
Hackers Deliver Ransomware Via Microsoft Teams Voice Calls on Windows

Sophos X-Ops’ Managed Detection and Response (MDR) team has uncovered two active threat actor groups, STAC5143 and STAC5777, leveraging Microsoft Office 365 features to execute highly coordinated ransomware and data theft operations.

These adversaries infiltrate organizations by exploiting the default configurations of Microsoft Office 365 and Teams, employing a multifaceted attack strategy that combines email bombing, social engineering, and malware deployment.

Since November 2024, Sophos detected over 15 incidents involving these threat actors, with attacks escalating in recent weeks.

Both groups use Office 365 tenants they control to execute their campaigns and exploit Microsoft Teams’ default external communication setup, which allows them to initiate chat messages and video calls with employees in targeted organizations.

Their methods include overwhelming employee inboxes with spam emails (up to 3,000 messages in under an hour) and impersonating IT support through Microsoft Teams to gain system access remotely.
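
The default Teams setting that both groups rely on is open federation: any other Microsoft 365 tenant, including one the attacker created minutes earlier, may start a chat or call with your users. The following is an added example, not code from Sophos or from this article, showing how a Teams administrator would check that setting and move it to a partner allow list. It assumes the MicrosoftTeams PowerShell module is installed, that the caller holds a Teams administrator role, and that the partner domain names are placeholders to be replaced.

```powershell
# Added example (not from the Sophos report or this article): restrict Microsoft Teams
# external access so that arbitrary tenants cannot open chats or calls with your users.
# Assumes the MicrosoftTeams module is installed and the caller is a Teams administrator.
# The partner domains below are placeholders.

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Inspect the current federation settings. The risky default is
#    AllowFederatedUsers = $true with an empty AllowedDomains list, which means
#    "any tenant may contact our users".
$cfg = Get-CsTenantFederationConfiguration
$cfg | Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                     AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowPublicUsers

# 2. Move to an allow list: keep federation on, but only for tenants you name.
#    A tenant that is not on the list (an attacker-controlled one included) can no
#    longer initiate chat or calls with your users.
$partners = New-Object Collections.Generic.List[String]
$partners.Add("partner-one.example")   # placeholder
$partners.Add("partner-two.example")   # placeholder
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomainsAsAList $partners

# Alternative for tenants with no legitimate external Teams traffic: turn federation off.
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# 3. Close the consumer (personal Teams / Skype) paths, which are not covered by the
#    domain allow list and would otherwise remain open to anyone.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false `
                                    -AllowPublicUsers $false

# 4. Verify: AllowedDomains should now list exactly the partner domains.
(Get-CsTenantFederationConfiguration).AllowedDomains
```

Two caveats a practitioner will want: a domain block list (`BlockedDomains`) does not help here, because the attackers register fresh tenants, so the control has to be an allow list or a full block; and the allow list only stops the initial contact. A partner tenant that is itself compromised, or an insider, can still drive the same screen-sharing and remote-control path, so the endpoint checks further down still matter.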

STAC5143 Activity: FIN7-Inspired, Java-Based Proxies

STAC5143, loosely aligned with the notorious FIN7 threat group, uses Microsoft Teams’ remote screen control feature to execute Java Archive (JAR) files.

These files extract Python-based malware from remote SharePoint repositories and use proxy tools like RPivot to establish command-and-control (C2) connections.

Figure: Python code from an obfuscated copy of RPivot in the winter.zip archive deployed by the STAC5143 attackers.

The attack chain involves:

  1. Initial Access: Email-bombing followed by phishing calls via Teams.
  2. Execution: JAR files deploy malicious payloads to install backdoors.
  3. Persistence and Control: Java-based tools run obfuscated PowerShell commands, perform network discovery, and exfiltrate data over encrypted connections to attacker-controlled IP addresses hosted abroad.

STAC5777’s Sophisticated Malware Deployment and Manual Control

STAC5777, identified in part as Storm-1811 by Microsoft, employs a more manual attack style.

Using Microsoft Quick Assist, the group engages directly with users through fake IT support sessions, guiding victims to install legitimate-looking tools that sideload malicious dynamic link libraries (DLLs).

The attack flow includes:

  • Modifying the Windows registry and removing multi-factor authentication to evade detection.
  • Deploying OneDriveStandaloneUpdater.exe, a legitimate Microsoft utility, to launch the malicious DLL (winhttp.dll), which exfiltrates credentials and user configurations.
  • Scanning for lateral movement opportunities using Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM).
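
The OneDriveStandaloneUpdater.exe step is classic DLL sideloading: a copy of the signed Microsoft binary is run from a directory the attacker controls, so the Windows loader picks up the attacker's winhttp.dll from that directory before the genuine one in System32. The following is an added example, not code from Sophos or from this article, of how a responder would hunt for that pattern on a Windows host. The search roots, the Sysmon channel name, and the assumption that a legitimate updater never has a winhttp.dll beside it are assumptions made for this example; run it as a local administrator.

```powershell
# Added example (not from the Sophos report or this article): hunt for a winhttp.dll
# planted beside OneDriveStandaloneUpdater.exe, the sideloading pattern attributed to
# STAC5777 above. Search roots and the Sysmon channel name are assumptions; run elevated.

$updaterName = "OneDriveStandaloneUpdater.exe"
$sideloadDll = "winhttp.dll"
$legitDll    = Join-Path $env:SystemRoot "System32\winhttp.dll"
$legitHash   = (Get-FileHash -Path $legitDll -Algorithm SHA256).Hash

# User-writable and program directories; the updater's normal home is under %LocalAppData%.
$roots = @("$env:SystemDrive\Users", $env:ProgramData, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
         Where-Object { $_ -and (Test-Path $_) }

$findings = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter $updaterName -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dll = Join-Path $_.DirectoryName $sideloadDll
        if (Test-Path $dll) {
            $dllSig  = Get-AuthenticodeSignature -FilePath $dll
            $dllHash = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
            [pscustomobject]@{
                Directory       = $_.DirectoryName
                UpdaterSigStatus = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                DllSigStatus    = $dllSig.Status
                DllSigner       = $dllSig.SignerCertificate.Subject
                DllSha256       = $dllHash
                MatchesSystem32 = ($dllHash -eq $legitHash)
            }
        }
    }
}

# A winhttp.dll sitting next to the updater that is unsigned, signed by a non-Microsoft
# party, or simply different from the System32 copy is what to escalate. A valid Microsoft
# signature on the updater itself proves nothing: the attacker wants a genuine binary there.
$suspicious = $findings | Where-Object { -not $_.MatchesSystem32 -or $_.DllSigStatus -ne 'Valid' }
$suspicious | Format-Table -AutoSize

# If Sysmon is logging image loads (Event ID 7), the same pattern is visible at load time:
# the updater loading winhttp.dll from anywhere other than System32.
$sys32Pattern = [regex]::Escape((Join-Path $env:SystemRoot "System32") + "\")
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Message -match "Image:\s+[^\r\n]*\\$([regex]::Escape($updaterName))" -and
        $_.Message -match "ImageLoaded:\s+(?!$sys32Pattern)[^\r\n]*\\winhttp\.dll"
    } |
    Select-Object TimeCreated, MachineName, Message
```

The file-system sweep catches a payload that is still on disk; the Sysmon query catches one that already ran and was cleaned up, provided image-load logging was enabled before the intrusion. Either hit should be followed by a look at the RDP and WinRM activity from that host, since the report places lateral-movement scanning immediately after the loader.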

Notably, STAC5777 attempted to deploy Black Basta ransomware during one incident, which was blocked by Sophos endpoint protection.

The two threat clusters demonstrate similar entry points and social engineering techniques, focusing on creating a false sense of urgency through fake technical support calls.

After gaining initial entry, attackers deploy malware, manipulate system configurations, and siphon sensitive data while preparing environments for ransomware deployment.

Sophos has released detections for these campaigns (ATK/RPivot-B and Troj/Loader-DV, among others), but organizations are advised to take proactive measures rather than rely on endpoint detection alone.

Sophos emphasized that the growing sophistication of these attack patterns requires a robust security approach combining technical controls, monitoring, and employee awareness to thwart ransomware and data exfiltration attempts.
