Storm-0324: An Enabler of Ransomware
Category: Threat Actor Activity | Industry: Global | Source: Microsoft
In a recent report by Microsoft, the financially motivated threat actor known as Storm-0324 (also tracked as DEV-0324, TA543, and Sagrid) has come into focus. This group has been active since at least 2016 and primarily targets organizations through email-based infection vectors; as of July 2023, its latest campaigns distribute lures through Microsoft Teams chats. Storm-0324 employs a highly evasive infection chain, leveraging traffic distribution systems such as BlackTDS and Keitaro to avoid detection. It typically uses deceptive themes such as invoices and payments to lure victims. Over the years, its distribution has included various first-stage payloads, including banking malware such as IcedID, Trickbot, and Dridex, as well as ransomware such as Sage and GandCrab. Since 2019, however, Storm-0324 has mainly distributed JSSLoader, often handing off access to threat actors such as Sangria Tempest (aka FIN7), which can result in ransomware impact.