Storm-0249 Escalates Ransomware Attacks With Clickfix, Fileless...
The threat actor known as Storm-0249 is likely shifting from its role as an initial access broker to adopt a combination of more advanced tactics like domain spoofing, DLL side-loading, and fileless PowerShell execution to facilitate ransomware attacks.
"These methods allow them to bypass defenses, infiltrate networks, maintain persistence, and operate undetected, raising serious concerns for security teams," ReliaQuest said in a report shared with The Hacker News.
Storm-0249 is the moniker assigned by Microsoft to an initial access broker that has sold footholds into organizations to other cybercrime groups, including ransomware and extortion actors like Storm-0501. It was first highlighted by the tech giant in September 2024.
Then, earlier this year, Microsoft also revealed details of a phishing campaign mounted by the threat actor that used tax-related themes to target users in the U.S. ahead of the tax filing season and infect them with Latrodectus and the BruteRatel C4 (BRc4) post-exploitation framework.
The end goal of these infections is to obtain persistent access to various enterprise networks and monetize them by selling them to ransomware gangs, providing them with a ready supply of targets, and accelerating the pace of such attacks.
The latest findings from ReliaQuest demonstrate a tactical shift, where Storm-0249 has resorted to using the infamous ClickFix social engineering tactic to trick prospective targets into running malicious commands via the Windows Run dialog under the pretext of resolving a technical issue.
In this case, the command copied and executed leverages the legitimate "curl.exe" to fetch a PowerShell script from a URL that mimics a Microsoft domain to give victims a false sense of trust ("sgcipl[.]com/us.microsoft.com/bdo/") and execute it in a fileless manner via PowerShell.
This, in turn, results in the execution of a malicious MSI package with SYSTEM privileges, which drops a trojanized DLL associated with SentinelOne's endpoint security solution ("SentinelAgentCore.dll") into the user's AppData folder along with the legitimate "SentinelAgentWorker.exe" executable.
In doing so, the idea is to sideload the rogue DLL when the "SentinelAgentWorker.exe" process is launched, thereby allowing the activity to stay undetected. The DLL then establishes encrypted communication with a command-and-control (C2) server.
Storm-0249 has also been observed making use of legitimate Windows administrative utilities like reg.exe and
Source: The Hacker News
