Microsoft warns about Storm-0324 malware distributed through Teams chats


  • Staff
The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. These handoffs frequently lead to ransomware deployment. Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool to send phishing lures through Microsoft Teams chats. This activity is not related to the Midnight Blizzard social engineering campaigns over Teams that we observed beginning in May 2023. Because Storm-0324 hands off access to other threat actors, identifying and remediating Storm-0324 activity can prevent more dangerous follow-on attacks like ransomware.

Storm-0324 (DEV-0324), which overlaps with threat groups tracked by other researchers as TA543 and Sagrid, acts as a distributor in the cybercriminal economy, providing a service to distribute the payloads of other attackers through phishing and exploit kit vectors. Storm-0324’s tactics focus on highly evasive infection chains with payment and invoice lures. The actor is known to distribute the JSSLoader malware, which facilitates access for the ransomware-as-a-service (RaaS) actor Sangria Tempest (ELBRUS, Carbon Spider, FIN7). Previous distribution activity associated with Storm-0324 included the Gozi infostealer and the Nymaim downloader and locker.

In this blog, we provide a comprehensive analysis of Storm-0324 activity, covering their established tools, tactics, and procedures (TTPs) as observed in past campaigns as well as their more recent attacks. To defend against this threat actor, Microsoft customers can use Microsoft 365 Defender to detect Storm-0324 activity and significantly limit the impact of these attacks on networks. Additionally, by using the principle of least privilege, building credential hygiene, and following the other recommendations we provide in this blog, administrators can limit the destructive impact of ransomware even if the attackers can gain initial access.
Click to expand...

Read more:
www.microsoft.com

Malware distributor Storm-0324 facilitates ransomware access | Microsoft Security Blog

The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. These handoffs frequently lead to ransomware deployment...
www.microsoft.com www.microsoft.com
 

Attachments

  • Windows_Security.png
    Windows_Security.png
    6 KB · Views: 0
Click to expand...

My Computer

System One

  • OS
    Windows11 23H2 (OS Build 22631.2428)
    Computer type
    PC/Desktop
    Manufacturer/Model
    HP HP ENVY TE01
    CPU
    2.90 gigahertz Intel Core i7-10700
    Motherboard
    Board: HP 8767 A (SMVB)
    Memory
    16214 Megabytes Usable Installed Memor
    Hard Drives
    1511.52 Gigabytes Usable Hard Drive Capacity
    1418.15 Gigabytes Hard Drive Free Space
    Keyboard
    Logitech wireless
    Mouse
    M 185 wireless
    Internet Speed
    12 ms Jitter 8 ms Download 10.5 Mbps Upload 1.7
    Browser
    Edge & FF
    Antivirus
    Windows Defender
You must log in or register to reply here.

Similar threads

  • Article
Update on Microsoft Actions Following Attack by Midnight Blizzard (NOBELIUM)
Replies
2
Views
796
antspants
antspants
  • Article
Midnight Blizzard: Microsoft Guidance for responders on nation-state attack
Replies
4
Views
2K
Steve C
Steve C
  • Article
Microsoft addresses App Installer abuse
2
Replies
23
Views
3K
neves
neves
  • Article
Microsoft Copilot for Security generally available on April 1, 2024
Replies
0
Views
563
Brink
Brink
  • Article
OneDrive security and mobile features now available for Microsoft 365 Basic subscribers
Replies
1
Views
342
TraderGary
TraderGary

Latest Support Threads

Latest Tutorials

Back
Top Bottom