According to recent reports, a threat actor known as Storm-0324 has been using email-based initial infection vectors to attack organizations.
However, as of July 2023, the threat actor has been found to have been using Microsoft Teams to send Phishing emails.
Once the threat actor gains access, they hand off the access to other threat actors who continue to further exploit the systems for sensitive information.
It has also been identified as working alongside the Sangria Tempest ransomware-as-a-service (RaaS) actor, distributing the JSSLoader malware and providing access to the Sangria threat group.
The attack chain of Storm-0324 involves highly evasive infection chains using invoice and payment lures. Storm-0324 was also found to be distributing payloads from other threat actors through phishing and exploit kit vectors.
It is recommended that companies employ advanced email protection With Trusitifi Inbound Shield, which offers powerful multi-layered scanning technology.
Storm-0324, Sangria Tempest & JSSLoader
Storm-0324 and Sangria Tempest have been working together ever since 2019. Storm-0324 hands-off access to Sangria after delivering the first-stage malware payload, JSSLoader.
The actor is known to distribute the JSSLoader malware, which facilitates access for the ransomware-as-a-service (RaaS) actor Sangria Tempest (ELBRUS, Carbon Spider, FIN7). Previous distribution activity associated with Storm-0324 included the Gozi infostealer, Nymaim downloader, and locker.
The delivery chain begins with a phishing email mentioning a payment or invoice and containing a link to a SharePoint site that hosts a ZIP archive.
The ZIP archive consists of a file with embedded JS code, resulting in the exploitation of the CVE-2023-21715 local security feature bypass vulnerability. When the file is opened, it launches the JS code, which drops a JSSLoader variant DLL.
In some instances, users might also be asked to enter a security code or password before opening the document, adding an additional level of believability for the user.
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
New Teams-based phishing
As reported by Cyber Security News, Storm-0324 has been using TeamsPhisher, a publicly available tool for sending a Teams message with a malicious link pointing to a malicious SharePoint-hosted file.
“We[Microsoft] have also rolled out enhancements to the Accept/Block experience in one-on-one chats within Teams, to emphasize the externality of a user and their email address so Teams users can better exercise caution by not interacting with unknown or malicious senders .” reads the report by Microsoft.
In such cases, Trustifi’s AI-powered email security helps you stay one step ahead of today’s malicious email-based threats. – Request a Free Demo.
Recommendations by Microsoft
As part of defending this threat actor, Microsoft has provided specific recommendations to its users, which are mentioned below,
Microsoft suggests that groups take the steps it gives to stop this threat actor from breaking into their network.