Sophos researchers have detailed two new ransomware campaigns targeting corporate organizations, which use deceptive tactics to trick victims into providing remote access to their machines.
Tracked as STAC5143 and STAC5777, the campaigns are designed to overwhelm victims with massive volumes of spam emails, sometimes reaching up to 3,000 in less than an hour. Victims are then contacted via Microsoft Teams by someone pretending to be from the company's IT department, offering supposed assistance. The attacker encourages the victim to install remote access software, such as Quick Assist, or to enable screen sharing via Teams. This enables the attacker to take control of the victim's machine and install malware, which is typically used for data theft and extortion.
The first signs of the attacks emerged in November 2024, with Sophos noting that at least 15 incidents have been observed over the past three months, half of which occurred within the past two weeks. The attackers exploit a default Microsoft Teams configuration, which allows external domain users to initiate chats or meetings with internal users. Both STAC5143 and STAC5777 utilized their own Microsoft Office 365 service tenants to orchestrate the attacks.
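The default Teams external-access (federation) setting described above can be reviewed and tightened from the Microsoft Teams PowerShell module. The following is an added example written for this page, not part of the Sophos report; it assumes the reader has the MicrosoftTeams module installed and Teams administrator rights, and the domain names and tenant values are placeholders to be replaced with real partner domains.

```powershell
# Added example: audit and restrict who outside the tenant can start Teams chats or calls.
# Requires the MicrosoftTeams module (Install-Module MicrosoftTeams) and a Teams admin account.
Connect-MicrosoftTeams

# 1. Audit the current tenant-wide federation configuration.
#    The permissive default allows chats from any external domain and from Teams consumer accounts.
$cfg = Get-CsTenantFederationConfiguration
[pscustomobject]@{
    AllowFederatedUsers = $cfg.AllowFederatedUsers   # $true means external domains can reach users
    AllowedDomains      = $cfg.AllowedDomains        # "AllowAllKnownDomains" = open to every domain
    BlockedDomains      = $cfg.BlockedDomains
    AllowTeamsConsumer  = $cfg.AllowTeamsConsumer    # personal (consumer) Teams accounts
}

# 2. Restrict external access to an explicit allow list of partner domains.
#    Placeholders below: replace with the domains the organization actually collaborates with.
$partnerDomains = @("partner-a.example", "partner-b.example")
$patterns = $partnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns

Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# 3. Disable chats from consumer (personal) Teams accounts, which are outside any corporate tenant.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# 4. Re-read the configuration to confirm the change took effect.
Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer
```

Run step 1 first and record the output before making changes; in tenants where the allowed-domains value reads as an open list, any attacker-controlled Office 365 tenant can open a chat with internal users, which is the precondition for the "IT help desk" contact described in the article. Moving to an explicit allow list removes that path while preserving collaboration with known partners, and the same cmdlets can be re-run periodically as a configuration check.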
While STAC5777 shares characteristics with the cybercriminal group Storm-1811, known for deploying Black Basta ransomware, STAC5143 is a previously unreported threat cluster with possible links to the notorious FIN7 group. Sophos has noted that STAC5143's tactics, techniques, and procedures (TTPs) exhibit some overlap with those of FIN7, though there are key differences in their attack strategies.
STAC5143 has used Python malware and obfuscation methods similar to those seen in previous FIN7 attacks, but the attack chain differs significantly. The targeted organizations are typically smaller and belong to industries not usually targeted by FIN7.
On the other hand, the STAC5777 campaign places more emphasis on "hands-on-keyboard" activity and scripted commands. The group also uses tools such as RDP and Windows Remote Management to access other machines within the victim's network. In at least one incident, the group deployed Black Basta ransomware to lock the victim's systems and demand a ransom.