
Sophos X-Ops has uncovered two distinct ransomware campaigns that infiltrate organizations via Microsoft Office 365 and Teams. Tracked as STAC5143 and STAC5777, these campaigns combine email bombing, Microsoft Teams vishing, and legitimate Office 365 tooling to deploy ransomware and steal sensitive data.
Sophos has linked STAC5143 to techniques used by FIN7, also known as Sangria Tempest or Carbon Spider, while STAC5777 shows overlap with Microsoft’s Storm-1811 threat group. Sophos notes, “Both threat actors operated their own Microsoft Office 365 service tenants as part of their attacks and took advantage of a default Microsoft Teams configuration that permits users on external domains to initiate chats or meetings with internal users.”
The common attack pattern includes:
- Email Bombing: Victims receive up to 3,000 spam emails within an hour, flooding the inbox so that a follow-up call from "IT support" about the mail problem seems plausible.
- Teams Vishing: Threat actors, chatting or calling from their own external Teams tenant, impersonate IT support and request remote-control access under the guise of resolving the issue.
- Malware Deployment: Through the remote-control session (Microsoft Quick Assist or Teams screen sharing), attackers deliver malicious payloads, often hosted on SharePoint or in Azure Blob Storage.
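The default Teams setting the report calls out is the tenant federation configuration, which out of the box lets any external domain and any consumer Teams account start a chat or meeting with internal users. The following is an added example, not configuration from Sophos or Microsoft, showing how to audit that setting, restrict it to an explicit partner allow-list, and remove Quick Assist from managed endpoints so the "IT support" caller has no built-in remote-control tool to ask for. It assumes the MicrosoftTeams PowerShell module and Teams-admin rights; the partner domains are placeholders.

```powershell
# Added example (not from the Sophos report): audit and tighten Teams external access,
# then remove Quick Assist from Windows endpoints. Assumes the MicrosoftTeams module
# is installed and the caller holds Teams administrator rights.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Audit: the default tenant federation configuration has AllowFederatedUsers = True
#    with an empty AllowedDomains list (i.e. every external domain is allowed) and
#    permits consumer Teams accounts to initiate chats.
$cfg = Get-CsTenantFederationConfiguration
$cfg | Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                     AllowTeamsConsumer, AllowTeamsConsumerInbound

# 2. Harden: only named partner tenants may initiate chats or meetings with your
#    users, and consumer (personal) Teams accounts are blocked entirely.
#    The domains below are placeholders; replace them with your real partners.
$partnerDomains = @('partner-one.example', 'partner-two.example') |
    ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $partnerDomains

Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomains $allowList `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# If the organization needs no external Teams collaboration at all, disable
# federation outright instead of maintaining an allow-list:
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# 3. Endpoint: the vishing step depends on the victim launching Quick Assist.
#    Remove the optional feature (run elevated on each managed Windows host, or
#    deploy the same command through Intune/GPO).
$quickAssist = Get-WindowsCapability -Online |
    Where-Object Name -like 'App.Support.QuickAssist*'
if ($quickAssist -and $quickAssist.State -eq 'Installed') {
    Remove-WindowsCapability -Online -Name $quickAssist.Name
}
```

Re-run `Get-CsTenantFederationConfiguration` after the change and confirm `AllowedDomains` now lists only the partner patterns; Microsoft notes the setting can take some time to propagate to all clients. On recent Windows 11 builds Quick Assist ships as a Store app rather than a Windows capability, so the removal step there is `Get-AppxPackage -AllUsers *QuickAssist* | Remove-AppxPackage -AllUsers` (an assumption about that build's packaging, not something the report states). Neither control stops an attacker who has already talked a user into installing a third-party remote-access tool, so the detection side still matters.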
STAC5143 employs Java and Python-based malware, extracted from .zip files hosted on SharePoint. A Java Archive (JAR) file executes malicious code to establish control, evade detection, and sideload malware. Sophos highlights that “the attacker identified the process ID for javaw.exe using the Windows Management Instrumentation command line utility (WMIC.exe).[…] This was likely used along with PowerShell execution policy bypass to allow encoded commands to be executed and evade AMSI detection.”
The campaign’s Python payload includes obfuscated scripts resembling FIN7’s RPivot reverse proxy, facilitating command-and-control (C2) operations over Tor relays.

STAC5777 employs a more interactive approach, often guiding victims to install Microsoft Quick Assist. Once inside, attackers use hands-on-keyboard tactics to:
- Deploy Malware: Sophos found that attackers used OneDriveStandaloneUpdater.exe to sideload malicious DLLs, such as winhttp.dll, which gathers credentials, system information, and keystrokes.
- Lateral Movement: Using compromised credentials, attackers move to additional systems over RDP and Windows Remote Management (WinRM).
- Evasion: Threat actors attempt to disable endpoint protections, but Sophos’ tamper protection thwarted such efforts.
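Both campaigns leave the same three host-level traces the report describes: WMIC used to find the javaw.exe process hosting the JAR payload, PowerShell launched with an execution-policy bypass and an encoded command, and OneDriveStandaloneUpdater.exe loading a winhttp.dll that does not live in a Windows system directory. The function below is an added example, not Sophos' detection logic, that flags those three patterns in process-creation and image-load telemetry. The event lines are constructed for this illustration in a simple pipe-delimited format (event ID, image, command line, loaded image) modelled loosely on Sysmon Event IDs 1 and 7; the parser handles only that sample format.

```powershell
# Added example (not from the Sophos report): flag the hands-on-keyboard TTPs the
# campaigns share, run over constructed sample telemetry. Fields per line:
#   EventID | Image | CommandLine | ImageLoaded   (ImageLoaded only for event 7)
$sampleEvents = @'
1|C:\Windows\System32\wbem\WMIC.exe|wmic process where name="javaw.exe" get processid|
1|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ep bypass -enc SQBFAFgA...|
7|C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe||C:\Users\alice\AppData\Local\Microsoft\OneDrive\winhttp.dll
7|C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe||C:\Windows\System32\winhttp.dll
1|C:\Windows\System32\notepad.exe|notepad.exe report.txt|
'@

function Get-TeamsVishingIndicators {
    param([string[]]$Lines)

    # winhttp.dll legitimately lives only here; anywhere else is a sideload candidate.
    $sysRoot    = if ($env:SystemRoot) { $env:SystemRoot } else { 'C:\Windows' }
    $systemDirs = @("$sysRoot\System32\", "$sysRoot\SysWOW64\")

    foreach ($line in $Lines) {
        if (-not $line.Trim()) { continue }
        $eventId, $image, $cmd, $loaded = $line -split '\|', 4
        $exe = [System.IO.Path]::GetFileName($image)

        # (a) WMIC querying the process list for javaw.exe (PID lookup for the JAR host)
        if ($exe -ieq 'wmic.exe' -and $cmd -imatch 'process' -and $cmd -imatch 'javaw\.exe') {
            [pscustomobject]@{ Technique = 'WMIC javaw.exe PID lookup'; Evidence = $cmd }
        }

        # (b) PowerShell with execution-policy bypass plus a base64 encoded command
        if ($exe -ieq 'powershell.exe' -and
            $cmd -imatch '(-ep|-exec(utionpolicy)?)\s+bypass' -and
            $cmd -imatch '(-enc|-encodedcommand)\s+[A-Za-z0-9+/=]{8,}') {
            [pscustomobject]@{ Technique = 'PowerShell bypass + encoded command'; Evidence = $cmd }
        }

        # (c) OneDriveStandaloneUpdater.exe loading winhttp.dll from outside the system
        #     directories: the DLL sideload used for credential and keystroke capture
        if ($eventId -eq '7' -and $exe -ieq 'OneDriveStandaloneUpdater.exe' -and
            [System.IO.Path]::GetFileName($loaded) -ieq 'winhttp.dll' -and
            -not ($systemDirs | Where-Object { $loaded.StartsWith($_, 'OrdinalIgnoreCase') })) {
            [pscustomobject]@{ Technique = 'winhttp.dll sideload via OneDriveStandaloneUpdater.exe'; Evidence = $loaded }
        }
    }
}

# Three of the five constructed lines should be flagged; the legitimate
# System32 winhttp.dll load and the notepad launch should not.
Get-TeamsVishingIndicators -Lines ($sampleEvents -split "`r?`n") | Format-Table -AutoSize
```

To run this against real data, feed it Sysmon or EDR process-creation and image-load events rather than the constructed lines, and keep the three checks independent: on its own, an encoded PowerShell command or a WMIC process query is common admin noise, but either one within minutes of a Quick Assist session started after an external Teams call is exactly the sequence the report describes and deserves an immediate look.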
Sophos has observed attackers attempting to deploy the Black Basta ransomware. However, endpoint defenses successfully intercepted these efforts. The campaigns, active since late 2024, have targeted various industries and smaller organizations often overlooked by ransomware groups.