Ransomware Actors Leverage Microsoft Tools to Breach Organizations, Deploy Black Basta

Written by: Lore Apostol, Cybersecurity & Streaming Writer

Two ransomware threat actors, tracked as STAC5143 and STAC5777, leverage Microsoft 365 services and exploit default Microsoft Teams configurations to breach organizations' systems. Once inside, they download a ProtonVPN executable or legitimate Microsoft executables and sideload a malicious DLL.

These groups coordinated at least 15 attacks over the past three months, potentially aiming for ransomware deployment or data theft, Sophos researchers have discovered.

The attackers targeted enterprises by abusing a default Microsoft Teams configuration that allowed them to initiate conversations with internal users. Impersonating tech support, they used legitimate Microsoft tools to establish remote access, enabling them to compromise systems and advance their malicious goals.  
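The entry point in both campaigns was a tenant whose Teams external-access settings allowed outsiders to open a chat or call with employees. The following check is an added example, not code from the article or from Sophos: it scores a tenant federation configuration exported to JSON (for instance with `Get-CsTenantFederationConfiguration | ConvertTo-Json` from the MicrosoftTeams PowerShell module). The field names mirror that cmdlet's output; representing `AllowedDomains` as a plain list, where an empty list means "all external domains", is a simplification assumed by this example, and the two sample configurations are constructed.

```python
"""Score a Teams external-access (federation) configuration for the exposure
the STAC5143/STAC5777 intrusions relied on: outsiders able to start chats or
calls with internal users.

Added example. Field names follow Get-CsTenantFederationConfiguration; the
list form of AllowedDomains is an assumed simplification.
"""
import json


def assess_federation(cfg: dict) -> list[str]:
    """Return human-readable findings; an empty list means no external party
    can initiate a Teams conversation with tenant users."""
    findings = []
    # Personal (consumer) Teams accounts: the cheapest identity for an attacker.
    if cfg.get("AllowTeamsConsumer") and cfg.get("AllowTeamsConsumerInbound", True):
        findings.append("consumer Teams accounts can start chats/calls with users")
    # Skype consumer accounts.
    if cfg.get("AllowPublicUsers"):
        findings.append("Skype consumer accounts can reach users")
    # Federation with other Microsoft 365 tenants with no allow-list means any
    # attacker-controlled tenant can pose as "Help Desk".
    allowed = cfg.get("AllowedDomains") or []
    if cfg.get("AllowFederatedUsers") and not allowed:
        findings.append("open federation: any Microsoft 365 tenant can message users")
    return findings


# Constructed sample: the permissive shape the article describes as the default.
SAMPLE_OPEN = json.dumps({
    "AllowFederatedUsers": True,
    "AllowPublicUsers": True,
    "AllowTeamsConsumer": True,
    "AllowTeamsConsumerInbound": True,
    "AllowedDomains": [],
    "BlockedDomains": [],
})

# Constructed sample: federation restricted to named partner tenants only.
SAMPLE_RESTRICTED = json.dumps({
    "AllowFederatedUsers": True,
    "AllowPublicUsers": False,
    "AllowTeamsConsumer": False,
    "AllowTeamsConsumerInbound": False,
    "AllowedDomains": ["partner.example"],
    "BlockedDomains": [],
})


def assess_json(exported: str) -> list[str]:
    """Convenience wrapper for the JSON text an admin exports."""
    return assess_federation(json.loads(exported))


if __name__ == "__main__":
    for name, blob in (("open", SAMPLE_OPEN), ("restricted", SAMPLE_RESTRICTED)):
        print(name, assess_json(blob) or ["no external initiation exposure"])
```

Each finding maps to one setting an administrator can tighten; the restricted sample keeps federation on but limits it to an explicit domain list, which is the posture that removes the "Help Desk Manager" approach without disabling Teams collaboration with real partners.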

Python code from an obfuscated copy of RPivot in the winter.zip archive deployed by the STAC5143 attackers | Source: Sophos

The activity of STAC5143 was first observed in November 2024, starting with a large-scale spam campaign followed by direct Microsoft Teams engagement. The attackers posed as "Help Desk Manager" and initiated Teams calls to victims.  

During the calls, STAC5143 requested a remote screen control. Once approved, the attackers opened command shells, dropped malicious files, and executed malware. 

Sophos documented their use of PowerShell commands to download a ProtonVPN executable and sideload a malicious DLL. This infection stage set the groundwork for deploying Python-based backdoors and running commands for user and network discovery.

While STAC5143’s techniques overlapped with those used by known groups like FIN7/Sangria Tempest, Sophos noted distinct differences in the attack chain and target profile. The actor also appeared to mimic elements of Black Basta ransomware’s (Storm-1811) methods.  

The STAC5777 group used a similar approach, bombarding employees with spam messages before contacting them on Microsoft Teams. They posed as internal IT team members seeking to resolve spam issues. However, STAC5777 relied more heavily on "hands-on-keyboard" tactics in live attacks.  

Sophos observed that during Teams calls, employees were instructed to install Microsoft Quick Assist, enabling attackers to establish remote access. Once inside the system, STAC5777 deployed a chain of payloads, including legitimate Microsoft executables, unsigned DLLs from OpenSSL Toolkit, and malicious DLLs designed to capture system and user data.  
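The payload stage in both intrusions has the same shape: a legitimately signed executable (ProtonVPN or a Microsoft binary) dropped into a user-writable directory loads an unsigned DLL sitting beside it. The detection below is an added example, not code from the article or from Sophos, and covers both the STAC5143 PowerShell/ProtonVPN stage and the STAC5777 payload chain. It runs over Sysmon-style image-load records (Event ID 7 fields `Image`, `ImageLoaded`, `Signed`, `Signature`); the signer names, the process-signature fields and every sample record are constructed for the example.

```python
"""Flag DLL sideloading: a signed, trusted executable loading an unsigned DLL
from a user-writable location.

Added example. Records mimic Sysmon Event ID 7; the process-image signature
fields are assumed to have been resolved beforehand (Sysmon reports only the
loaded image's signature).
"""
import re
from dataclasses import dataclass

# Directories an unprivileged user can write to; the attackers staged their
# payloads in such paths. Pattern is an assumption tuned for the sample data.
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)"
    r"|ProgramData|Windows\\Temp|Temp)\\",
    re.IGNORECASE,
)

# Signer names whose binaries the article says were abused; constructed list.
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Corporation", "Proton AG"}


@dataclass
class ImageLoad:
    process_image: str    # Sysmon "Image": the process performing the load
    process_signed: bool  # assumed: signature status of the process image
    process_signer: str   # assumed: signer of the process image
    loaded_image: str     # Sysmon "ImageLoaded": the DLL being mapped
    loaded_signed: bool   # Sysmon "Signed"
    loaded_signer: str    # Sysmon "Signature"


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.match(path))


def sideload_suspects(events: list[ImageLoad]) -> list[ImageLoad]:
    """Return loads where a trusted-signed process maps an unsigned DLL from a
    user-writable directory."""
    hits = []
    for ev in events:
        if not ev.loaded_image.lower().endswith(".dll"):
            continue
        trusted_host = ev.process_signed and ev.process_signer in TRUSTED_SIGNERS
        if trusted_host and not ev.loaded_signed and is_user_writable(ev.loaded_image):
            hits.append(ev)
    return hits


# Constructed sample telemetry: one benign system load, one benign signed
# vendor load from AppData, one sideload matching the described technique.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe", True, "Microsoft Windows",
              r"C:\Windows\System32\ntdll.dll", True, "Microsoft Windows"),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\ProtonVPN.exe", True, "Proton AG",
              r"C:\Users\alice\AppData\Local\Temp\vendor.dll", True, "Proton AG"),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\ProtonVPN.exe", True, "Proton AG",
              r"C:\Users\alice\AppData\Local\Temp\helper.dll", False, ""),
]


if __name__ == "__main__":
    for hit in sideload_suspects(SAMPLE_EVENTS):
        print(f"sideload? {hit.process_image} -> {hit.loaded_image}")
```

The rule deliberately does not fire on the signed vendor DLL in the same directory, so a genuine portable install stays quiet. Its known blind spot is an unsigned DLL dropped into a path outside the user-writable set (for example under Program Files after a privilege escalation); correlating these loads with a preceding Quick Assist session or a PowerShell download in the same user session, as the article's attack chain suggests, narrows that gap.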

The group further conducted reconnaissance operations, viewing configuration files, extracting credentials, and examining network architecture diagrams. Sophos also documented an attempted execution of Black Basta ransomware in one instance. 
