Explore Storm-0324 cyber threat tactics via Microsoft Teams phishing and stay pr...
Storm-0324, also known as DEV-0324, is a financially motivated threat group that has gained prominence for providing initial access to compromised networks. This group does not typically carry out the more damaging stages of intrusions, such as ransomware deployment, but instead specializes in gaining access and then selling that access to other malicious actors. Understanding and mitigating Storm-0324's activities is crucial because doing so can prevent more destructive follow-on attacks.
This [Threat Research](https://www.secureblink.com/threat-research) analyzes this threat group and its role as a ransomware access broker stealing accounts via Microsoft Teams phishing. The group has been on the radar for years, and its tactics have evolved over time, culminating in a recent shift towards using Microsoft Teams as a vector for phishing attacks. This research aims to dissect its tactics, techniques, and procedures (TTPs) and provide insights into how to defend against them.
### Evolution of Storm-0324
Storm-0324 has a history dating back to at least 2016, when it was involved in distributing various malware payloads through different vectors. Over the years, they have employed a variety of first-stage payloads, including Nymaim, Gozi, [Trickbot](https://www.secureblink.com/cyber-security-news/trickbot-is-going-through-a-transformational-transition-into-a-new-malware), Gootkit, Dridex, Sage ransomware, GandCrab ransomware, IcedID, and others. These payloads served as initial entry points into compromised networks.
However, since 2019, Storm-0324 has primarily focused on distributing JSSLoader, a first-stage downloader that facilitates access for ransomware-as-a-service (RaaS) actors like Sangria Tempest, also known as ELBRUS, Carbon Spider, and FIN7. This shift in tactics is notable because it marks a collaboration with other cybercriminal groups.
### Email-Based Initial Infection Vectors
Storm-0324 primarily relies on email-based infection vectors to distribute its payloads. Its email chains are designed to be highly evasive and make use of traffic distribution systems (TDS) like BlackTDS and Keitaro. These systems help identify and filter user traffic, allowing the attackers to evade detection by security solutions, including malware sandboxes, while still successfully redirecting victims to malicious download sites.
To lure victims into downloading malicious payloads, Storm-0324 typically employs themes related to invoices and payments, often mimicking popular services like DocuSign and Quickbooks. Once a user is enticed, they are redirected to a SharePoint-hosted compressed file containing JavaScript. The actors have used various file formats, including Microsoft Office documents, Windows Script Files (WSF), and VBScript, to execute the malicious code.
### Evolution to Microsoft Teams-Based Phishing
One significant [development](https://www.microsoft.com/en-us/security/blog/2023/09/12/malware-distributor-storm-0324-facilitates-ransomware-access/) in Storm-0324's tactics, according to Microsoft, is that this initial access broker, known for working with ransomware groups, has recently adopted Microsoft Teams as a platform for phishing attacks to breach corporate networks.
This shift was first noticed in July 2023, and it signifies an adaptation to the changing landscape of communication and collaboration tools.
#### TeamsPhisher Tool
To carry out these Teams-based phishing campaigns, Storm-0324 likely leverages a publicly available tool called [TeamsPhisher](https://github.com/Octoberfest7/TeamsPhisher). This Python-based tool enables users within a Teams tenant to attach files to messages sent to external tenants.
While TeamsPhisher can be used legitimately, threat actors abuse it to deliver phishing attachments. This technique allows the actors to bypass certain restrictions related to incoming files from external sources.
#### Phishing Lures in Teams Chats
In these Teams-based phishing campaigns, Storm-0324 sends malicious links to potential victims over Microsoft Teams chats. These links lead to SharePoint-hosted files designed to deliver the malicious payload. The attackers take advantage of the fact that when external access is enabled within an organization's settings, these phishing lures appear as messages from "EXTERNAL" users.
### Attack Chain Overview
To understand the attack chain employed by Storm-0324, let's break it down step by step:
#### 1. Phishing Email
Storm-0324 initiates its attack by sending phishing emails to potential victims. These emails typically reference invoices or payments and are carefully crafted to mimic legitimate services.
#### 2. SharePoint-Hosted Archive
The victim, enticed by the email, clicks on a link that leads to a SharePoint-hosted archive file. This archive usually contains a file with embedded JavaScript code.
#### 3. Malicious JavaScript
Upon opening the archive, the JavaScript code is executed. The actors have used various file formats for hosting the JavaScript, including WSF and Ekipa publisher files, often exploiting known vulnerabilities like [CVE-2023-21715](https://nvd.nist.gov/vuln/detail/CVE-2023-21715) for local security feature bypass.
#### 4. JSSLoader Payload
The JavaScript code drops a JSSLoader variant DLL onto the victim's system. JSSLoader is the first-stage downloader employed by Storm-0324.
#### 5. Handoff to Sangria Tempest
After successfully delivering the JSSLoader payload, Storm-0324 hands off access to another cybercriminal group known as Sangria Tempest (also associated with FIN7). This collaboration enables the deployment of more damaging payloads, such as ransomware.
#### 6. Additional Social Engineering
In some cases, Storm-0324 employs protected documents with security codes or passwords in their initial communications to users. This tactic adds an extra layer of believability for users and is an anti-analysis measure.
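A defender-side triage of the archive stage in steps 2, 3 and 6, added here as an example and not taken from Microsoft's or this article's tooling: it lists ZIP members without extracting them and flags script types and password-protected entries. The extension sets, the verdict names and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Script and document types the article lists for this delivery chain
# (JavaScript, WSF, VBScript, Office/Publisher files). The exact extension
# sets are an assumption; tune them for your environment.
SCRIPT_EXTS = {"js", "jse", "wsf", "vbs", "vbe"}
DOCUMENT_EXTS = {"doc", "docm", "xls", "xlsm", "pub"}


def triage_archive(data: bytes) -> dict:
    """Inspect a downloaded ZIP without extracting or executing anything."""
    report = {"scripts": [], "documents": [], "encrypted": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = PurePosixPath(info.filename).suffix.lower().lstrip(".")
            if info.flag_bits & 0x1:      # bit 0: entry is password-protected
                report["encrypted"].append(info.filename)
            if ext in SCRIPT_EXTS:
                report["scripts"].append(info.filename)
            elif ext in DOCUMENT_EXTS:
                report["documents"].append(info.filename)
    if report["scripts"]:
        report["verdict"] = "block"       # script file delivered inside an archive
    elif report["encrypted"]:
        report["verdict"] = "review"      # contents are hidden from content scanners
    return report


def build_sample(members: dict) -> bytes:
    """Constructed sample archive with harmless placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample({"Invoice_0923/invoice.wsf": "placeholder", "readme.txt": "x"})
    print(triage_archive(lure))
```

Member names stay readable in the central directory even when the entries are password-protected, so the extension check still works on archives a sandbox cannot open.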
### Recommendations for Defense
Now that we have dissected Storm-0324's attack tactics, it is crucial to understand how to defend against this threat actor. Here are recommendations for hardening networks against Storm-0324 attacks:
1. **Phishing-Resistant Authentication**: Implement phishing-resistant authentication methods for users.
2. **Conditional Access**: Use Conditional Access authentication strength to require phishing-resistant authentication for employees and external users accessing critical applications.
3. **Domain Allowlisting**: Specify trusted Microsoft 365 organizations to define which external domains are allowed or blocked for chat and meetings.
4. **Auditing**: Keep Microsoft 365 auditing enabled to investigate audit records when required.
5. **Access Settings**: Understand and select the best access settings for external collaboration in your organization.
6. **Credential Hygiene**: Educate users about social engineering and credential phishing attacks, emphasizing the importance of not entering MFA codes sent via unsolicited messages.
7. **User Caution in Microsoft Teams**: Educate Microsoft Teams users to verify 'External' tagging on communication attempts from external entities, be cautious about sharing sensitive information, and never share account information or authorize sign-in requests over chat.
8. **Suspicious Link Scanning**: Configure Microsoft Defender for Office 365 to recheck links on click, providing URL scanning and verification to protect against malicious links.
9. **Least Privilege**: Practice the principle of least privilege and maintain credential hygiene, avoiding the use of domain-wide, administrator-level service accounts.
10. **Cloud-Delivered Protection**: Turn on cloud-delivered protection and automatic sample submission in Microsoft Defender Antivirus to identify and stop new and unknown threats.
11. **Attack Surface Reduction**: Enable attack surface reduction rules in Microsoft Defender to prevent standard attack techniques.
### Detection Details
Microsoft provides several tools for detecting Storm-0324 activity:
- **Microsoft 365 Defender**: Detects various threat components, including TrojanSpy:MSIL/JSSLoader, Trojan:Win32/Gootkit, Trojan:Win32/IcedId, Trojan:Win64/IcedId, and Trojan:Win32/Trickbot.
- **Microsoft Defender Antivirus**: Identifies threat components as malware and provides protection against them.
- **Microsoft Defender for Endpoint**: Generates alerts related to Storm-0324 activity in the security center.
### Hunting Queries
For those using Microsoft 365 Defender, specific hunting queries can be employed to identify potential threats related to TeamsPhisher:
```kusto
// SharePoint tenants you trust; downloads from these are excluded from results
let allowedSharepointDomain = pack_array(
    'mysharepointname' //customize Sharepoint domain name and add more domains as needed for your query
);
//
// File extensions of interest, grouped by type
let executable = pack_array(
    'exe',
    'dll',
    'xll',
    'msi',
    'application'
);
let script = pack_array(
    'ps1',
    'py',
    'vbs',
    'bat'
);
let compressed = pack_array(
    'rar',
    '7z',
    'zip',
    'tar',
    'gz'
);
//
// Look-back window
let startTime = ago(1d);
let endTime = now();
DeviceFileEvents
| where Timestamp between (startTime..endTime)
| where ActionType =~ 'FileCreated'
// Files written by Teams (or a child of Teams), excluding the updater
| where InitiatingProcessFileName has 'teams.exe'
    or InitiatingProcessParentFileName has 'teams.exe'
| where InitiatingProcessFileName !has 'update.exe'
    and InitiatingProcessParentFileName !has 'update.exe'
// Downloaded from SharePoint, referred from SharePoint or Teams
| where FileOriginUrl has 'sharepoint'
    and FileOriginReferrerUrl has_any ('sharepoint', 'teams.microsoft')
| extend fileExt = tolower(tostring(split(FileName,'.')[-1]))
| where fileExt in (executable)
    or fileExt in (script)
    or fileExt in (compressed)
| extend fileGroup = iff( fileExt in (executable),'executable','')
| extend fileGroup = iff( fileExt in (script),'script',fileGroup)
| extend fileGroup = iff( fileExt in (compressed),'compressed',fileGroup)
//
// Keep only downloads from SharePoint hosts outside the allowlist
| extend sharePoint_domain = tostring(split(FileOriginUrl,'/')[2])
| where not (sharePoint_domain has_any (allowedSharepointDomain))
| project-reorder Timestamp, DeviceId, DeviceName, sharePoint_domain, FileName, FolderPath, SHA256, FileOriginUrl, FileOriginReferrerUrl
```
### Microsoft Sentinel
Microsoft Sentinel users can employ the TI Mapping analytics to match indicators mentioned in this research with data in their workspace. Additionally, Microsoft Sentinel offers detection and threat hunting content to detect post-exploitation activities related to Storm-0324.