Two ransomware campaigns tracked using 'email bombing,' Microsoft Teams 'vishing'
Essential information
- Published
- 21/01/2025 12:40
- Modified
- 21/01/2025 17:16
- Tags
- 2025-01-21 black basta email bombing microsoft teams office 365 ransomware stac5143 stac5777 vishing
- Related entities
- 15 observables, 1 intrusion sets (apt), 7 techniques (mitre), 1 malware
Description
Sophos MDR has identified two threat clusters, STAC5143 and STAC5777, utilizing Microsoft Office 365 to gain unauthorized access to organizations. Both groups employ email bombing and fake tech support social engineering via Microsoft Teams to deliver malware. STAC5143 uses Java and Python-based tools, possibly linked to FIN7. STAC5777 employs Microsoft Quick Assist for remote access and deploys malware through a legitimate Microsoft updater. This group has connections to the Black Basta ransomware. Both clusters aim to steal data and deploy ransomware, using similar tactics but different tools and malware. The report details their attack chains, malware analysis, and attribution, highlighting the need for improved security measures and employee awareness.