Microsoft Teams as a Tool for Storm-0324 Threat Group to Hack Corporate Networks

According to recent reports, a threat actor known as Storm-0324 has been using email-based initial infection vectors to attack organizations.

However, as of July 2023, the threat actor has been found to have been using Microsoft Teams to send Phishing emails.

Once the threat actor gains access, they hand off the access to other threat actors who continue to further exploit the systems for sensitive information.

It has also been identified as working alongside the Sangria Tempest ransomware-as-a-service (RaaS) actor, distributing the JSSLoader malware and providing access to the Sangria threat group. 

The attack chain of Storm-0324 involves highly evasive infection chains using invoice and payment lures. Storm-0324 was also found to be distributing payloads from other threat actors through phishing and exploit kit vectors.

It is recommended that companies employ advanced email protection With Trusitifi Inbound Shield, which offers powerful multi-layered scanning technology.

Storm-0324, Sangria Tempest & JSSLoader

Storm-0324 and Sangria Tempest have been working together ever since 2019. Storm-0324 hands-off access to Sangria after delivering the first-stage malware payload, JSSLoader.

The actor is known to distribute the JSSLoader malware, which facilitates access for the ransomware-as-a-service (RaaS) actor Sangria Tempest (ELBRUS, Carbon Spider, FIN7). Previous distribution activity associated with Storm-0324 included the Gozi infostealer, Nymaim downloader, and locker.

The delivery chain begins with a phishing email mentioning a payment or invoice and containing a link to a SharePoint site that hosts a ZIP archive.

The ZIP archive consists of a file with embedded JS code, resulting in the exploitation of the CVE-2023-21715 local security feature bypass vulnerability. When the file is opened, it launches the JS code, which drops a JSSLoader variant DLL. 

In some instances, users might also be asked to enter a security code or password before opening the document, adding an additional level of believability for the user. 

Source: Microsoft
Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

New Teams-based phishing

As reported by Cyber Security News, Storm-0324 has been using TeamsPhisher, a publicly available tool for sending a Teams message with a malicious link pointing to a malicious SharePoint-hosted file. 

“We[Microsoft] have also rolled out enhancements to the Accept/Block experience in one-on-one chats within Teams, to emphasize the externality of a user and their email address so Teams users can better exercise caution by not interacting with unknown or malicious senders .” reads the report by Microsoft.

In such cases, Trustifi’s AI-powered email security helps you stay one step ahead of today’s malicious email-based threats. – .

Recommendations by Microsoft

As part of defending this threat actor, Microsoft has provided specific recommendations to its users, which are mentioned below,

Microsoft suggests that groups take the steps it gives to stop this threat actor from breaking into their network.

Keep informed about the latest cybersecurity news by following us on Google NewsLinkedinTwitter, and Facebook.

Eswar

Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Threat Actors Selling Nunu Stealer On Hacker Forums

A new malware variant called Nunu Stealer is making headlines after being advertised on underground hacker forums…

2 days ago

Siemens UMC Vulnerability Allows Arbitrary Remote Code Execution

A critical vulnerability has been identified in Siemens' User Management Component (UMC), which could allow…

2 days ago

Foxit PDF Editor Vulnerabilities Allows Remote Code Execution

Foxit Software has issued critical security updates for its widely used PDF solutions, Foxit PDF…

2 days ago

Windows 11 Privilege Escalation Vulnerability Lets Attackers Execute Code to Gain Access

Microsoft has swiftly addressed a critical security vulnerability affecting Windows 11 (version 23H2), which could…

2 days ago

NetWalker Ransomware Operator Sentenced to 20 Years in Prison

A Romanian man has been sentenced to 20 years in prison for his involvement in…

2 days ago

CISA Warns of BeyondTrust Privileged Remote Access Exploited in Wild

 The Cybersecurity and Infrastructure Security Agency (CISA) has sounded the alarm over a critical vulnerability…

2 days ago