How Are Ransomware Threats Using Office 365 to Attack Organizations?

In recent months, the threat landscape has evolved with ransomware campaigns exploiting the functionalities of Microsoft’s Office 365 platform, with two particular groups of threat actors becoming prominent. Sophos X-Ops’ Managed Detection and Response (MDR) has been actively responding to incidents linked to these actors, tracking their activities to prevent data theft and ransomware deployment. These groups, identified as STAC5143 and STAC5777, have ingeniously utilized Office 365 tools like Microsoft Teams and Quick Assist to exploit organizational vulnerabilities and deploy malicious software. This article explores their tactics, from their initial entry to final execution, detailing the steps they take to compromise systems.

1. Initial Entry

In early November, an employee at a Sophos MDR customer organization reported to their internal IT contact that they had received an exceptionally large volume of spam messages, over 3,000 in a 45-minute period. Shortly after that, they received a Teams call from outside their organization, from an account named “Help Desk Manager.” Because the organization used a managed service provider for IT services, this did not set off red flags for the employee, who accepted the video call. During the call, the threat actor instructed the employee to allow a remote screen control session through Teams. Through this remote-control session, the attacker was able to open a command shell, drop files and execute malware, deploying them from an external SharePoint file store. The files included Java archive (JAR) files and a .zip archive containing Python code and other components.

The threat actor abused legitimate Office 365 functionality to trick the victim into granting access to their system. The initial step, bombarding the victim with relentless spam, manufactured an urgent need to seek help. The subsequent call from a seemingly legitimate “Help Desk Manager” completed the deception, enabling access without raising suspicion. This initial breach facilitated the deployment of malware, setting the stage for deeper system exploitation. The scenario highlights the importance of verifying unknown contacts, especially those requesting remote access to sensitive systems, and of treating an unexpected external Teams call as suspicious.

2. First Stage Execution

The threat actor executed the JAR file from a command shell opened during the remote session with a copy of the legitimate javaw.exe, a Java “headless” runtime that interprets and executes Java code with no console output. This method leveraged the legitimate Java runtime, ensuring that their activities remained under the radar of standard detection mechanisms. Executing the JAR file initiated a chain of malicious operations designed to establish control and gather information about the compromised system.

Using legitimate software to execute malicious code is a common tactic among advanced threat actors, as it helps them avoid detection by security software. In this case, utilizing javaw.exe allowed the attacker to bypass many security measures that might alert to the presence of unauthorized software. The execution of the JAR file was a critical step, enabling the threat actors to install malicious payloads that could exploit further system vulnerabilities. This blend of legitimate software with malicious intent underscores the sophistication of these attacks and the need for robust security measures that can detect abnormal usage patterns within authorized applications.

3. Command and Control Setup

Via the Java-based proxy in MailQueue-Handler.jar, the attacker identified the process ID for javaw.exe using the Windows Management Instrumentation command line utility (WMIC.exe). The attacker then changed the code page for the active console window to “65001” to allow UTF-8 encoding for multilingual input and output support. This was likely used along with PowerShell execution policy bypass to allow encoded commands to be executed and evade AMSI detection.

This maneuver involved strategic alterations to system settings using legitimate, built-in tools of the Windows operating system. By changing the code page and utilizing PowerShell execution policy bypass, the threat actor could customize their command execution environment, optimizing it for future malicious activities. The evasion of AMSI detection further demonstrates the expertise involved in these operations, as bypassing antivirus and prevention tools is crucial for maintaining prolonged, undetected access to the compromised system. Such tactics highlight the attacker’s capability to blend into normal system operations subtly, making detection challenging for conventional security tools.

4. Download and Extraction

The Java code then ran a series of PowerShell commands that downloaded a 7zip archive and the 7zip archiving utility. The utility was then used to extract the archive’s contents: a ProtonVPN executable and a malicious DLL (nethost.dll) side-loaded by the Proton executable. This stage of the attack was methodically executed to deploy additional malicious components onto the compromised system, thus fortifying the attack infrastructure.

Downloading and extracting additional payloads using tools like 7zip facilitated the loading of a robust malware framework. ProtonVPN, a legitimate piece of software, was repurposed to execute the malicious DLL, demonstrating a typical tactic of leveraging trusted software for nefarious purposes. This approach of using side-loading techniques allows malicious actors to manipulate trusted applications, embedding harmful code without triggering alarms commonly set for rogue executables. This stage represents the consolidation phase of the attack, where the attacker’s foothold on the system is strengthened through the deployment of sophisticated tools capable of further exploitation and data exfiltration.

5. Discovery Phase

The attacker then obtained the target’s username using whoami.exe, and discovered network resources the user has access to via the net user command. This phase of the attack was crucial for understanding the compromised environment, as gathering information about the user and network resources enabled the attacker to plan subsequent actions strategically.

Using tools inherent to the Windows operating system—whoami.exe and net.exe—the attacker could efficiently map the network, identify valuable targets, and discern the level of access and control they could potentially achieve. The discovery phase plays a pivotal role in structuring an attack, as understanding the scope and scale of the compromised environment allows the attacker to prioritize targets and optimize their strategy for maximum impact. Identifying network resources available to the user provides insights into possible lateral movement, enabling the attacker to propagate the infection across the network swiftly.

6. Sideload / Command and Control

The Java code then launched the ProtonVPN executable to sideload nethost.dll, which created sessions connecting to virtual private servers hosted in Russia, the Netherlands, and the US. This behavior triggered Sophos endpoint protection behavioral detections for an unsigned DLL sideload. The establishment of command and control channels was a significant milestone in the attack, as it allowed the attacker to interact with the compromised system remotely.

Connecting to virtual private servers in various locations provided the attackers with a dispersed infrastructure, complicating attribution and takedown efforts by cybersecurity professionals. The connections made to servers in different countries also highlight the global nature of these threats, leveraging diverse and geographically widespread resources to maintain operational security. The use of ProtonVPN and the sideloading of nethost.dll exemplify the sophisticated methods employed to avoid detection and ensure persistent control over the compromised system, demonstrating the need for comprehensive, behavior-based detection mechanisms.

7. Second Stage Execution

The code from the JAR next opens another cmd.exe session, again configuring it for UTF-8, and executes a second Java .jar file (identity.jar) with javaw.exe, passing the target user’s username and Active Directory domain as parameters to the second-stage Java code. This stage marked the transition to deeper system compromise, leveraging the compromised system’s identity data to execute further harmful operations.

Executing the second-stage Java .jar file involved advanced configuration changes to facilitate the execution of encoded commands, further reinforcing the attacker’s control over the system. By passing user-specific parameters, the threat actors tailored their operations to the compromised environment, ensuring that the deployed payloads were optimally configured for the targeted system. This level of customization underscores the precision and adaptability of modern ransomware campaigns, highlighting the necessity for dynamic and resilient defensive strategies.

8. Python Payload Deployment

An hour later, the tar.exe archive utility was used by the second-stage Java payload to extract files from the dropped file winter.zip to C:\ProgramData. This was the Python malware payload being deployed. In addition, a series of commands were run to perform local user and network discovery, obtaining the names of network domain servers and their IP addresses. This phase involved deploying Python scripts, integral components of the final execution stage.

Using the tar.exe utility to extract the payload underscores the continued use of legitimate tools to facilitate malicious activities. By deploying Python malware, the attackers added another layer of sophisticated, flexible scripting that could be tailored to perform a variety of harmful functions, including further network discovery and exploitation. The focus on local user and network information collection highlights the attackers’ strategy of accumulating as much information as possible to plan and execute subsequent phases of their malicious campaign.
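The chain above (a copied javaw.exe launching a JAR from a user-writable path, the chcp 65001 plus execution-policy-bypass plus encoded PowerShell combination, whoami/net discovery, and tar.exe extraction into C:\ProgramData) lends itself to telemetry rules. The Python below is an added example written for this article, not code from Sophos or the report: it runs such rules over constructed process-creation records (Sysmon Event ID 1 style), decodes the -EncodedCommand argument for the analyst, and flags a per-host discovery burst. Host names, user paths, timestamps and the encoded payload are assumptions.

```python
import base64, re
from datetime import datetime, timedelta

def ev(t, image, cmd, host="WS01"):
    return {"t": datetime.fromisoformat(t), "host": host, "image": image, "cmd": cmd}

# Constructed process-creation records; host, user, paths and timestamps are invented.
# The encoded PowerShell payload is a harmless Write-Output (base64 of UTF-16LE).
ENC = base64.b64encode("Write-Output 'demo'".encode("utf-16le")).decode()
DL = r"C:\Users\jdoe\Downloads"
EVENTS = [
    ev("2024-11-05T10:02:10", rf"{DL}\javaw.exe", rf"javaw.exe -jar {DL}\MailQueue-Handler.jar"),
    ev("2024-11-05T10:02:30", r"C:\Windows\System32\cmd.exe",
       "cmd.exe /c chcp 65001 && powershell -ExecutionPolicy Bypass -EncodedCommand " + ENC),
    ev("2024-11-05T10:03:00", r"C:\Windows\System32\whoami.exe", "whoami"),
    ev("2024-11-05T10:03:05", r"C:\Windows\System32\net.exe", "net user"),
    ev("2024-11-05T11:05:00", r"C:\Windows\System32\tar.exe", rf"tar.exe -xf {DL}\winter.zip -C C:\ProgramData"),
    # Benign control on another host: an IDE's javaw under Program Files must not match.
    ev("2024-11-05T09:00:00", r"C:\Program Files\IDE\jre\bin\javaw.exe",
       r"javaw.exe -jar C:\Program Files\IDE\lib\tool.jar", host="DEV02"),
]
USER_DIRS = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmd):
    """Plaintext of a PowerShell -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmd)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

# One rule per stage of the chain; each takes a record and returns truthy on match.
RULES = {
    "javaw_jar_from_user_path": lambda e: e["image"].lower().endswith("javaw.exe")
        and "-jar" in e["cmd"].lower() and USER_DIRS.search(e["image"] + " " + e["cmd"]),
    "utf8_codepage_bypass_encoded_ps": lambda e: "chcp 65001" in e["cmd"].lower()
        and "bypass" in e["cmd"].lower() and decode_encoded_command(e["cmd"]) is not None,
    "tar_extract_into_programdata": lambda e: e["image"].lower().endswith("tar.exe")
        and " -x" in e["cmd"] and "programdata" in e["cmd"].lower(),
}
DISCOVERY = {"whoami.exe", "net.exe"}

def detect(events, window=timedelta(minutes=5)):
    """Return (rule, host, time) hits: single-event rules plus a per-host discovery burst."""
    hits = [(n, e["host"], e["t"].isoformat()) for e in events for n, r in RULES.items() if r(e)]
    seen = {}  # host -> [(time, discovery tool)]
    for e in events:
        tool = e["image"].lower().rsplit("\\", 1)[-1]
        if tool in DISCOVERY:
            seen.setdefault(e["host"], []).append((e["t"], tool))
    for host, runs in seen.items():  # two or more distinct tools inside `window` = burst
        t0 = min(t for t, _ in runs)
        if len({tool for t, tool in runs if t <= t0 + window}) >= 2:
            hits.append(("discovery_burst", host, t0.isoformat()))
    return hits
```

Running detect(EVENTS) yields the three stage hits for WS01 plus one discovery burst, and nothing for the DEV02 control record.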

9. Final Execution


By understanding the approaches of STAC5143 and STAC5777, organizations can better prepare defensive strategies against such threats, emphasizing the importance of robust security measures and constant vigilance to protect sensitive data and infrastructure from these evolving cyber threats.
