Full Report
Sophos has warned of IT impersonation vishing attacks designed to remotely deploy ransomware
Analysis Summary
# Tool/Technique: Email Bombing and Teams Vishing Tactics (Associated with STAC5143 and STAC5777)
## Overview
This summary covers the multi-stage social engineering attack deployed by two ransomware-associated threat clusters, STAC5143 and STAC5777, observed since November 2024. The primary goal is gaining remote access to victim machines to facilitate data exfiltration and potential extortion, sometimes resulting in the deployment of Black Basta ransomware. The technique relies heavily on overwhelming the victim via email followed by targeted voice phishing (vishing) via Microsoft Teams.
## Technical Details
- Type: Technique/Procedure (Executed via Social Engineering/Malware deployment)
- Platform: End-user Desktops (Windows implied via Quick Assist, RDP, WinRM usage)
- Capabilities: Mass spam delivery ("Email Bombing"), Voice/Social engineering ("Vishing") via Microsoft Teams, Remote Access Software installation (e.g., Quick Assist), Malware deployment (Python malware, potentially Black Basta).
- First Seen: Incidents observed starting November 2024.
## MITRE ATT&CK Mapping
The attack chain primarily focuses on initial access and execution via social engineering:
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (Potentially involved in initial step, though the focus is on subsequent voice contact)
- **TA0006 - Credential Access** (Goal is gaining control which can lead to credential theft)
  - T1003 - OS Credential Dumping (Implied if malware is installed)
- **TA0007 - Discovery** (Implied for STAC5777 activity)
  - T1018 - Remote System Discovery
- **TA0011 - Command and Control** (Implied for C2 activity following initial access)
  - T1071 - Application Layer Protocol
- **TA0004 - Privilege Escalation** (Implied follow-on)
## Functionality
### Core Capabilities
The attack sequence proceeds through three stages:
1. **Email Bombing:** Victims are bombarded with a large volume of spam emails (potentially up to 3000 in under an hour) to create confusion and an urgent scenario.
2. **Teams Vishing:** The victim is contacted via a Microsoft Teams call by an attacker posing as IT support, offering "assistance" to resolve the issue suggested by the spam wave.
3. **Remote Access Acquisition:** The attacker directs the victim to install remote access software like **Quick Assist** or use **Teams screen sharing** to gain unattended control of the machine.
### Advanced Features
- **STAC5143:** Associated with Python malware showing identical obfuscation methods used by FIN7. Sophos assesses medium confidence in its operational link to FIN7/Sangria Tempest. Known to use the **RPivot** tool previously.
- **STAC5777:** Exhibits more "hands-on-keyboard" command execution and utilizes standard Windows protocols like **RDP (Remote Desktop Protocol)** and **Windows Remote Management (WinRM)** for lateral movement within the network. This cluster was observed deploying **Black Basta ransomware** in at least one instance.
## Indicators of Compromise
*Note: The context provided focuses on TTPs rather than specific IoCs like hashes or C2 addresses, except for tool names.*
- File Hashes: [Not available in context]
- File Names: Remote access software like **Quick Assist** may be initiated or confirmed installed by the victim.
- Registry Keys: [Not available in context]
- Network Indicators: Use of **Microsoft Teams** for communication and potential use of **RDP/WinRM** for lateral movement.
- Behavioral Indicators: High volume of incoming spam, subsequent inbound Microsoft Teams calls claiming to be IT support, and observed use of remote access utilities following social engineering demands.
## Associated Threat Actors
- **STAC5143:** Previously unreported cluster, medium confidence link to **FIN7/Sangria Tempest**.
- **STAC5777:** Threat cluster showing links to actors known to deploy **Black Basta ransomware**.
## Detection Methods
- Signature-based detection: Not explicitly mentioned for the initial social engineering phase, but applicable for deployed malware (Python malware, Black Basta).
- Behavioral detection: Monitoring for unusual remote access tool execution (Quick Assist) initiated following unexpected communications (spam/Teams calls). Monitoring for mass inbound Teams calls from external/unknown sources.
- YARA rules: [Not available in context]
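The behavioral detection described above is a correlation problem: an inbound email spike, followed by an inbound Teams call from outside the tenant, followed by a remote access tool launching on the same user's machine. The following Python script is an added example (not code from Sophos or from the report) that runs that correlation over constructed sample events. The event schema, the field names, and the thresholds (100 messages in one hour, a call within six hours of the spike, a tool launch within 30 minutes of the call) are assumptions chosen for illustration, not values taken from the report; in practice they would be tuned to the organization's mail and Teams telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example, not figures from the Sophos report.
EMAIL_BOMB_THRESHOLD = 100                 # inbound messages to one user...
EMAIL_BOMB_WINDOW = timedelta(hours=1)     # ...within this sliding window
CALL_LOOKBACK = timedelta(hours=6)         # external Teams call this soon after the spike
TOOL_LOOKAHEAD = timedelta(minutes=30)     # remote tool launched this soon after the call
REMOTE_TOOLS = {"quickassist.exe"}         # extend with other remote access binaries as needed


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_email_bombs(events):
    """Return {user: spike_start} for users who received >= EMAIL_BOMB_THRESHOLD
    inbound messages inside any EMAIL_BOMB_WINDOW (sliding window over sorted times)."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "email":
            by_user[e["user"]].append(_ts(e))
    spikes = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > EMAIL_BOMB_WINDOW:
                start += 1
            if end - start + 1 >= EMAIL_BOMB_THRESHOLD:
                spikes[user] = times[start]   # record the first window that crosses the threshold
                break
    return spikes


def correlate(events):
    """Raise a medium alert for an external inbound Teams call that follows an email
    bomb, and escalate to high if a remote access tool starts shortly after the call."""
    spikes = find_email_bombs(events)
    alerts = []
    for call in events:
        if call["type"] != "teams_call" or call["direction"] != "inbound" or not call["external"]:
            continue
        user = call["user"]
        if user not in spikes:
            continue
        call_ts, spike_ts = _ts(call), spikes[user]
        if not (spike_ts <= call_ts <= spike_ts + CALL_LOOKBACK):
            continue
        alert = {"user": user, "severity": "medium", "spike_start": spike_ts.isoformat(),
                 "caller": call["caller"], "remote_tool": None}
        for proc in events:
            if proc["type"] == "process" and proc["user"] == user \
                    and proc["image"].lower() in REMOTE_TOOLS \
                    and call_ts <= _ts(proc) <= call_ts + TOOL_LOOKAHEAD:
                alert["severity"] = "high"
                alert["remote_tool"] = proc["image"]
                break
        alerts.append(alert)
    return alerts


def build_sample_events():
    """Constructed sample telemetry: alice is bombed, called from outside, then launches
    Quick Assist; bob gets an external call with no spike; carol gets a spike but no call."""
    base = datetime(2024, 11, 20, 9, 0)
    events = []
    events += [{"type": "email", "user": "alice", "ts": (base + timedelta(seconds=15 * i)).isoformat()}
               for i in range(150)]
    events += [{"type": "email", "user": "bob", "ts": (base + timedelta(minutes=10 * i)).isoformat()}
               for i in range(3)]
    events += [{"type": "email", "user": "carol", "ts": (base + timedelta(seconds=20 * i)).isoformat()}
               for i in range(120)]
    events += [
        {"type": "teams_call", "user": "alice", "ts": (base + timedelta(minutes=65)).isoformat(),
         "direction": "inbound", "external": True, "caller": "helpdesk@support-example.invalid"},
        {"type": "teams_call", "user": "bob", "ts": (base + timedelta(minutes=70)).isoformat(),
         "direction": "inbound", "external": True, "caller": "partner@partner-example.invalid"},
        {"type": "process", "user": "alice", "ts": (base + timedelta(minutes=72)).isoformat(),
         "image": "QuickAssist.exe"},
    ]
    return events


if __name__ == "__main__":
    for alert in correlate(build_sample_events()):
        print(alert)
```

Only alice produces an alert: bob has an external call but no preceding spike, and carol has a spike but no call, so neither crosses the correlation threshold. The three-stage chain is what distinguishes this campaign from ordinary spam or ordinary partner calls, which is why the logic demands all of them before escalating to high.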
## Mitigation Strategies
- **Microsoft 365 Configuration:** Restrict Teams calls originating from outside the organization or limit them only to verified, trusted business partners.
- **Application Control:** Restrict the installation or unauthorized use of general remote access applications like Quick Assist.
- **Monitoring:** Actively monitor for sources of potentially malicious inbound traffic via Teams and Outlook.
- **User Training:** Update employee awareness programs to specifically address "Email Bombing" tactics aimed at conditioning victims for a follow-up "Vishing" call. Emphasize verifying the identity of technical support personnel and being wary of urgency tactics.
## Related Tools/Techniques
- **Quick Assist:** A legitimate remote access tool leveraged by the attackers.
- **RPivot:** A tool previously used by FIN7.
- **Black Basta:** Ransomware deployed by the STAC5777 cluster.
- **FIN7/Sangria Tempest:** Threat group potentially linked to STAC5143.
- **Vishing/Voice Phishing:** General category of the social engineering voice component.