Customer Advisory: An Attack, Leveraging Spam Email, Teams, SharePoint, and OneDrive, Potentially Linked to the Ransomware Group Sangria Tempest

Spearphishing via Service – Java-based Malware – Remote Access Tools – PowerShell Command Execution – Finance and Insurance – Other Services – All Industries

The Rundown

On November 12, the Deepwatch Threat Intel team analyzed a Hunters’ blog post detailing a social engineering campaign dubbed VEILDrive that leveraged Microsoft Teams, SharePoint, and OneDrive to infiltrate a U.S. critical infrastructure organization. 

Since then, the Deepwatch Adversary Tactics and Intelligence Team responded to nearly identical activity impacting a U.S.-based organization in the Finance and Insurance sector, with a potential link to the ransomware group Sangria Tempest (Fin7), a sophisticated group with Eastern European origins. 

This report highlights the attack chain used in these two attacks. Similar activity has been observed impacting a U.S.-based organization in the Other Services sector, where users’ inboxes were flooded with spam emails. This was followed by the attacker attempting to initiate Teams calls with the affected users.

Our recent observations show that the threat actors are actively employing similar tactics, techniques, and procedures we analyzed on November 12. The continued abuse of Teams, SharePoint, and OneDrive highlights a significant weakness in current detection frameworks, where cybercriminals leverage legitimate SaaS platforms to execute commands while evading advanced security measures.

Key Takeaways

• The attackers consistently leveraged Microsoft Teams, SharePoint, and OneDrive to deliver malicious payloads, highlighting a significant gap in detection frameworks if they fail to monitor legitimate SaaS platforms for misuse.
• The use of Java-based malware remained consistent across campaigns, but variations suggest an effort to obfuscate operations or target-specific customizations.
• In the Deepwatch observed attack, the attacker sent a flood of spam emails to increase engagement success rates, suggesting an attempt to overwhelm targets and bypass typical security awareness before employing direct impersonation via Teams.
• The attacks demonstrate an evolution in the techniques, indicating the attackers’ adaptability and increasing reliance on social engineering via trusted SaaS platforms.
• To enhance cyber resilience against similar attacks, recommendations include, but are not limited to educating employees on phishing and social engineering tactics, restricting external access in Microsoft Teams to trusted domains, and limiting remote administration tools, like Quick Assist, to approved use cases. 

Threat Actor Attribution

With a potential link to Sangria Tempest, the observed attacks potentially show the group’s advanced social engineering and evasion techniques, which leverage legitimate SaaS platforms, such as Microsoft Teams, SharePoint, and OneDrive, to evade detection. The group has been active since 2012, and has evolved its tactics over time. Initially deploying point-of-sale (PoS) and ATM malware to collect payment card information, the group has shifted to ransomware and data theft for double extortion. 

Analysis of the Attack Evolution

This analysis provides our recent observations and contrasts them with open-source reporting to highlight varying attack chains.

Comparison Table of Key Elements

Key Element	Previous Attack	Latest Attack
Entry Point	Microsoft Teams message to 4 employees	A flood of spam emails, followed by a Microsoft Teams message to 1 employee
Social Engineering	Described as Impersonating an IT team member	Posed as technical support
Persistence Mechanism	Scheduled task to run ROMServer.exe	No evidence of persistence setup
Payload	Cliento.jar (Java-based malware)	Post-Connect.jar (Java-based malware)
Command and Control	OneDrive	Network connections to 38.180.138[.]251. Post-Connect.jar includes references to OneDrive.

Initial Compromise

In the Deepwatch observed attack, the target received a large volume of spam emails. Then, the attacker used a compromised account from an external organization to send a Microsoft Teams message request to one employee in a U.S.-based Finance and Insurance organization, posing as technical support.

Upon the employee accepting the request, the attacker asked the employee to open Microsoft Quick Assist, a legitimate remote support tool many companies use for troubleshooting. The attacker provided an access code, and once the employee entered it, the attacker had full, interactive access to the employee’s computer without installing any initial malware.

In open-source intelligence (OSINT) reporting, the threat actor used a compromised account, impersonating an IT team member, from a different external organization to send a Microsoft Teams message request to four employees at a U.S. critical infrastructure organization. Only one of the four employees accepted the request. It is unknown if the attacker sent spam emails to the targets prior to sending the Teams message requests. It is also unknown if the tenants used in this attack were used in the Deepwatch observed attack.

