Storm-0324, a financially motivated threat actor group, has been observed using Microsoft Teams to deliver phishing messages. The group has previously been linked to phishing email campaigns that gain initial access to victim systems through remote code execution. Once access is established, Storm-0324 frequently hands that access to the well-known ransomware group Sangria Tempest (also known as FIN7 or Carbon Spider).
The latest delivery technique used by Storm-0324 targets professionals who rely on Teams as their primary messaging client. Because Teams allows communication with external users, the threat actors can send lure phishing messages carrying attachments. When opened, these attachments lead to a ransomware attack on the affected devices and the network they belong to.
During its earlier email-based campaigns, Storm-0324 frequently sent invoice-themed phishing emails impersonating services such as DocuSign and QuickBooks. The user was directed to a SharePoint site, from which a malicious payload called JSSLoader was delivered inside a compressed Windows Script File (WSF) or JavaScript file. Storm-0324 has used a variety of file formats in its attacks, including Windows Script Files, Microsoft Office documents, and VBS scripts.
Researchers have noted that Storm-0324 and Sangria Tempest were previously associated with distributing the Gozi infostealer, the Nymaim downloader, and a locker. Storm-0324 now distributes JSSLoader before passing the access on to other ransomware groups. JSSLoader is a sophisticated backdoor created by the FIN7/Sangria Tempest threat actor and is equipped with anti-analysis features, data exfiltration, remote code execution, and persistence.
The JSSLoader payload creates a unique ID for each target based on the machine's serial number, domain name, and computer name. This ID is used to track individual victims. As a remote access trojan (RAT), JSSLoader collects a range of data from the victim's system in preparation for the next stage of execution, including logical drives, hostname, username, domain name, system information (such as running processes and installed applications), and IP address details.
Since 2019, JSSLoader has changed constantly, and its distribution method has evolved along with it. Researchers have found that Storm-0324 has adopted a new approach to Teams-based phishing that relies on publicly available GitHub scripts, which lowers the barrier enough for inexperienced attackers (script kiddies) to take part in these attacks. By rewriting JSSLoader in C++, the threat actors have been able to evade detection and complicate analysis.
To protect against vulnerabilities, organizations are encouraged to use Patch Manager Plus, which can quickly patch over 850 third-party applications. Taking advantage of the free trial of Patch Manager Plus ensures 100% security by keeping all software up to date and protected against known vulnerabilities.
In conclusion, Storm-0324’s utilization of Microsoft Teams for phishing attacks highlights the evolving tactics employed by threat actor groups. By targeting professionals who rely on Teams for communication, the threat actors are able to exploit vulnerabilities and deliver ransomware attacks. It is crucial for organizations to remain vigilant and ensure their systems are properly protected and updated to mitigate these risks.