Microsoft Alerts Corporations to Fresh Phishing Campaign via Teams Messages
Microsoft has issued a warning about a new phishing campaign called Storm-0324 (also known as TA543 and Sagrid) orchestrated by an initial access broker. This campaign diverges from traditional email-based methods by using Microsoft Teams messages as bait to infiltrate corporate networks.
Storm-0324 operates as a payload distributor in the cybercriminal realm, facilitating the spread of various malicious payloads through evasive infection chains. These payloads encompass downloaders, banking trojans, ransomware, and modular toolkits such as Nymaim, Gozi, TrickBot, IcedID, Gootkit, Dridex, Sage, GandCrab, and JSSLoader.
In past attacks, the actor employed decoy email messages with invoice and payment themes to deceive users into downloading ZIP archive files hosted on SharePoint. These files distributed JSSLoader, a malware loader with the capability to profile infected machines and introduce additional malicious payloads.
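The lure pattern described above (a message from outside the organisation, an invoice or payment theme, and a link to a ZIP archive hosted on SharePoint) can be turned into a simple triage heuristic for Teams or mail telemetry. The Python below is an added example written for this summary, not code from Microsoft or the linked report; the message records, their field names (`sender`, `external`, `text`), the lure word list and the scoring weights are constructed assumptions, and the threshold would need tuning against real tenant data.

```python
import re
from urllib.parse import urlparse

# Constructed sample message records with an assumed shape (not real telemetry).
# "external" marks a sender outside the organisation's own tenant.
MESSAGES = [
    {"id": 1, "sender": "accounts@contoso-invoices.example", "external": True,
     "text": "Please review the attached invoice before payment: "
             "https://contoso.sharepoint.com/:u:/s/files/Invoice_4471.zip"},
    {"id": 2, "sender": "alice@corp.example", "external": False,
     "text": "Lunch at noon? Menu here: https://corp.sharepoint.com/sites/social/menu.pdf"},
    {"id": 3, "sender": "billing@partner.example", "external": True,
     "text": "Payment overdue - open the archive: https://files.example/pay.zip"},
    {"id": 4, "sender": "bob@corp.example", "external": False,
     "text": "Sharing the build: https://corp.sharepoint.com/sites/eng/release.zip"},
]

# Assumed lure vocabulary and weights; tune against your own data.
LURE_WORDS = ("invoice", "payment", "overdue", "remittance")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
FLAG_THRESHOLD = 4


def is_zip_link(url):
    """True when the URL path points at a .zip archive (trailing punctuation ignored)."""
    path = urlparse(url).path.lower().rstrip(").,")
    return path.endswith(".zip")


def is_sharepoint(url):
    """True when the link is hosted on a sharepoint.com tenant."""
    host = (urlparse(url).hostname or "").lower()
    return host == "sharepoint.com" or host.endswith(".sharepoint.com")


def score_message(msg):
    """Return (score, reasons) for one message based on the lure traits above."""
    score, reasons = 0, []
    text = msg["text"].lower()
    if msg["external"]:
        score += 2
        reasons.append("external sender")
    hits = [w for w in LURE_WORDS if w in text]
    if hits:
        score += 1
        reasons.append("lure wording: " + ", ".join(hits))
    zips = [u for u in URL_RE.findall(msg["text"]) if is_zip_link(u)]
    if zips:
        score += 2
        reasons.append("zip archive link")
        # Internal users also share archives on SharePoint, so this only adds weight
        # on top of the other traits rather than flagging on its own.
        if any(is_sharepoint(u) for u in zips):
            score += 1
            reasons.append("zip hosted on SharePoint")
    return score, reasons


def triage(messages, threshold=FLAG_THRESHOLD):
    """Return the messages scoring at or above the threshold, with score and reasons."""
    flagged = []
    for m in messages:
        score, reasons = score_message(m)
        if score >= threshold:
            flagged.append({"id": m["id"], "sender": m["sender"],
                            "score": score, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(MESSAGES):
        print(hit["id"], hit["sender"], hit["score"], "; ".join(hit["reasons"]))
```

With the sample data, messages 1 and 3 are flagged while the internal build-sharing link (message 4) stays below the threshold; the point of weighting rather than matching a single trait is exactly that a ZIP on SharePoint is common in legitimate collaboration and only becomes suspicious in combination with an external sender and payment-themed wording.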
The actor behind Storm-0324 employs highly evasive email chains and utilizes traffic distribution systems (TDS) such as BlackTDS and Keitaro. These systems identify and filter incoming user traffic, so that requests from specific IP ranges, such as those used by malware sandboxes, are screened out to evade detection, while genuine victims are redirected to the malicious download sites.
The access gained through this malware opens the door for the ransomware-as-a-service (RaaS) actor Sangria Tempest, also known as Carbon Spider, ELBRUS, and FIN7, to carry out post-exploitation actions and deploy file-encrypting malware.
Source: https://thehackernews.com/2023/09/microsoft-warns-of-new-phishing.html