Sophos Managed Detection and Response (MDR) has uncovered two distinct ransomware campaigns exploiting Microsoft Teams to gain unauthorized access to targeted organizations.
The threat actors, tracked as STAC5143 and STAC5777, are leveraging a default Microsoft Teams configuration that allows external users to initiate chats or meetings with internal users.
The attack chain combines several techniques, and Sophos researchers noted that the threat actors follow a multi-step approach:
- Email Bombing: Targets are overwhelmed with up to 3,000 spam emails in under an hour.
- Social Engineering: Posing as IT support, attackers initiate Microsoft Teams calls to victims.
- Remote Access: Threat actors guide victims to install Microsoft Quick Assist or use Teams’ built-in remote control feature.
- Malware Deployment: Once in control, attackers execute malicious payloads.
Campaigns
STAC5143 Campaign: The STAC5143 campaign is a sophisticated cyber operation that employs a variety of tools and techniques to infiltrate and control target systems. At its core, the campaign leverages Java Archive (JAR) files alongside Python-based backdoors to establish a foothold on compromised machines.
One of its key components is the deployment of an obfuscated version of RPivot, a reverse SOCKS proxy tool that enables attackers to maintain stealthy access to the victim’s network.
To further evade detection, the campaign incorporates a lambda function for code obfuscation, a method reminiscent of those used by the notorious FIN7 cybercrime group. Finally, the STAC5143 operators establish connections to their C2 servers over port 80, likely in an attempt to blend in with normal HTTP traffic and bypass common security measures.
STAC5777 Campaign: The STAC5777 Campaign is a sophisticated cyber attack that utilizes a combination of legitimate software and malicious components to infiltrate and persist within target systems.
It employs a malicious DLL named winhttp.dll, which is side-loaded by the legitimate Microsoft executable OneDriveStandaloneUpdater.exe. The campaign establishes command and control (C2) connections using unsigned OpenSSL toolkit drivers, enhancing its ability to evade detection.
To maintain persistence, the attackers modify the Windows registry, adding entries under “HKLM\SOFTWARE\TitanPlus” that specify C2 server addresses. Additionally, the campaign creates a service and a .lnk file to ensure it remains active on the compromised system. For lateral movement, STAC5777 conducts SMB scanning, allowing it to spread across networks.
In an attempt to disable security measures, the malware tries to uninstall security software and Multi-Factor Authentication (MFA) solutions, potentially leaving systems more vulnerable to further exploitation.
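As an added example (not Sophos' or the article's code), the following Python flags the two STAC5777 host indicators described above in Sysmon-style telemetry: winhttp.dll loaded by OneDriveStandaloneUpdater.exe from a directory other than System32/SysWOW64, and registry writes under HKLM\SOFTWARE\TitanPlus. The event records are constructed, and the field names assume Sysmon's Image/ImageLoaded/TargetObject naming.

```python
import ntpath

# Assumption: the genuine winhttp.dll is only loaded from these directories.
LEGIT_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
HOST_PROCESS = "onedrivestandaloneupdater.exe"
PERSISTENCE_KEY_PREFIX = r"hklm\software\titanplus"


def check_image_load(rec):
    """Sysmon Event ID 7: winhttp.dll loaded into the OneDrive updater from outside System32."""
    image = ntpath.basename(rec.get("Image", "")).lower()
    loaded = rec.get("ImageLoaded", "").lower()
    if image != HOST_PROCESS or ntpath.basename(loaded) != "winhttp.dll":
        return None
    if ntpath.dirname(loaded) in LEGIT_DLL_DIRS:
        return None  # legitimate system copy, not a side-load
    return f"possible winhttp.dll side-load by {HOST_PROCESS}: {rec['ImageLoaded']}"


def check_registry(rec):
    """Sysmon Event ID 13: value written under the TitanPlus key (C2 address storage)."""
    target = rec.get("TargetObject", "").lower()
    if target.startswith(PERSISTENCE_KEY_PREFIX):
        return f"TitanPlus registry write by {rec.get('Image')}: {rec['TargetObject']}"
    return None


def hunt(records):
    """Run both checks over a list of event records and return the alert strings."""
    alerts = []
    for rec in records:
        eid = rec.get("EventID")
        hit = check_image_load(rec) if eid == 7 else check_registry(rec) if eid == 13 else None
        if hit:
            alerts.append(hit)
    return alerts


SAMPLE_EVENTS = [  # constructed for this example; paths and values are not real IoCs
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\winhttp.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe",
     "ImageLoaded": r"C:\Windows\System32\winhttp.dll"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "TargetObject": r"HKLM\SOFTWARE\TitanPlus\1", "Details": "<placeholder-c2-address>"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

Only the first and third constructed records produce alerts; the System32 load and the ordinary Run key write are ignored.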
The malware used in these campaigns can:
- Collect system and OS details
- Gather user credentials
- Log keystrokes using Windows API functions
- Perform network discovery and lateral movement
- Exfiltrate sensitive data
In one instance, STAC5777 attempted to deploy Black Basta ransomware, which was blocked by Sophos endpoint protection.
Organizations should restrict Teams calls from external entities, limit the use of remote access tools such as Quick Assist, and implement application control settings to prevent unauthorized Quick Assist execution.
They should also leverage Microsoft Office 365 integration for improved security monitoring.
Sophos has deployed detections for the malware used in these campaigns, including ATK/RPivot-B, Python/Kryptic.IV, and Troj/Loader-DV.