Sophos Uncovers Sophisticated Ransomware Attacks Exploiting Microsoft Teams and Quick Assist

Listen to this Post

2025-01-22

In the ever-evolving landscape of cyber threats, Sophos researchers have recently uncovered two distinct clusters of ransomware activity, tracked as STAC5143 and STAC5777. These attacks, observed in November and December 2024, exploit Microsoft Teams and Quick Assist, leveraging social engineering and legitimate Microsoft tools to infiltrate victim systems. The findings reveal a concerning overlap with known threat actors and highlight the need for organizations to bolster their defenses against these sophisticated tactics.

As organizations increasingly rely on cloud-based collaboration tools like Microsoft Teams, cybercriminals are finding innovative ways to exploit these platforms for malicious purposes. Sophos’ investigation into STAC5143 and STAC5777 sheds light on how threat actors are using Microsoft’s own tools to bypass security measures, deploy malware, and execute ransomware attacks. This article delves into the tactics, techniques, and procedures (TTPs) employed by these clusters, their potential links to notorious threat groups, and actionable recommendations to mitigate such risks.

the Attacks

1. STAC5143 and STAC5777 Clusters: Sophos identified two distinct ransomware clusters, STAC5143 and STAC5777, responsible for over 15 incidents in the past three months, with half occurring in the last two weeks of December 2024.

2. Exploitation of Microsoft Teams: Both clusters exploited a default Teams setting that allows external users to contact internal users. Attackers posed as tech support or IT personnel, using Teams messages and calls to gain trust and initiate attacks.

3. STAC5143 Tactics: This cluster relies on Teams’ remote control capabilities and deploys Java-based tools to exploit systems. It extracts Python backdoors from ZIP files downloaded via SharePoint links, mimicking the playbook of the FIN7/Sangria Tempest/Carbon Spider threat actor.

4. STAC5777 Tactics: This group uses Microsoft Quick Assist and manual configuration changes to deploy malware. It combines a legitimate Microsoft updater with a malicious DLL to establish persistence, steal credentials, and discover network resources. In some cases, it deploys Black Basta ransomware.

5. Common Techniques: Both clusters employ email bombing (sending up to 3,000 spam emails in under an hour), social engineering via Teams, and Microsoft remote tools to install malware.

6. Attack Workflow:

– STAC5143 attacks begin with spam emails, followed by a Teams call from a fake “Help Desk Manager.” Attackers request remote screen control, drop malicious files, and execute PowerShell commands to deploy ProtonVPN and a malicious DLL.
– STAC5777 attacks also start with spam emails, followed by a Teams message from a fake IT support agent. Victims are guided to install Quick Assist, enabling attackers to download and deploy a malicious payload.

7. Payload Details: The payload includes a legitimate Microsoft-signed executable, unsigned OpenSSL DLLs, and a malicious DLL named winhttp.dll. This DLL collects system details, credentials, and keystrokes, while registry changes establish command-and-control connections.

8. Recommendations: Sophos advises organizations to restrict external Teams calls, limit the use of remote access tools like Quick Assist, and integrate Microsoft Office 365 with their security environment for monitoring. Employee awareness training is also critical to combat social engineering tactics.

What Undercode Say:

The Sophos report on STAC5143 and STAC5777 underscores a growing trend in cyberattacks: the weaponization of legitimate tools and platforms. By exploiting Microsoft Teams and Quick Assist, threat actors are bypassing traditional security measures and leveraging trusted applications to carry out their attacks. This approach not only increases the likelihood of success but also complicates detection and response efforts.

Key Insights:

1. Exploitation of Trusted Platforms: Microsoft Teams and Quick Assist are widely used in corporate environments, making them ideal targets for attackers. By impersonating IT support or help desk personnel, threat actors exploit the inherent trust users place in these platforms.

2. Blurring the Lines Between Legitimate and Malicious Activity: The use of legitimate Microsoft-signed executables alongside malicious DLLs highlights the challenge of distinguishing between safe and harmful files. This tactic, known as DLL side-loading, allows attackers to evade detection by traditional antivirus solutions.

3. Social Engineering at Its Core: Both clusters rely heavily on social engineering tactics, such as email bombing and fake Teams messages, to create a sense of urgency and manipulate victims into granting access. This emphasizes the need for comprehensive employee training that goes beyond standard anti-phishing protocols.

4. Overlap with Known Threat Actors: The TTPs of STAC5777 overlap with those of Storm-1811, a group previously identified by Microsoft. Similarly, STAC5143 mimics the playbook of FIN7/Sangria Tempest/Carbon Spider, suggesting potential links to these notorious threat actors. This overlap indicates a possible evolution or collaboration among cybercriminal groups.

5. Ransomware as the Endgame: The deployment of Black Basta ransomware by STAC5777 highlights the financial motivation behind these attacks. Ransomware remains a lucrative business for cybercriminals, and the use of advanced tactics ensures higher success rates.

Mitigation Strategies:

1. Restrict External Access: Organizations should limit external Teams calls to trusted partners and disable unnecessary remote access tools like Quick Assist unless explicitly required.

2. Enhance Monitoring: Integrating Microsoft Office 365 with security environments can help detect and block malicious inbound traffic from Teams or Outlook.

3. Employee Training: Regular training sessions should cover emerging threats, including social engineering tactics that exploit collaboration tools. Employees should be able to identify and report suspicious activity.

4. Application Control: Tools like Sophos’ endpoint protection can block unauthorized execution of remote access applications, reducing the attack surface.

5. Indicators of Compromise (IOCs): Organizations should monitor for the IOCs provided by Sophos to identify and respond to potential breaches.

The Bigger Picture:

The Sophos report serves as a stark reminder of the evolving nature of cyber threats. As organizations adopt new technologies, cybercriminals are quick to adapt, finding innovative ways to exploit vulnerabilities. The use of legitimate tools for malicious purposes blurs the line between safe and harmful activity, making it increasingly difficult for traditional security measures to keep up.

In this context, a proactive and layered security approach is essential. By combining technical controls, employee awareness, and continuous monitoring, organizations can better defend against these sophisticated attacks. The findings also highlight the importance of collaboration between cybersecurity vendors and organizations to stay ahead of emerging threats.

In conclusion, the STAC5143 and STAC5777 campaigns represent a significant escalation in the tactics used by ransomware operators. By exploiting trusted platforms and leveraging social engineering, these attacks demonstrate the need for a comprehensive and adaptive security strategy. As cybercriminals continue to innovate, organizations must remain vigilant, continuously updating their defenses to protect against the ever-changing threat landscape.

References:

Reported By: Securityaffairs.com
https://stackoverflow.com
Wikipedia: https://www.wikipedia.org
Undercode AI: https://ai.undercodetesting.com

Image Source:

OpenAI: https://craiyon.com
Undercode AI DI v2: https://ai.undercode.helpFeatured Image