Hanna Korotka

Unmasking Storm-0324: The Malware Distributor Fueling Ransomware Attacks

In the ongoing battle against cyber threats, a new adversary has emerged: Storm-0324. This financially motivated threat actor has gained notoriety for facilitating ransomware attacks by distributing malware through email-based infection vectors. In this blog post, we will delve into Storm-0324's tactics, techniques, and procedures (TTPs), as well as the latest developments in its activity.

Storm-0324: The Puppeteer Behind the Scenes

Storm-0324, also known as DEV-0324 and overlapping with other threat groups such as TA543 and Sagrid, plays a critical role in the cybercriminal economy. Unlike ransomware authors or hackers, Storm-0324 acts as a distributor, providing services to propagate the malware of other attackers through various channels, including phishing and exploit kit vectors. While this behind-the-scenes role may seem less glamorous, it is equally sinister in the grand scheme of cybercrime.

Malware Distribution and Infection Tactics

One of Storm-0324's distinctive features is its use of highly evasive infection chains. The actor leverages traffic distribution systems (TDS) like BlackTDS and Keitaro, which act as gatekeepers, allowing only selected traffic to reach their intended targets while avoiding detection. These TDS mechanisms act as a shield, protecting the actor from discovery by security solutions such as malware sandboxes.

Storm-0324's phishing emails are meticulously crafted, often posing as invoices or payment notifications and mimicking the branding of popular services like DocuSign and QuickBooks. When recipients engage with these deceptive emails, they are directed to SharePoint-hosted files containing JavaScript code. The malicious payload is then delivered via various file formats, including Microsoft Office documents, Windows Script Files (WSF), and VBScript.

Over the years, Storm-0324 has distributed a range of first-stage payloads, including Nymaim (a downloader and locker), Gozi version 3 (an infostealer), Trickbot (a modular malware platform), Gootkit (a banking trojan), Dridex (another banking trojan), Sage ransomware, GandCrab ransomware, and IcedID (an information-stealing malware). However, since 2019, Storm-0324 has primarily focused on distributing JSSLoader, setting the stage for the ransomware-as-a-service actor Sangria Tempest.

The Unholy Alliance: Storm-0324 and Sangria Tempest

Storm-0324's role doesn't end with the distribution of JSSLoader; it's just the beginning of a dark journey. Since at least 2019, Storm-0324 has been handing off access to another cybercrime group known as Sangria Tempest. Once the initial JSSLoader payload is delivered, Sangria Tempest takes over, unleashing its ransomware campaign. This partnership makes it clear that Storm-0324 is a key enabler of more destructive ransomware attacks.

New Teams-Based Phishing Activity

Adding a twist to their malicious activities, Storm-0324 ventured into Teams-based phishing in July 2023. This tactic involved sending phishing lures through Microsoft Teams chats, typically using a publicly available tool called TeamsPhisher. By abusing this tool, attackers send malicious links leading to SharePoint-hosted files. When external access is enabled in the organization, the senders behind these campaigns appear to recipients as "EXTERNAL" users.

In response to these threats, Microsoft has taken various measures to enhance its defense against Teams-based phishing campaigns, including the suspension of fraudulent accounts and tenants associated with these activities.

Defending Against Storm-0324 and Ransomware

To guard against the likes of Storm-0324 and the destructive ransomware attacks they facilitate, a multi-faceted defense strategy is essential:

1. Phishing-Resistant Authentication: Implement robust authentication methods that resist phishing attacks.

2. Conditional Access: Enforce strict authentication for critical applications.

3. Trusted Domains: Define which external domains are allowed or blocked for chat and meetings.

4. Audit and Monitoring: Keep auditing enabled for investigation purposes.

5. Device Security: Only allow known and secure devices.

6. User Education: Train users to recognize and avoid social engineering and phishing attacks.

7. Teams Vigilance: Educate Microsoft Teams users to verify 'EXTERNAL' tagging on communication attempts from external entities.

8. Endpoint Protection: Turn on cloud-delivered protection and automatic sample submission for rapid threat identification.

9. Least Privilege: Limit administrative privileges and maintain credential hygiene.

10. URL Scanning: Use URL scanning and rewriting tools to protect against malicious links.
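The following triage heuristic is an added example, not code from the original post or from Microsoft. It applies the lure indicators described earlier (external Teams senders, invoice/payment/brand wording, SharePoint-hosted links, and script file extensions such as .js, .wsf and .vbs) to a few constructed message records; the record field names are assumptions, not a real product schema.

```python
import re
from urllib.parse import urlparse

# Constructed sample records (one per inbound email or Teams chat message).
# Field names and values are invented for this example.
SAMPLE_MESSAGES = [
    {"channel": "teams", "sender": "billing@contoso-invoices.example (EXTERNAL)",
     "subject": "Invoice 4471 due",
     "body": "Please review: https://tenant-x.sharepoint.com/:f:/s/inv/Invoice_4471.wsf"},
    {"channel": "email", "sender": "no-reply@docusign-notify.example",
     "subject": "DocuSign: payment notification",
     "body": "Open your document https://files.sharepoint.com/sites/pay/Notice.js"},
    {"channel": "teams", "sender": "alice@ourcorp.example",
     "subject": "", "body": "Lunch at 12? https://ourcorp.sharepoint.com/sites/team/menu.pdf"},
]

# Lure wording and payload extensions taken from the TTPs described in the post.
LURE_WORDS = re.compile(r"\b(invoice|payment|docusign|quickbooks)\b", re.I)
SCRIPT_EXT = (".js", ".jse", ".wsf", ".vbs", ".vbe")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def score_message(msg):
    """Return (score, reasons): one point per matched indicator."""
    reasons = []
    text = f"{msg.get('subject', '')} {msg.get('body', '')}"
    # Teams marks senders outside the tenant as EXTERNAL when federation is on.
    if msg.get("channel") == "teams" and "(EXTERNAL)" in msg.get("sender", ""):
        reasons.append("external Teams sender")
    if LURE_WORDS.search(text):
        reasons.append("invoice/payment/brand lure wording")
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        path = parsed.path.lower()
        if host.endswith("sharepoint.com"):
            reasons.append(f"SharePoint-hosted link: {host}")
            if path.endswith(SCRIPT_EXT):
                reasons.append(f"script payload in link: {path.rsplit('/', 1)[-1]}")
    return len(reasons), reasons


def triage(messages, threshold=3):
    """Return (sender, reasons) for messages at or above the threshold."""
    flagged = []
    for msg in messages:
        score, reasons = score_message(msg)
        if score >= threshold:
            flagged.append((msg["sender"], reasons))
    return flagged
```

The threshold keeps a lone internal SharePoint link (the third record) below the alert line while the two lure-style messages are surfaced for analyst review.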

Storm-0324 may operate in the shadows, but its actions have a profound impact on the cybersecurity landscape. By understanding their tactics and implementing proactive defenses, we can collectively work towards a safer digital environment. Cyber threats are evolving, and it's our duty to stay one step ahead to protect our networks and data. Stay vigilant and stay secure.

To help you to have peace of mind knowing your business is secure, click here to schedule a Microsoft 365 Secure Score review with our experts today. We'll evaluate your current cybersecurity measures, identify potential vulnerabilities, and help you implement a strategic security plan to keep your company safe.