Key Takeaway: The attackers leveraged similar social engineering techniques to gain access, though the scale and specifics of their approach evolved between incidents.

Maintaining Access

In OSINT reporting, the attacker’s next step was introducing additional tools to enable persistent access. The Deepwatch observed attack shows no evidence that the threat actor employed any of the following techniques, which aimed to maintain persistent access if the Quick Assist session ended.

Per OSINT reporting, the attacker sent the employee a link to a password-protected ZIP file hosted on a SharePoint tenant belonging to a compromised organization. However, it is unknown if this tenant was the same one used in the latest attack. The ZIP file contained various files, including a remote management tool, LiteManager (ROMServer.exe), which the attacker downloaded and launched during the session. This tool allowed the attacker to maintain control even if the Quick Assist session ended.

The attacker potentially used various Microsoft tenants in the previous attack and the attack Deepwatch observed might suggest that this activity is more widespread, impacting various organizations. While the activity is associated with Sangria Tempest, who has been known to deploy ransomware, some attacks may only serve as a means to target additional organizations and host malware. 

To solidify this access, the attacker set up a scheduled task named “Performance monitoring” on the employee’s system. This task ensured that ROMServer.exe would run every minute, creating a persistent backdoor for the attacker to re-establish access anytime.

schtasks /Create /TN "Perfomance monitoring" /SC MINUTE /TR C:\ProgramData\500000003\ROMServer.exe

Key Takeaway: The persistence techniques evolved, with no evidence of persistence setup in the latest attack, suggesting the attacker may be adapting their approach based on the target environment.

Deploying the Java Malware

In the Deepwatch observed attack, the threat actor sent a link to a SharePoint tenant belonging to a different compromised organization. Then we observed a ZIP file named Post-Connect.zip was downloaded to the target’s Downloads folder, indicating that the SharePoint site hosted the ZIP file. This ZIP file likely contained the Java Development Kit (JDK) and the malicious Java Archive (JAR) file named Post-Connect.jar, as the malware was subsequently saved to the ProgramData folder.  

Immediately following this, we identified network connections to 38.180.138[.]251:80. This IP address was found hardcoded in Post-Connect.jar, indicating that the malware was executed. This activity produced a Microsoft Defender Alert with the title “Ransomware-linked Sangria Tempest threat activity group detected,” triggering Deepwatch Adversary Tactics and Intelligence Teams engagement. 

According to OSINT reporting, after creating a scheduled task, the attacker deployed Cliento.jar as the primary payload. The attacker used Microsoft Teams to send a link to a ZIP file hosted on a different compromised organization, instructing the employee to download and open the file, which contained Cliento.jar along with a JDK to ensure compatibility. It is unclear whether the SharePoint tenant used in this instance was the same as in the latest attack. 

Then, the attacker likely leveraged a remote access tool to execute the following command to launch Cliento.jar. While we did not observe the command the attacker executed to launch Post-Connect.jar, it’s likely similar to the one below.

C:\ProgramData\Cliento\jdk-22_windows-x64_bin\jdk-22.0.2\bin\javaw.exe -jar C:\ProgramData\Cliento\Cliento.jar

In the Deepwatch observed attack, no further activity was observed. However, the following activity was detailed in open-source reporting. It’s possible future attacks may involve similar activity. 

Next, the attacker modified the registry on the infected computer, adding a run key to ensure that Cliento.jar would automatically launch whenever the computer restarted. This registry modification was a final step in cementing the malware’s persistence on the system.

Set-ItemProperty -Path \"HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"current\" -Value \"C:\\ProgramData\\Cliento\\jdk-22_windows-x64_bin\\jdk-22.0.2\\bin\\javaw.exe -jar C:\\ProgramData\\Cliento\\Cliento.jar\" -ErrorAction Stop"

Key Takeaway: While we did not observe the activity described above, attacks involving similar tactics, techniques, and procedures may include them. In addition, while neither Hunters nor Deepwatch observed malicious activity following the execution of the malware and persistence, attacks may involve the threat actors uploading a ZIP file to the target’s SharePoint, and using compromised accounts to contact external organizations. Additional activity may also include lateral movement, data theft, and possible deployment of ransomware. 

