Russian ransomware groups deploying ransomware via Teams

Sophos researchers recently identified a new trend of ransomware groups using Teams calls to try to gain remote access to devices in order to carry out data exfiltration and extortion. Two groups, STAC5143 and STAC5777, have been identified using similar tactics, and both have connections to other APTs.


The attack begins with the victim receiving a flood of spam emails designed to panic and confuse them; some victims have reported receiving up to 3000 emails an hour. The attacker then contacts the victim via Teams, claiming to be a member of the IT team who can fix the issue: all the victim needs to do is either download a remote access tool or start Teams screen sharing and then hand over control. Once they have gained control, the attacker installs malware with the intention of exfiltrating as much data as possible before extorting the company.


Sophos claims that over 15 of these attacks have been carried out since November 2024, with half of them coming since the start of 2025. While STAC5143 and STAC5777 use similar tactics, there are some differences. STAC5143 has possible links to the APT FIN7, as both use the same Python-based malware; however, the two go after different targets, so this link can only be claimed with medium confidence. STAC5777 differs from STAC5143 in that it relies more on scripts and on RDP and Windows remote management software to carry out its attacks, and it has deployed Black Basta ransomware on one occasion.


Sophos recommends that organisations ensure Microsoft 365 is correctly configured to block Teams messages and communications from outside their own network, or to allow them only from trusted organisations in their supply chain, so that an outsider cannot impersonate IT support. Organisations should also block popular remote access tools from being used on their network and monitor possible inbound traffic arriving via Teams and Outlook.
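The monitoring recommendation above can be turned into a simple correlation: flag an inbound Teams contact from an untrusted tenant when the same user has just been hit by the email flood described earlier. The following is an added example written for this page, not code from Sophos or from the report; the events, threshold values and domain names are constructed, and the allow list of trusted tenants is an assumption.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events (not from the Sophos report). Each event is
# (timestamp, kind, recipient, sender_domain); kind is "email" or "teams_inbound".
BASE = datetime(2025, 1, 20, 9, 0)
EVENTS = (
    # alice: an email bomb of 300 messages in 10 minutes from many throwaway domains
    [(BASE + timedelta(seconds=2 * i), "email", "alice@corp.example", f"list{i % 40}.example")
     for i in range(300)]
    # ...followed half an hour later by a Teams chat from a tenant posing as IT support
    + [(BASE + timedelta(minutes=30), "teams_inbound", "alice@corp.example", "it-helpdesk-support.example")]
    # bob: normal mail volume and a Teams chat from a supplier already on the allow list
    + [(BASE + timedelta(minutes=5 * i), "email", "bob@corp.example", "partner.example") for i in range(6)]
    + [(BASE + timedelta(minutes=40), "teams_inbound", "bob@corp.example", "partner.example")]
)

TRUSTED_TENANTS = {"partner.example"}   # assumed supply-chain allow list (cf. the Sophos advice)
FLOOD_THRESHOLD = 200                   # assumed: emails per hour that count as a bomb
FLOOD_WINDOW = timedelta(hours=1)
FOLLOW_UP_WINDOW = timedelta(hours=24)  # how long after a bomb an external Teams contact is suspicious


def detect_email_bomb_then_teams(events, threshold=FLOOD_THRESHOLD):
    """Return alerts (recipient, bomb_time, teams_time, sender_domain) for every
    inbound Teams contact from an untrusted tenant that follows an email flood
    to the same user. Events may arrive in any order; they are sorted by time."""
    recent_mail = {}   # recipient -> deque of email timestamps inside FLOOD_WINDOW
    bombed_at = {}     # recipient -> time the threshold was first crossed
    alerts = []
    for ts, kind, recipient, sender_domain in sorted(events, key=lambda e: e[0]):
        if kind == "email":
            q = recent_mail.setdefault(recipient, deque())
            q.append(ts)
            while ts - q[0] > FLOOD_WINDOW:   # drop mail older than the sliding window
                q.popleft()
            if len(q) >= threshold and recipient not in bombed_at:
                bombed_at[recipient] = ts
        elif kind == "teams_inbound" and sender_domain not in TRUSTED_TENANTS:
            bomb = bombed_at.get(recipient)
            if bomb is not None and ts - bomb <= FOLLOW_UP_WINDOW:
                alerts.append((recipient, bomb, ts, sender_domain))
    return alerts


if __name__ == "__main__":
    for user, bomb, chat, domain in detect_email_bomb_then_teams(EVENTS):
        print(f"ALERT {user}: Teams contact from {domain} at {chat} after email flood that began {bomb}")
```

In a real deployment the events would come from Exchange Online message traces and Teams audit logs, and the alert would be the trigger to confirm with the user before any remote access tool is run.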
