Impersonation on Microsoft Teams
Microsoft
January 23, 2025
Analysts discovered ongoing campaigns linked to two distinct Russian threat groups employing similar social engineering tactics to deliver ransomware. Analysts identified the campaigns while researching BeaverTail malware associated with a North Korean state-sponsored threat group. The cyberattack begins with “email bombing,” a technique in which a high volume of targeted spam messages is rapidly sent – as many as 3,000 in less than an hour – causing the recipient to suspect they may be experiencing a cyberattack. Shortly after the email bombing begins, the target receives a call via Microsoft Teams from the threat actor impersonating IT support, using an adversary-controlled Office 365 instance to appear legitimate. The threat actor offers assistance to remediate the issue, requests that the target grant remote access to their system, and may ask them to download a remote desktop protocol (RDP) tool. In the last three months, over 15 incidents have been reported, with seven occurring in the past two weeks.
The first group, tracked as STAC5143, displays tactics, techniques, and procedures (TTPs) similar to FIN7, though organizations targeted in this campaign are smaller than those typically victimized by FIN7. They trick employees into permitting remote control sessions through Teams, allowing them to access command shells and execute malware from external SharePoint.
The second group, identified as STAC5777, uses TTPs that overlap with Storm-1811 operations. They instruct targeted employees to download Microsoft’s Quick Assist tool. After gaining access, they deploy a legitimate Microsoft updater containing a malicious side-loading DLL that steals credentials and provides persistent access to the network. These attackers use RDP and Windows Remote Management to access other computers on the targeted network and, in one case, deployed the Black Basta ransomware. Both groups are believed to be part of ransomware and data theft extortion efforts.
Recommendations
- If contacted by someone claiming to be the help desk, verify their legitimacy by contacting the company’s IT department directly. Avoid clicking links, responding to, or acting on unsolicited text messages or emails.
- Avoid downloading software at the request of unknown individuals, and refrain from divulging sensitive information.
- Use strong, unique passwords and enable multi-factor authentication (MFA) for all accounts where available, choosing authentication apps or hardware tokens over SMS text-based codes.
- Keep systems up to date and apply patches after appropriate testing.
- Utilize monitoring and detection solutions to identify suspicious login attempts and user behavior.
- Employ a comprehensive data backup plan and ensure operational technology (OT) environments are segmented from the information technology (IT) environments.
- Technical details, TTPs, and indicators of compromise (IOCs) can be found in the Sophos report.
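The monitoring recommendation above can be made concrete for the specific pattern this advisory describes: a burst of inbound mail to one user followed shortly by a Teams call from an external tenant. The following is an added example, not code from the advisory, Sophos, or Microsoft; the log line formats, field names, thresholds, and sample entries are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs; the line formats are assumptions, not any product's real schema.
# Mail gateway line: "<ISO time> <recipient> <sender>"; 30 messages to alice in 5 minutes.
MAIL_LOG = sorted(
    [f"2025-01-23T09:{i // 60:02d}:{i % 60:02d} alice@corp.example noreply{i}@spam.example"
     for i in range(0, 300, 10)]
    + ["2025-01-23T09:00:00 bob@corp.example newsletter@vendor.example",
       "2025-01-23T09:30:00 bob@corp.example hr@corp.example"]
)
# Teams audit line: "<ISO time> <callee> call-from <caller> tenant=<internal|external>"
TEAMS_LOG = [
    "2025-01-23T09:25:00 alice@corp.example call-from support@itdesk-external.example tenant=external",
    "2025-01-23T09:40:00 bob@corp.example call-from carol@corp.example tenant=internal",
]

def find_email_bombs(lines, threshold=20, window=timedelta(minutes=10)):
    """Sliding-window count per recipient (lines sorted by time); returns
    {recipient: time at which the threshold was first crossed}."""
    recent, bombed = defaultdict(deque), {}
    for line in lines:
        ts, rcpt, _sender = line.split()
        t = datetime.fromisoformat(ts)
        q = recent[rcpt]
        q.append(t)
        while t - q[0] > window:          # drop messages older than the window
            q.popleft()
        if len(q) >= threshold and rcpt not in bombed:
            bombed[rcpt] = t
    return bombed

def correlate_teams_calls(bombed, teams_lines, lookahead=timedelta(hours=2)):
    """Flag a call from an external tenant to a bombed user within `lookahead` of the burst."""
    alerts = []
    for line in teams_lines:
        ts, callee, _kw, caller, tenant = line.split()
        start = bombed.get(callee)
        if start is None or tenant != "tenant=external":
            continue
        if timedelta(0) <= datetime.fromisoformat(ts) - start <= lookahead:
            alerts.append((callee, caller, ts))
    return alerts

if __name__ == "__main__":
    bombs = find_email_bombs(MAIL_LOG)
    for user, caller, when in correlate_teams_calls(bombs, TEAMS_LOG):
        print(f"ALERT {when}: external Teams call to {user} from {caller} after email bomb")
```

A real deployment would read the mail gateway and Teams audit feeds instead of the constructed lists, and tune the threshold to the organization's normal inbound volume per user.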