patch Now

78 new CVEs patched in this month's batch — nearly half of which are remotely executable and three of which attackers already are exploiting.

Microsoft Patch Tuesday, February 2023 Edition

Microsoft is sending the world a whole bunch of love today, in the form of patches to plug dozens of security holes in its Windows operating systems and other software. This year's special Valentine's Day Patch Tuesday includes fixes for a whopping three different "zero-day" vulnerabilities that are already being used in active attacks.

CVE-2023-21715

Microsoft Publisher Security Features Bypass Vulnerability

Microsoft Patch Tuesday for February 2023 — Snort rules and prominent vulnerabilities

Microsoft released its monthly security update on Tuesday, disclosing 73 vulnerabilities. Of these vulnerabilities, 8 are classified as “Critical”, 64 are classified as “Important”, one vulnerability is classified as “Moderate.” According to Microsoft none of the vulnerabilities has been publicly disclosed before Patch Tuesday
