Sophos reveals two distinct ransomware campaigns, STAC5143 and STAC5777, leveraging Microsoft Teams to infiltrate organizations, steal data, and potentially deploy further malware. Both campaigns utilize malicious spam emails and impersonate IT support to trick victims into granting remote access, ultimately compromising their systems and exfiltrating sensitive information.
Two separate ransomware campaigns are exploiting Microsoft Teams to infect organizations and steal data, according to Sophos. The cybersecurity firm's managed detection and response (MDR) team opened investigations into the two campaigns in November and December 2024. Sophos tracks the two groups as STAC5143 and STAC5777.
Both groups used their own Microsoft 365 tenants for the attacks and took advantage of a default Teams configuration that permits external users to initiate meetings or chats with internal users.

The first campaign, attributed to STAC5143, came to light in November when a customer reported receiving over 3,000 spam emails within a 45-minute period. Shortly afterwards, the customer received a Microsoft Teams call from an account outside their organization posing as a 'Help Desk Manager'. The attacker instructed the employee to grant remote screen control through Teams. With that access, the attacker opened a command shell, dropped malicious files and executed malware on the victim's machine.

One of the dropped files was a .jar archive containing Java code that was run by the legitimate javaw.exe. Operating silently, this code ran PowerShell commands that downloaded a 7-Zip archive and the 7-Zip utility itself. The unpacked archive contained a ProtonVPN executable and a malicious DLL (nethost.dll) that the ProtonVPN executable side-loaded. After ProtonVPN launched, the attackers connected to virtual private servers in Russia, the Netherlands and the US, which triggered Sophos' endpoint protection. The Java code also performed reconnaissance, gathering information about the user's account and the local network, and ultimately executed a Python-based backdoor to remotely control the Windows computer. The Python code used a lambda function for obfuscation, matching malware previously linked to FIN7.

STAC5777's attacks likewise began with massive spam email campaigns, followed by Teams messages claiming to come from the internal IT team and asking for a Teams call to sort out the spam problem. Unlike STAC5143, however, STAC5777 relied more on direct, scripted commands executed by the attackers themselves.
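The default both groups abused is the tenant's external access (federation) setting, which out of the box lets any other Microsoft 365 tenant, including one an attacker has just created, call or chat with your users. The following PowerShell is an added example, not code from Sophos or from this article: it records the current federation configuration, then replaces the open default with an explicit allow list and blocks personal (consumer) Teams accounts. It assumes the MicrosoftTeams PowerShell module, a Teams administrator role, and that the two partner domains are placeholders you replace with tenants you genuinely need to reach; cmdlet and parameter names follow Microsoft's documentation and should be confirmed against the module version you have installed.

```powershell
# Added example (not Sophos' or the article's code): inspect and tighten Teams
# external access so attacker-controlled tenants cannot call or chat with staff.
# Prerequisites, run once in an elevated PowerShell session:
#   Install-Module MicrosoftTeams -Scope CurrentUser
#   Connect-MicrosoftTeams
# The domains below are placeholders (assumption); list the tenants you actually trust.
$partnerDomains = @('partner-one.example', 'partner-two.example')

# 1. Record what is in place today. The tenant default is AllowFederatedUsers = $true,
#    AllowTeamsConsumer = $true and AllowedDomains = AllowAllKnownDomains, which is
#    what let the attackers' own tenants initiate calls and chats with employees.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                        AllowedDomains, BlockedDomains | Format-List

# 2. Build the allow list. AllowedDomainsAsAList takes a generic List[string].
$allowList = New-Object 'System.Collections.Generic.List[string]'
foreach ($domain in $partnerDomains) { $allowList.Add($domain) }

# Splatting keeps the intent readable; comments cannot follow a backtick continuation.
$params = @{
    AllowFederatedUsers       = $true        # keep federation, but only with the allow list
    AllowedDomainsAsAList     = $allowList   # anything not listed can no longer reach users
    AllowTeamsConsumer        = $false       # no personal (consumer) Teams accounts
    AllowTeamsConsumerInbound = $false       # and no inbound requests from them either
}
Set-CsTenantFederationConfiguration @params
# If you have no partner tenants at all, set AllowFederatedUsers to $false instead
# and drop AllowedDomainsAsAList; that closes external access completely.

# 3. Verify. AllowedDomains comes back as an AllowList object whose AllowedDomain
#    collection carries the Domain names, so expand it to confirm the change took.
$after = Get-CsTenantFederationConfiguration
$after | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound | Format-List
$after.AllowedDomains.AllowedDomain | Select-Object Domain
```

Tenant-wide federation settings can take some time to propagate to clients, so re-test from an external tenant after a delay rather than immediately. Where an allow list is not feasible, a blocked-domains list is weaker protection here: the attackers used tenants they created themselves, so a block list built from known-bad domains would not have stopped either campaign.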
In each STAC5777 case, the attackers talked the victim through installing and running Microsoft's Quick Assist remote access tool, which gave them control of the device. Once in control, they downloaded a payload containing a malicious DLL (winhttp.dll) that collected system, OS and configuration details, along with stored credentials and keystrokes. They also downloaded unsigned DLLs built from an OpenSSL toolkit, which the legitimate Windows OneDriveStandaloneUpdater.exe process then used to establish encrypted command-and-control (C2) connections to remote hosts, including a virtual private server on infrastructure favoured by Russia-based criminals. With C2 established, the OneDriveStandaloneUpdater.exe process was used to scan for Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM) hosts that could be reached with the stolen credentials, and the attackers then attempted to move laterally to them. In one case they used the backdoor to uninstall the local multifactor authentication integration on the compromised device. Sophos also observed the attackers exfiltrating local files with 'password' in the file name. In one instance, blocked by Sophos' protections, STAC5777 attempted to infect the machine with additional malware.
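The two chains above share a pattern a responder can look for on a live host: a trusted, signed executable (OneDriveStandaloneUpdater.exe, the ProtonVPN binary, javaw.exe) loading a DLL it should not, an unsigned DLL or a DLL with a system-library name (winhttp.dll) sitting outside System32, and that same process then talking to RDP or WinRM ports. The following PowerShell triage script is an added example, not code from Sophos or from this article. The process and DLL names come from the article; the exact ProtonVPN process name, the directories treated as trusted, the port list and the output format are this example's own assumptions.

```powershell
# Added example (not Sophos' or the article's code): triage a Windows host for the
# side-loading, C2 and lateral-movement indicators described above.
# Run as Administrator in 64-bit PowerShell on the host being examined.

# Host processes the article names as side-loading victims (ProtonVPN.exe is an
# assumed process name) and the DLL names they were handed.
$watchedHosts  = @('OneDriveStandaloneUpdater.exe', 'ProtonVPN.exe', 'javaw.exe')
$sideLoadNames = @('winhttp.dll', 'nethost.dll', 'libcrypto*.dll', 'libssl*.dll')
# Directories where a system DLL is expected to live (assumption: WinSxS included).
$trustedRoots  = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", "$env:SystemRoot\WinSxS")

function Test-TrustedPath([string]$Path) {
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Loaded modules. Flag a DLL carrying a system-library name that was loaded from
#    anywhere other than the trusted roots, and any DLL with a missing or invalid
#    Authenticode signature inside one of the watched host processes.
function Find-SideLoadedModules {
    $findings = @()
    foreach ($proc in Get-Process) {
        try { $modules = $proc.Modules } catch { continue }   # protected or other-bitness process
        $hostHit = $watchedHosts -contains ($proc.ProcessName + '.exe')
        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path) { continue }
            $nameHit = [bool]($sideLoadNames | Where-Object { $m.ModuleName -like $_ })
            if (-not $nameHit -and -not $hostHit) { continue }
            if (-not $nameHit -and (Test-TrustedPath $path)) { continue }   # watched host, ordinary system DLL
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $reason = @()
            if ($nameHit -and -not (Test-TrustedPath $path)) {
                $reason += "system DLL name loaded from $([IO.Path]::GetDirectoryName($path))"
            }
            if ($sig.Status -ne 'Valid') { $reason += "signature $($sig.Status)" }
            if ($reason.Count -eq 0) { continue }                 # e.g. the real winhttp.dll in System32
            $findings += [pscustomobject]@{
                Process = $proc.ProcessName; PID = $proc.Id; Module = $m.ModuleName
                Path = $path; Signature = $sig.Status; Reason = ($reason -join '; ')
            }
        }
    }
    $findings
}

# 2. Network. An updater has no business opening RDP (3389) or WinRM (5985/5986)
#    sessions; report every such connection and mark the ones owned by a watched host.
function Find-LateralMovementConnections {
    $lateralPorts = 3389, 5985, 5986
    Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
        Where-Object { $lateralPorts -contains $_.RemotePort } |
        ForEach-Object {
            $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Process    = $owner.ProcessName; PID = $_.OwningProcess
                Remote     = "$($_.RemoteAddress):$($_.RemotePort)"; State = $_.State
                Suspicious = ($watchedHosts -contains ($owner.ProcessName + '.exe'))
            }
        }
}

# 3. Quick Assist. Report whether the tool the victims were talked into running is
#    installed; the commented line removes it on hosts where it is not sanctioned.
function Get-QuickAssistState {
    Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' | Select-Object Name, State
    # Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' | Remove-WindowsCapability -Online
}

Find-SideLoadedModules            | Format-Table -AutoSize
Find-LateralMovementConnections   | Format-Table -AutoSize
Get-QuickAssistState
```

Treat the output as leads, not verdicts: a vendor's own signed libraries loaded from its install directory are normal, which is why the script only escalates on a system-library name in the wrong place or a failed signature check. The module walk only sees processes running at the time, so pair it with your EDR or Sysmon ImageLoad (event ID 7) history to catch a side-load that has already exited.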