Microsoft has issued a warning about a new phishing campaign known as Storm-0324 that uses Microsoft Teams messages to infiltrate corporate networks. This campaign, also referred to as TA543 and Sagrid, marks a shift away from email-based infection methods, using open-source tools and malicious links within Teams chats to distribute various payloads, including ransomware and trojans.
Furthermore, Storm-0324 operates as a payload distributor, offering services to propagate these payloads using evasive infection chains, such as downloaders, banking trojans, and modular toolkits like Nymaim and TrickBot. The malware‘s access provides a gateway for the ransomware-as-a-service actor Sangria Tempest to conduct post-exploitation actions and deploy file-encrypting malware.
In past attacks, Storm-0324 employed deceptive invoice- and payment-themed email messages to trick users into downloading ZIP archive files distributing malware like JSSLoader.
The actor behind Storm-0324 uses highly evasive techniques, including traffic distribution systems like BlackTDS and Keitaro, to evade detection and successfully redirect victims to malicious download sites. Microsoft has suspended accounts associated with fraudulent behavior and implemented security enhancements to mitigate this threat.
Additionally, in addition to the Storm-0324 warning, Kaspersky detailed the tactics, techniques, and procedures of the ransomware group known as Cuba, which employs a double extortion business model to attack companies globally.
Ransomware attacks have surged in 2023, with the U.K. National Cyber Security Centre and National Crime Agency emphasizing the importance of robust cybersecurity practices, as most ransomware incidents result from poor cyber hygiene and opportunistic initial access.
