Storm-1811
Associated Group Descriptions

| Name | Description |
|---|---|
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087.002 | Account Discovery: Domain Account | Storm-1811 has performed domain account enumeration during intrusions.(Citation: Microsoft Storm-1811 2024) |
| Enterprise | T1583.001 | Acquire Infrastructure: Domains | Storm-1811 has created domains for use with RMM tools.(Citation: rapid7-email-bombing) |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Storm-1811 has created Windows Registry Run keys that execute various batch scripts to establish persistence on victim devices.(Citation: rapid7-email-bombing) |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Storm-1811 has used PowerShell for multiple purposes, such as PowerShell scripts executing in an infinite loop to create an SSH connection to a command and control server.(Citation: rapid7-email-bombing) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Storm-1811 has used multiple batch scripts during initial access and subsequent actions on victim machines.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing) |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | Storm-1811 has locally staged captured credentials for subsequent manual exfiltration.(Citation: rapid7-email-bombing) |
| Enterprise | T1585.003 | Establish Accounts: Cloud Accounts | Storm-1811 has created malicious accounts to enable activity via Microsoft Teams, typically spoofing various IT support and helpdesk themes.(Citation: Microsoft Storm-1811 2024) |
| Enterprise | T1048.002 | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Storm-1811 has exfiltrated captured user credentials via Secure Copy Protocol (SCP).(Citation: rapid7-email-bombing) |
| Enterprise | T1222.001 | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | Storm-1811 has used `cacls.exe` via batch script to modify file and directory permissions in victim environments.(Citation: rapid7-email-bombing) |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL | Storm-1811 has deployed a malicious DLL (7z.DLL) that is sideloaded by a modified, legitimate installer (7zG.exe) when that installer is executed with an additional command line parameter of `b` at runtime, in order to load a Cobalt Strike beacon payload.(Citation: rapid7-email-bombing) |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | Storm-1811 has disguised Cobalt Strike installers as a malicious DLL masquerading as part of a legitimate 7zip installation package.(Citation: rapid7-email-bombing) |
| Enterprise | T1036.010 | Masquerading: Masquerade Account Name | Storm-1811 has created Microsoft Teams accounts that spoof IT support and helpdesk members for use in application and voice phishing.(Citation: Microsoft Storm-1811 2024) |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Storm-1811 has XOR-encoded a Cobalt Strike installation payload in a DLL file that is decoded with a hardcoded key when called by a legitimate 7zip installation process.(Citation: rapid7-email-bombing) |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | Storm-1811 has acquired various legitimate and malicious tools, such as RMM software and commodity malware packages, for operations.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing) |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | Storm-1811 has distributed malicious links to victims that redirect to EvilProxy-based phishing sites to harvest credentials.(Citation: Microsoft Storm-1811 2024) |
| Enterprise | T1566.003 | Phishing: Spearphishing via Service | Storm-1811 has used Microsoft Teams to send messages and initiate voice calls to victims while posing as IT support personnel.(Citation: Microsoft Storm-1811 2024) |
| Enterprise | T1566.004 | Phishing: Spearphishing Voice | Storm-1811 has initiated voice calls with victims while posing as IT support to prompt users to download and execute scripts and other tools for initial access.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)(Citation: RedCanary Storm-1811 2024) |
| Enterprise | T1219.002 | Remote Access Tools: Remote Desktop Software | Storm-1811 has abused multiple types of legitimate remote access software and tools, such as ScreenConnect, NetSupport Manager, and AnyDesk.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing) |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Storm-1811 has attempted to move laterally in victim environments via SMB using Impacket.(Citation: rapid7-email-bombing) |
| Enterprise | T1021.004 | Remote Services: SSH | Storm-1811 has used OpenSSH to establish an SSH tunnel to victims for persistent access.(Citation: Microsoft Storm-1811 2024) |
| Enterprise | T1204.002 | User Execution: Malicious File | Storm-1811 has prompted users to execute downloaded software and payloads as the result of social engineering activity.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)(Citation: RedCanary Storm-1811 2024) |
References
- Microsoft Threat Intelligence. (2024, May 15). Threat actors misusing Quick Assist in social engineering attacks leading to ransomware. Retrieved March 14, 2025.
- Red Canary Intelligence. (2024, December 2). Storm-1811 exploits RMM tools to drop Black Basta ransomware. Retrieved March 14, 2025.
- The Red Canary Team. (2024, June 20). Intelligence Insights: June 2024. Retrieved March 14, 2025.
- Tyler McGraw, Thomas Elkins, and Evan McCann. (2024, May 10). Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators. Retrieved January 31, 2025.