Storm-0249 Ransomware Attacks: ClickFix, Fileless PowerShell & DLL Sideloading Exposed (2026)

Storm-0249 is a threat actor that now employs techniques such as ClickFix, fileless PowerShell, and DLL sideloading to orchestrate ransomware attacks. This shift from initial access broker to a more sophisticated operator raises serious security concerns.

Storm-0249, identified by Microsoft, has a history of selling access to organizations to other cybercrime groups, including ransomware actors. Recently, Microsoft exposed a phishing campaign by this actor that targeted U.S. users with tax-related themes and infected them with malware. The ultimate goal is to gain persistent access to enterprise networks and sell that access to ransomware gangs, providing them with a steady stream of targets.

ReliaQuest's recent findings reveal Storm-0249's new strategy: using ClickFix to trick users into running malicious commands. This technique, combined with fileless PowerShell execution and DLL sideloading, allows the actor to bypass defenses and operate undetected. The use of legitimate Windows utilities and the trust associated with signed processes adds an extra layer of stealth.

This tactical shift from mass phishing to precision attacks highlights the evolving nature of cyber threats and the need for security teams to stay vigilant. As ransomware groups like LockBit and ALPHV use system identifiers to bind encryption keys, the stakes are higher than ever.

Article information

Author: Nathanael Baumbach
