Storm-0324 Microsoft Alert

Warning! Storm-0324 Phishing Attack through Microsoft Teams


Microsoft has issued a warning about a fresh phishing campaign run by an initial access broker, with one twist: instead of email, the lure arrives as a Microsoft Teams message, and the goal is a foothold inside corporate networks.

Microsoft Threat Intelligence tracks the actor behind the campaign as Storm-0324.

Figure: Storm-0324 JSSLoader infection chain, based on mid-2023 activity (image from Microsoft's report).

Details about the campaign

Since July 2023, Storm-0324 has been observed delivering payloads through Microsoft Teams chats, a significant departure from its usual email-based delivery.

What is Storm-0324?

Storm-0324 acts as a payload distributor in the cybercriminal ecosystem: it sells delivery as a service, getting other actors' malware onto victim machines through evasive infection chains.

The payloads it has distributed include downloaders, banking trojans, ransomware, and modular toolkits such as Nymaim, Gozi, TrickBot, IcedID, Gootkit, Dridex, Sage, GandCrab, and JSSLoader.

https://x.com/fray_glow/status/1226903819042410496?s=20

How the actor has operated historically

Historically, this actor has 

  • used deceptive emails, typically themed around invoices and payments, to trick users into downloading ZIP archives hosted on SharePoint; 
  • distributed JSSLoader, a malware loader that profiles the infected machine and then fetches additional malicious payloads; 
  • built highly evasive email chains around traffic distribution systems (TDS) such as BlackTDS and Keitaro. A TDS fingerprints and filters incoming visitors, so the actor can serve the malicious download only to intended victims while steering security scanners and sandboxes away from it.

https://x.com/VK_Intel/status/980671766875049985?s=20

Access gained, Destruction begins!

Once JSSLoader has established a foothold, Storm-0324 hands the access to the ransomware-as-a-service (RaaS) actor Sangria Tempest (also tracked as Carbon Spider, ELBRUS, and FIN7), which carries out post-exploitation activity and deploys file-encrypting ransomware.

https://x.com/NoumenonSec/status/1659454112696508416?s=20

As of July 2023, the group's phishing tactics have evolved.

“Phishing lures are now sent via Microsoft Teams, with malicious links leading to SharePoint-hosted ZIP files. This is made possible through an open-source tool called TeamsPhisher, which exploits an issue first highlighted by JUMPSEC in June 2023.”

It is worth noting that a similar Teams-based technique was used by the Russian state actor APT29 (also known as Midnight Blizzard) in May 2023, in a campaign that targeted approximately 40 organizations worldwide.

https://x.com/MsftSecIntel/status/1671579358031486991?s=20

Planning is the key to dealing with all cyber crimes

Microsoft says it has rolled out several security enhancements to counter this technique and has suspended identified accounts and tenants involved in the fraudulent activity.

According to Microsoft's guidance, identifying and containing Storm-0324's activity early stops the far more damaging follow-on stage, the hand-off to a ransomware operator.

Endpoint detection and response is crucial to defend against this threat, since the ZIP archive and JSSLoader still have to execute on a workstation. Beyond that, train employees to treat unsolicited Teams chats from outside the organization with the same suspicion as unexpected email, enforce multi-factor authentication, and restrict external access in Teams so that only an allow-list of trusted partner domains can message your users (and unmanaged, consumer Teams accounts cannot). Keep systems updated and patched.
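The external-access restriction above is the control that removes the delivery channel this campaign depends on. The following is an added example, not code from the article or from Microsoft's report, showing how to apply it with the MicrosoftTeams PowerShell module; it assumes a Teams administrator role, and the partner domain names are placeholders.

```powershell
# Added example (not from the original article): lock down Teams external access.
# Requires the MicrosoftTeams PowerShell module and a Teams administrator role.
# Domain names below are placeholders for your real partner tenants.

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Inspect the current state. The tenant default is permissive:
#    AllowFederatedUsers = $true with no AllowedDomains restriction, and
#    AllowTeamsConsumer = $true, so any tenant or personal Teams account can
#    open a chat with your users, which is exactly what the lure needs.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                  AllowTeamsConsumer, AllowTeamsConsumerInbound

# 2. Build an explicit allow-list of partner domains (placeholders).
$partnerPatterns = @("partner-one.example", "partner-two.example") |
    ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $partnerPatterns

# 3. Apply: keep federation on, but only for the allow-list, and cut off
#    unmanaged (consumer) Teams accounts in both directions.
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomains $allowList `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# 4. Verify: AllowedDomains should now list only the partner patterns.
Get-CsTenantFederationConfiguration |
    Select-Object -ExpandProperty AllowedDomains
```

If the organization has no legitimate reason to chat with outside tenants at all, setting `-AllowFederatedUsers $false` is simpler than maintaining an allow-list. Either way, check the setting again after the change propagates, and remember that it only closes the Teams path: the same SharePoint-hosted ZIP lure can still arrive by email, so the endpoint and email controls stay in place.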

Author: PureVPN

Published: September 14, 2023

PureVPN is a leading VPN service provider that excels in providing easy solutions for online privacy and security. With 6000+ servers in 65+ countries, it helps consumers and businesses keep their online identity secured.