Unmasking Storm-0324: The Malware Distributor Fueling Ransomware Attacks
In the ongoing battle against cyber threats, a new adversary has emerged - Storm-0324. This financially motivated threat actor has gained notoriety for its role in facilitating ransomware attacks by distributing malware through email-based infection vectors. In this blog post, we will delve deep into Storm-0324's tactics, techniques, and procedures (TTPs), as well as the latest developments in its cyber activities.
Storm-0324: The Puppeteer Behind the Scenes
Storm-0324, also known as DEV-0324 and overlapping with other threat groups such as TA543 and Sagrid, plays a critical role in the cybercriminal economy. Unlike ransomware authors or hackers, Storm-0324 acts as a distributor, providing services to propagate the malware of other attackers through various channels, including phishing and exploit kit vectors. While this behind-the-scenes role may seem less glamorous, it is equally sinister in the grand scheme of cybercrime.
Malware Distribution and Infection Tactics
One of Storm-0324's distinctive features is its use of highly evasive infection chains. The actor leverages traffic distribution systems (TDS) like BlackTDS and Keitaro, which act as gatekeepers, allowing only selected traffic to reach their intended targets while avoiding detection. These TDS mechanisms act as a shield, protecting the actor from discovery by security solutions such as malware sandboxes.
Over the years, Storm-0324 has distributed a range of first-stage payloads, including Nymaim (a downloader and locker), Gozi version 3 (an infostealer), Trickbot (a modular malware platform), Gootkit (a banking trojan), Dridex (another banking trojan), Sage ransomware, GandCrab ransomware, and IcedID (an information-stealing malware). However, since 2019, Storm-0324 has primarily focused on distributing JSSLoader, setting the stage for the ransomware-as-a-service actor Sangria Tempest.
The Unholy Alliance: Storm-0324 and Sangria Tempest
Storm-0324's role doesn't end with the distribution of JSSLoader; it's just the beginning of a dark journey. Since at least 2019, Storm-0324 has been handing off access to another cybercrime group known as Sangria Tempest. Once the initial JSSLoader payload is delivered, Sangria Tempest takes over, unleashing its ransomware campaign. This partnership makes it clear that Storm-0324 is a key enabler of more destructive ransomware attacks.
New Teams-Based Phishing Activity
Adding a twist to their malicious activities, Storm-0324 ventured into Teams-based phishing in July 2023. This tactic involved sending phishing lures through Microsoft Teams chats, typically using a publicly available tool called TeamsPhisher. By abusing this tool, attackers send malicious links leading to SharePoint-hosted files. These phishing campaigns are identified as "EXTERNAL" users if external access is enabled in the organization.
In response to these threats, Microsoft has taken various measures to enhance its defense against Teams-based phishing campaigns, including the suspension of fraudulent accounts and tenants associated with these activities.
Defending Against Storm-0324 and Ransomware
To guard against the likes of Storm-0324 and the destructive ransomware attacks they facilitate, a multi-faceted defense strategy is essential:
1. Phishing-Resistant Authentication: Implement robust authentication methods that resist phishing attacks.
2. Conditional Access: Enforce strict authentication for critical applications.
3. Trusted Domains: Define which external domains are allowed or blocked for chat and meetings.
4. Audit and Monitoring: Keep auditing enabled for investigation purposes.
5. Device Security: Only allow known and secure devices.
6. User Education: Train users to recognize and avoid social engineering and phishing attacks.
7. Teams Vigilance: Educate Microsoft Teams users to verify 'EXTERNAL' tagging on communication attempts from external entities.
8. Endpoint Protection: Turn on cloud-delivered protection and automatic sample submission for rapid threat identification.
9. Least Privilege: Limit administrative privileges and maintain credential hygiene.
10. URL Scanning: Use URL scanning and rewriting tools to protect against malicious links.
Storm-0324 may operate in the shadows, but its actions have a profound impact on the cybersecurity landscape. By understanding their tactics and implementing proactive defenses, we can collectively work towards a safer digital environment. Cyber threats are evolving, and it's our duty to stay one step ahead to protect our networks and data. Stay vigilant and stay secure.
To help you to have peace of mind knowing your business is secure, click here to schedule a Microsoft 365 Secure Score review with our experts today. We'll evaluate your current cybersecurity measures, identify potential vulnerabilities, and help you implement a strategic security plan to keep your company safe.