Microsoft discovers Storm-0978 spying phishing


Microsoft has identified a phishing campaign by the Russia-based threat actor Storm-0978 targeting defense and government entities in Europe and North America. The group pursues both financial gain and espionage, and this campaign shows both motives at work.

Storm-0978 (DEV-0978; also referred to by others as RomCom, after the backdoor it uses) is a Russia-based cybercriminal group known for opportunistic ransomware and extortion operations as well as credential-theft campaigns. Storm-0978 operates, develops and distributes the RomCom backdoor. The actor also deploys the Underground ransomware, which is closely related to the Industrial Spy ransomware first observed in the wild in May 2022. The actor's most recent campaign, detected in June 2023, involved the abuse of CVE-2023-36884 to deliver a backdoor with similarities to RomCom.

Russian Storm-0978 takes targeted action

Storm-0978 is known to target organizations with trojanized versions of popular legitimate software, which lead to the installation of RomCom. Storm-0978's targeted operations have affected government and military organizations primarily in Ukraine, as well as organizations in Europe and North America that may be involved in Ukrainian affairs. Identified ransomware attacks have hit the telecommunications and finance industries, among others.

Storm-0978 tools and TTPs

[Image: Storm-0978 phishing emails used Ukrainian World Congress and NATO themes as lures (Source: Microsoft).]

Storm-0978 uses trojanized versions of popular, legitimate software. Observed examples are Adobe products, Advanced IP Scanner, SolarWinds Network Performance Monitor, SolarWinds Orion, KeePass and Signal. To host the trojanized installers, Storm-0978 typically registers malicious domains that mimic the legitimate software's site (e.g., advanced-ip-scaner[.]com, which drops one letter from the real Advanced IP Scanner domain).
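The lookalike-domain technique above is simple to triage mechanically: compare the registrable label of a suspicious domain against the brands the actor imitates and flag small edit distances or brand-name abuse. The following is an added illustration, not Microsoft's tooling or anything from the report. The legitimate entries are the vendors' public domains; the candidate list is constructed for the example except advanced-ip-scaner[.]com, which the page itself names; the distance threshold of 2 is an arbitrary choice.

```python
"""Lookalike-domain triage for trojanized-installer delivery sites.
Added example; the candidate domains below are constructed except the one
the report names, and the threshold is an assumption, not a vendor rule."""
from typing import List, Optional, Tuple

# Vendors Storm-0978 is reported to imitate, keyed by their real domain.
LEGITIMATE = {
    "advanced-ip-scanner.com": "advanced-ip-scanner",
    "keepass.info": "keepass",
    "signal.org": "signal",
    "solarwinds.com": "solarwinds",
    "adobe.com": "adobe",
}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lower-case and undo the common [.] defanging used in threat reports."""
    return domain.lower().replace("[.]", ".").strip(".")


def registrable_label(domain: str) -> str:
    """Second-level label: 'www.example.com' -> 'example'.  Good enough for
    .com/.org/.info style TLDs; public-suffix handling is out of scope."""
    parts = normalize(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str, max_distance: int = 2) -> Tuple[str, str, Optional[int]]:
    """Return (verdict, closest legitimate domain, edit distance).
    Verdicts: legitimate, typosquat (small edit distance to a brand),
    brand-abuse (brand embedded in a longer label), unrelated."""
    norm = normalize(domain)
    label = registrable_label(norm)
    best: Tuple[str, str, Optional[int]] = ("unrelated", "", None)
    for legit, brand in LEGITIMATE.items():
        if norm == legit or norm.endswith("." + legit):
            return ("legitimate", legit, 0)
        d = levenshtein(label, brand)
        if d <= max_distance and (best[2] is None or d < best[2]):
            best = ("typosquat", legit, d)
        elif brand in label and best[0] == "unrelated":
            best = ("brand-abuse", legit, d)
    return best


def triage(domains: List[str]) -> List[Tuple[str, str]]:
    """Verdict per domain, in input order, for a quick analyst summary."""
    return [(d, classify(d)[0]) for d in domains]


# Constructed candidates; only the first is taken from the report.
CANDIDATES = [
    "advanced-ip-scaner[.]com",   # one letter dropped from the real domain
    "keepass-setup.net",          # brand plus a download-themed suffix
    "solarwimds.com",             # single-character substitution
    "www.signal.org",             # the real site, should pass
    "example.com",                # unrelated control
]

if __name__ == "__main__":
    for domain, verdict in triage(CANDIDATES):
        print(f"{domain:28} {verdict}")
```

A real deployment would feed newly registered domains or proxy logs into `triage`, and would replace the naive label split with a public-suffix list so that country-code second-level domains are handled correctly.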

In financially motivated ransomware attacks, Storm-0978 uses Industrial Spy ransomware, a variant first observed in the wild in May 2022, and Underground ransomware. The actor has also used Trigona ransomware in at least one identified attack.

Additionally, in the attributed phishing activity, Storm-0978 has acquired exploits targeting zero-day vulnerabilities. Identified exploit activity includes abuse of CVE-2023-36884, a remote code execution vulnerability exploited via Microsoft Word documents in June 2023, as well as abuse of vulnerabilities that contribute to a security feature bypass.

Ransomware activity

In known ransomware intrusions, Storm-0978 has obtained credentials by dumping password hashes from the Security Account Manager (SAM) via the Windows registry. Reading the SAM requires SYSTEM-level privileges. The exported SAM hive is only useful together with the SYSTEM hive, which holds the boot key that encrypts the hashes, so the two exports typically appear within seconds of each other. Microsoft Defender for Endpoint flags this activity with alerts such as "SAM registry hive export". Storm-0978 then used the Impacket framework's SMBExec and WMIExec modules for lateral movement.
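Both behaviours in the paragraph above leave distinctive process-creation artifacts, which is what an endpoint product keys on. The following detection logic is an added example, not Microsoft's or Defender's implementation. It runs over constructed process-creation records shaped like a flattened Sysmon Event ID 1 or Security 4688 export. The Impacket signatures are the defaults of the public smbexec.py and wmiexec.py examples (output redirected to `\\127.0.0.1\C$\__output` via a one-shot `execute.bat`, and `cmd.exe /Q /c ... 1> \\127.0.0.1\ADMIN$\__<epoch> 2>&1` respectively); a customised build can change them, so treat the patterns as a starting point rather than a complete rule set.

```python
"""Hunt rules for SAM/SYSTEM hive export and default Impacket smbexec/wmiexec
command lines.  Added example with constructed log records; the Impacket
patterns are the public defaults and may not match modified builds."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed records: time|host|user|image|commandline
SAMPLE_LOG = """\
2023-06-12T08:01:10|WS01|CORP\\alice|C:\\Windows\\System32\\reg.exe|reg  query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
2023-06-12T08:02:33|WS01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\reg.exe|reg save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv
2023-06-12T08:02:34|WS01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\reg.exe|reg save HKLM\\SYSTEM C:\\Windows\\Temp\\sys.hiv
2023-06-12T08:10:02|SRV02|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\cmd.exe|cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1686557402.71 2>&1
2023-06-12T08:11:45|SRV02|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\system32\\cmd.exe /Q /c echo hostname ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > C:\\Windows\\TEMP\\execute.bat & C:\\Windows\\system32\\cmd.exe /Q /c C:\\Windows\\TEMP\\execute.bat & del C:\\Windows\\TEMP\\execute.bat
2023-06-12T08:15:00|SRV02|CORP\\svc_backup|C:\\Windows\\System32\\reg.exe|reg export HKCU\\Console C:\\Users\\svc_backup\\console.reg
"""

# reg.exe save/export of the hives needed to recover local hashes offline:
# SAM holds the hashes, SYSTEM the boot key, SECURITY the LSA secrets.
SAM_DUMP = re.compile(
    r"\breg(?:\.exe)?\s+(?:save|export)\s+hklm\\(?:sam|system|security)(?=\s|$)", re.I
)
# wmiexec.py default: cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<epoch> 2>&1
WMIEXEC = re.compile(
    r"cmd(?:\.exe)?\s+/Q\s+/c\s+.*1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(?:\.\d+)?\s+2>&1", re.I
)
# smbexec.py default: a service runs a one-shot execute.bat whose output is
# redirected to \\127.0.0.1\C$\__output
SMBEXEC = re.compile(r"\\\\127\.0\.0\.1\\C\$\\__output.*execute\.bat", re.I)

RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("credential_access:sam_hive_export", SAM_DUMP),
    ("lateral_movement:impacket_wmiexec", WMIEXEC),
    ("lateral_movement:impacket_smbexec", SMBEXEC),
]


@dataclass
class Finding:
    time: str
    host: str
    user: str
    technique: str
    commandline: str


def parse(log: str) -> Iterator[Tuple[str, str, str, str, str]]:
    """Split pipe-delimited records; the command line keeps any later pipes."""
    for line in log.splitlines():
        if line.strip():
            time, host, user, image, cmd = line.split("|", 4)
            yield time, host, user, image, cmd


def detect(log: str) -> List[Finding]:
    """Apply every rule to every command line and collect the hits."""
    findings = []
    for time, host, user, image, cmd in parse(log):
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append(Finding(time, host, user, name, cmd))
    return findings


def summarize(findings: List[Finding]) -> List[Tuple[str, str]]:
    """Collapse hits to sorted (host, technique) pairs for a quick overview."""
    return sorted({(f.host, f.technique) for f in findings})


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f.time, f.host, f.user, f.technique)
```

Pairing the SAM and SYSTEM exports on the same host within a short window, as the sample shows, is the higher-fidelity signal; either hive alone is occasionally touched by legitimate backup software.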

Microsoft has linked Storm-0978 to the earlier operation of the Industrial Spy ransomware and crypter marketplace. However, as early as July 2023, Storm-0978 began using a ransomware variant called Underground, which has significant code overlap with Industrial Spy. The code similarity between the two variants, together with Storm-0978's previous involvement in Industrial Spy operations, could indicate that Underground is a rebranding of the Industrial Spy ransomware.

Phishing campaign in June 2023

Storm-0978 ran a phishing campaign that used a fake OneDrive loader to deliver a backdoor with similarities to RomCom. The phishing emails targeted defense and government entities in Europe and North America and used lures related to the Ukrainian World Congress. The emails led to exploitation of CVE-2023-36884.

Notably, during this campaign Microsoft identified concurrent, separate Storm-0978 ransomware activity against an unrelated target that used the same initial payloads. This subsequent ransomware activity against a different victim profile underscores the mix of motivations seen in Storm-0978 attacks.

More at Microsoft.com

About Microsoft Germany

Microsoft Deutschland GmbH was founded in 1983 as the German subsidiary of Microsoft Corporation (Redmond, USA). Microsoft is committed to empowering every person and company in the world to achieve more. This challenge can only be mastered together, which is why diversity and inclusion have been firmly anchored in the corporate culture from the very beginning.

As the world's leading maker of productivity software and modern services in the age of the intelligent cloud and intelligent edge, and as a developer of innovative hardware, Microsoft sees itself as a partner that helps its customers benefit from digital transformation. Security and data protection are top priorities in the development of its solutions. Microsoft, the largest contributor to open source, drives open source technology through its leading developer platform GitHub. With LinkedIn, the largest professional network, Microsoft promotes professional networking worldwide.
