Threat Clusters STAC5143 and STAC5777 Exploit Email Bombarding and Microsoft Remote Tools
Clusters of threat activity observed in November and December 2024 revealed threat actors leveraging similar tactics, abusing Microsoft Office 365 infrastructure, and employing social engineering to compromise targeted organizations. These clusters, tracked as STAC5143 and STAC5777, were detailed in reporting by Sophos X-Ops’ Managed Detection and Response (MDR) team. While there were notable distinctions between the two groups, both exploited Microsoft Office 365 tenants and default Teams configurations to infiltrate organizations. Their methods combined email bombing with the abuse of remote access tools to create opportunities for engagement under the guise of IT support through Teams messages or calls. Despite varying methodologies, both groups relied heavily on Windows native tools, particularly those with remote access capabilities. Sophos noted observing "more than 15 incidents involving these tactics in the past three months, with half of them in the past two weeks."
STAC5143 stands out because Sophos assesses with "medium confidence" that it is connected to the FIN7 (also known as Carbon Spider or Sangria Tempest) threat group, based on the Python malware deployed during the final stage of the intrusion. Email bombing and Teams messages provided an entry point for the operation, with one attack involving "3,000 emails in a 45-minute period." Under this pressure, attackers impersonated IT support via a Teams account named “Help Desk Manager,” initiating remote screen-sharing sessions to drop files. These files, sourced from an external SharePoint file store, included a JAR file executed using the Java runtime. Reconnaissance followed using WMIC to obtain process IDs for "java.exe" and "javaw.exe," alongside commands to set UTF-8 encoding and bypass the PowerShell execution policy. Malicious payloads, such as a ProtonVPN executable and a side-loaded DLL, were deployed in public directories like C:\Users\Public\Downloads.
Further reconnaissance involved commands such as "whoami" and "net" to query user and domain information. Approximately an hour into the attack, Python malware disguised as "debug.exe" was deployed. Analysis revealed the malware used obfuscation techniques involving a lambda function and components of RPivot, a reverse SOCKS proxy. Sophos reported, "backdoors received commands from the remote connection over port 80, and another script (37_44.py) connected to a Tor relay." Attribution to FIN7 was based on obfuscation methods previously linked to FIN7-related Python malware loaders and the use of RPivot.
STAC5777, linked to the threat group Microsoft tracks as Storm-1811, exhibited distinct tactics, including more “hands-on-keyboard” activity. The group utilized help desk scams via Microsoft Teams to deploy ransomware, specifically Black Basta. After email bombing campaigns, attackers contacted victims through Teams, guiding them to install Microsoft Quick Assist for remote access. Once access was established, attackers downloaded additional payloads and staged files in directories such as C:\Users\<username>\AppData\Local\OneDriveUpdate\. Persistence was achieved by modifying the registry using "reg add" commands and creating a shortcut .lnk file in the startup folder via PowerShell.
The attackers used Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM) to map the network and identify hosts of interest. Sophos reported, "At one organization, they used a targeted individual’s domain credentials to connect to the organization’s VPN from outside the network and then to log into RDP hosts within the network. At another organization, they used Windows Remote Management (WinRM) to perform lateral movement." The threat actors impaired defenses by disabling multi-factor authentication and unsuccessfully attempting to remove Sophos' security agent. They also exploited unsecured credentials stored in text files and utilized the "mstsc.exe" utility to access and edit Remote Desktop Protocol (.rdp) file configurations. These activities culminated in the deployment of Black Basta ransomware.
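The tradecraft described in the preceding paragraphs (WMIC lookups of Java process IDs, PowerShell execution-policy bypass, payloads staged under C:\Users\Public\Downloads and the per-user OneDriveUpdate folder, "reg add" persistence, a startup-folder .lnk created via PowerShell, and Quick Assist as the remote-access entry point) maps cleanly onto process-creation telemetry. The following is an added detection example written for this page; it is not code from Sophos or from the report. It runs over a handful of constructed Sysmon-style events (all hostnames, file names and values are invented for illustration) and assumes the registry Run/RunOnce keys as the autorun target for "reg add" and `QuickAssist.exe` as the binary name of Microsoft Quick Assist, neither of which the report states explicitly. The final correlation rule raises severity when a remote-assistance tool launch on a host is followed by execution from one of the staging directories, which is the sequence the STAC5777 intrusions followed.

```python
"""Detection logic for the STAC5143 / STAC5777 tradecraft, run over constructed
process-creation events. Added example; not the report's or Sophos' code."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Staging directories named in the report; <username> is matched as a wildcard.
STAGING_DIR_PATTERNS = [
    re.compile(r"^c:\\users\\public\\downloads\\", re.I),
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\onedriveupdate\\", re.I),
]
# Assumption: Run/RunOnce autorun keys as the "reg add" persistence target.
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\b", re.I)
STARTUP_DIR_RE = re.compile(r"start menu\\programs\\startup", re.I)
# Assumption: binary name of Microsoft Quick Assist.
REMOTE_TOOLS = {"quickassist.exe"}


@dataclass
class Event:
    seq: int        # monotonically increasing order of occurrence
    host: str
    image: str      # full path of the created process
    cmdline: str


@dataclass
class Finding:
    rule: str
    host: str
    seq: int
    detail: str


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Apply the per-event rules; returns a list of Finding objects."""
    hits = []
    exe = basename(ev.image)
    cl, cl_l = ev.cmdline, ev.cmdline.lower()
    # STAC5143 recon: WMIC enumerating process IDs of java.exe / javaw.exe.
    if exe == "wmic.exe" and "process" in cl_l and re.search(r"javaw?\.exe", cl_l):
        hits.append(Finding("wmic_java_pid_lookup", ev.host, ev.seq, cl))
    # PowerShell launched with the execution policy bypassed (-ep/-ex... bypass).
    if exe in ("powershell.exe", "pwsh.exe") and re.search(r"-(ep|ex\w*)\s+bypass", cl_l):
        hits.append(Finding("powershell_execpolicy_bypass", ev.host, ev.seq, cl))
    # Anything executing out of the staging directories named in the report.
    if any(p.match(ev.image) for p in STAGING_DIR_PATTERNS):
        hits.append(Finding("exec_from_staging_dir", ev.host, ev.seq, ev.image))
    # "reg add" against an autorun key (STAC5777 persistence).
    if exe == "reg.exe" and re.search(r"\badd\b", cl_l) and RUN_KEY_RE.search(cl):
        hits.append(Finding("reg_add_autorun", ev.host, ev.seq, cl))
    # PowerShell writing a .lnk into the per-user Startup folder.
    if exe in ("powershell.exe", "pwsh.exe") and STARTUP_DIR_RE.search(cl) and ".lnk" in cl_l:
        hits.append(Finding("startup_lnk_via_powershell", ev.host, ev.seq, cl))
    # Remote-assistance tool launched (informational on its own; used for correlation).
    if exe in REMOTE_TOOLS:
        hits.append(Finding("remote_assist_tool_launched", ev.host, ev.seq, ev.image))
    return hits


def scan(events):
    """Run per-event rules in order, then correlate remote-assist -> staged execution."""
    findings = []
    for ev in sorted(events, key=lambda e: e.seq):
        findings.extend(check_event(ev))
    first_remote = {}
    for f in findings:
        if f.rule == "remote_assist_tool_launched":
            first_remote.setdefault(f.host, f.seq)
    for f in list(findings):
        if (f.rule == "exec_from_staging_dir" and f.host in first_remote
                and f.seq > first_remote[f.host]):
            findings.append(Finding("remote_assist_then_staged_payload", f.host, f.seq, f.detail))
    return findings


def rules_by_host(findings):
    """Collapse findings to {host: sorted list of rule names} for triage."""
    out = defaultdict(set)
    for f in findings:
        out[f.host].add(f.rule)
    return {h: sorted(r) for h, r in out.items()}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample telemetry; hosts, users and file names are invented.
SAMPLE_EVENTS = [
    Event(1, "WS01", r"C:\Windows\System32\wbem\WMIC.exe",
          r"""wmic process where "name='javaw.exe'" get processid"""),
    Event(2, "WS01", PS, r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\Downloads\run.ps1"),
    Event(3, "WS01", r"C:\Users\Public\Downloads\protonvpn_setup.exe", "protonvpn_setup.exe"),
    Event(4, "WS02", r"C:\Windows\System32\quickassist\QuickAssist.exe", "QuickAssist.exe"),
    Event(5, "WS02", r"C:\Users\jdoe\AppData\Local\OneDriveUpdate\update.exe", "update.exe"),
    Event(6, "WS02", r"C:\Windows\System32\reg.exe",
          r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDriveUpdate /t REG_SZ "
          r"/d C:\Users\jdoe\AppData\Local\OneDriveUpdate\update.exe"),
    Event(7, "WS02", PS,
          r'powershell.exe -c "(New-Object -ComObject WScript.Shell).CreateShortcut('
          r'\"$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk\").Save()"'),
    Event(8, "WS03", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for host, rules in rules_by_host(scan(SAMPLE_EVENTS)).items():
        print(host, rules)
```

Individually, several of these rules (a WMIC process query, a Quick Assist launch) are noisy in an environment where IT actually uses those tools; the value is in the sequence, which is why `scan` only escalates to `remote_assist_then_staged_payload` when the remote tool precedes execution from a staging path on the same host. In production the same logic would consume Sysmon Event ID 1 or EDR process events rather than the inline list.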
Sophos’ analysis of STAC5143 and STAC5777 highlights a trend of adversaries leveraging legitimate infrastructure and tools to enhance their operations. Understanding trending tactics, particularly social engineering, can help employees become aware of active threat actor techniques.