{"id":131531,"date":"2023-09-12T10:00:00","date_gmt":"2023-09-12T17:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=131531"},"modified":"2024-07-03T12:01:34","modified_gmt":"2024-07-03T19:01:34","slug":"malware-distributor-storm-0324-facilitates-ransomware-access","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/12\/malware-distributor-storm-0324-facilitates-ransomware-access\/","title":{"rendered":"Malware distributor Storm-0324 facilitates ransomware access"},"content":{"rendered":"\n

The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. These handoffs frequently lead to ransomware deployment. Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool to send phishing lures through Microsoft Teams chats. This activity is not related to the Midnight Blizzard social engineering campaigns over Teams<\/a> that we observed beginning in May 2023. Because Storm-0324 hands off access to other threat actors, identifying and remediating Storm-0324 activity can prevent more dangerous follow-on attacks like ransomware.<\/p>\n\n\n\n

Storm-0324 (DEV-0324), which overlaps with threat groups tracked by other researchers as TA543 and Sagrid, acts as a distributor in the cybercriminal economy<\/a>, providing a service to distribute the payloads of other attackers through phishing and exploit kit vectors.  Storm-0324\u2019s tactics focus on highly evasive infection chains with payment and invoice lures. The actor is known to distribute the JSSLoader malware, which facilitates access for the ransomware-as-a-service (RaaS) actor Sangria Tempest<\/a> (ELBRUS, Carbon Spider, FIN7). Previous distribution activity associated with Storm-0324 included the Gozi infostealer and the Nymaim downloader and locker.<\/p>\n\n\n\n

In this blog, we provide a comprehensive analysis of Storm-0324 activity, covering their established tools, tactics, and procedures (TTPs) as observed in past campaigns as well as their more recent attacks. To defend against this threat actor, Microsoft customers can use Microsoft 365 Defender to detect Storm-0324 activity and significantly limit the impact of these attacks on networks. Additionally, by using the principle of least privilege, building credential hygiene, and following the other recommendations we provide in this blog, administrators can limit the destructive impact of ransomware even if the attackers can gain initial access.<\/p>\n\n\n\n

Historical malware distribution activity<\/h2>\n\n\n\n

Storm-0324 manages a malware distribution chain and has used exploit kit and email-based vectors to deliver malware payloads. The actor\u2019s email chains are highly evasive, making use of traffic distribution systems (TDS) like BlackTDS and Keitaro, which provide identification and filtering capabilities to tailor user traffic. This filtering capability allows attackers to evade detection by certain IP ranges that might be security solutions, like malware sandboxes, while also successfully redirecting victims to their malicious download site.<\/p>\n\n\n\n

Storm-0324\u2019s email themes typically reference invoices and payments, mimicking services such as DocuSign, Quickbooks, and others. Users are ultimately redirected to a SharePoint-hosted compressed file containing JavaScript that downloads the malicious DLL payload. Storm-0324 has used many file formats to launch the malicious JavaScript including Microsoft Office documents, Windows Script File (WSF), and VBScript, among others.<\/p>\n\n\n\n

Storm-0324 has distributed a range of first-stage payloads since at least 2016, including:<\/p>\n\n\n\n