Storm-0324 threat actor distributes malware via Microsoft Teams chats




A financially motivated threat actor known as Storm-0324 is distributing malware via Microsoft Teams chats, according to a new blog post from Microsoft. 

The actor is known to gain initial access to networks using email-based infection vectors, and then hand off access to other threat actors, such as ransomware groups.

In case you missed it, in July 2023, Storm-0324 was observed using an open-source tool to send phishing lures through Microsoft Teams chats. 

The lures typically contain malicious links that, when clicked, download malware onto the victim’s computer. The malware can then be used to steal sensitive data, install ransomware, or take other actions. 

In this case, the link appears legitimate at first glance, but when clicked, it leads to SharePoint-hosted files that contain malware.

“Storm-0324 has used many file formats to launch the malicious JavaScript including Microsoft Office documents, Windows Script File (WSF), and VBScript, among others,” the report reads. 

The Storm-0324 group has been active since at least 2016 and has been linked to several high-profile attacks, including a few banking trojans, as well as Sage and GandCrab ransomware.

Microsoft has also released the findings of its investigation into the Chinese threat actor Storm-0558. The actor exploited a zero-day validation issue in the GetAccessTokenForResourceAPI, which has since been patched.
