Friday, November 1, 2024
HomeCyber Security NewsMicrosoft Teams as a Tool for Storm-0324 Threat Group to Hack Corporate...

Microsoft Teams as a Tool for Storm-0324 Threat Group to Hack Corporate Networks

Published on

Malware protection

According to recent reports, a threat actor known as Storm-0324 has been using email-based initial infection vectors to attack organizations.

However, as of July 2023, the threat actor has been found to have been using Microsoft Teams to send Phishing emails.

Once the threat actor gains access, they hand off the access to other threat actors who continue to further exploit the systems for sensitive information.

- Advertisement - SIEM as a Service

It has also been identified as working alongside the Sangria Tempest ransomware-as-a-service (RaaS) actor, distributing the JSSLoader malware and providing access to the Sangria threat group. 

The attack chain of Storm-0324 involves highly evasive infection chains using invoice and payment lures. Storm-0324 was also found to be distributing payloads from other threat actors through phishing and exploit kit vectors.

It is recommended that companies employ advanced email protection With Trusitifi Inbound Shield, which offers powerful multi-layered scanning technology.

Storm-0324, Sangria Tempest & JSSLoader

Storm-0324 and Sangria Tempest have been working together ever since 2019. Storm-0324 hands-off access to Sangria after delivering the first-stage malware payload, JSSLoader.

The actor is known to distribute the JSSLoader malware, which facilitates access for the ransomware-as-a-service (RaaS) actor Sangria Tempest (ELBRUS, Carbon Spider, FIN7). Previous distribution activity associated with Storm-0324 included the Gozi infostealer, Nymaim downloader, and locker.

The delivery chain begins with a phishing email mentioning a payment or invoice and containing a link to a SharePoint site that hosts a ZIP archive.

The ZIP archive consists of a file with embedded JS code, resulting in the exploitation of the CVE-2023-21715 local security feature bypass vulnerability. When the file is opened, it launches the JS code, which drops a JSSLoader variant DLL. 

In some instances, users might also be asked to enter a security code or password before opening the document, adding an additional level of believability for the user. 

Source: Microsoft 
Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

New Teams-based phishing

As reported by Cyber Security News, Storm-0324 has been using TeamsPhisher, a publicly available tool for sending a Teams message with a malicious link pointing to a malicious SharePoint-hosted file. 

“We[Microsoft] have also rolled out enhancements to the Accept/Block experience in one-on-one chats within Teams, to emphasize the externality of a user and their email address so Teams users can better exercise caution by not interacting with unknown or malicious senders .” reads the report by Microsoft.

In such cases, Trustifi’s AI-powered email security helps you stay one step ahead of today’s malicious email-based threats. – .

Recommendations by Microsoft

As part of defending this threat actor, Microsoft has provided specific recommendations to its users, which are mentioned below,

Microsoft suggests that groups take the steps it gives to stop this threat actor from breaking into their network.

Keep informed about the latest cybersecurity news by following us on Google NewsLinkedinTwitter, and Facebook.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...