Post-Connect.jar vs. Cliento.jar

Based on the Deepwatch Adversary Response and Intelligence Team’s analysis of Post-Connect.jar and comparing it to the analysis published in open-source reporting, Post-Connect.jar is likely similar to, if not the same as, Cliento.jar. While we were unable to obtain the file Cliento.jar for additional comparative analysis, OSINT screenshots show classes with the same names and the code contains references that appear to perform the same functions as Cliento.jar.

While analyzing Post-Connect.jar, the Deepwatch Threat Intel team discovered several other Java Archive (JAR) files on VirusTotal. Assuming that these JAR files perform the same functions as Post-Connect.jar and Cliento.jar, the file names, like “EmailClean.jar,” “RuleFix.jar,” and “MailQueue-Handler.jar,” suggest they are being used in spam bombing social engineering attacks of users before sending a Teams message request. 

Key Takeaway: The malware used in both attacks exhibited similar functionality, though the naming conventions and potentially some operational aspects may vary.

Actions & Recommendations

Deepwatch experts continuously monitor for threats to our customers and their environments. Based on our intelligence analysis, the Adversary Tactics and Intelligence team may develop and update detection signatures and add malicious observables to our indicator feeds. We may also use this intelligence to conduct threat hunting. However, Deepwatch experts can not discover all activity due to limitations in the log sources that Deepwatch receives.

We recommend the following actions to enhance cyber resilience:

• Employee education:
  • Regularly educate employees about security best practices and social engineering and phishing techniques. Instruct employees to be on the lookout for anything suspicious, such as messages from unknown organizations, and links being shared from a different domain than the one the message sender is from.
    • In these attacks, the message requester’s Teams account’s domain was different from the SharePoint domain the threat actor shared with the target. 
  • Ensure employees are aware of how IT support issues are handled, when and how IT support will contact employees, and the proper procedures to report issues.
    • In the latest attack, the attackers flooded the target’s email with spam mail, then contacted them via Teams, impersonating technical support personnel. 
• Restrict external access:
  • Restrict external access in Microsoft Teams to trusted domains and whitelist necessary applications.
  • Limit remote administration tools to specific, approved applications required for business purposes. Quick Assist is easily downloadable from the Microsoft Store; consider blocking its use if it’s not an approved application.
  • Consider monitoring organizationally approved remote management tools for unusual or unauthorized use. For example, if Quick Assist is used but not for remote support, it should trigger an alert.
• Layered security controls: Deploy multiple layers of security, including firewalls, Endpoint Detection and Response (EDR), intrusion detection/prevention systems (IDS/IPS), antivirus, and behavioral monitoring.
• Application and task whitelisting: Implement strict whitelisting to prevent unauthorized applications from executing. Regularly audit scheduled tasks and jobs for unauthorized entries and restrict modifications to administrators only.
• Endpoint and registry monitoring: Monitor and restrict changes to registry run keys and startup folders using endpoint security tools that can detect and block unauthorized modifications. Monitor WMI activity and restrict execution to trusted administrators via Group Policy.
• Disable and/or restrict the use of the command line and PowerShell. Update to the latest version and uninstall all earlier PowerShell versions.
• Detection and monitoring of known threats: Ensure that detection rules and security solutions can monitor malicious behavior described and consider blocking known atomic and computed indicators associated with specific attacks.

Technical Artifacts

We recommend that all customers retrospectively hunt for malicious activity, which will likely indicate compromise, using the Be On the Lookout (BOLO) guidance provided below:

• Messages sent in a one-on-one Teams chat by external users from unexpected or non-common domains.
• Sharing links, like SharePoint, in Teams chat where the link’s domain does not match the domain of any of the participants.
• The creation of a scheduled task that executes ROMServer.exe or other suspicious files.
• javaw.exe spawning Powershell with specific flags like -ExecutionPolicy Bypass, _NoExit, or -NoProfile.
• Outbound network traffic to 38.180.138[.]251.
• Post-Connect.jar SHA256 hash: 01e97e16f7fc6745d34a3c4903d756dfeca93b2c114898525b4e8402f977df01

Threat Object Mapping

Intrusion Set:

• Sangria Tempest / FIN7

Campaign:

• VEILDrive

Attack Pattern (MITRE ATT&CK):

• T1566.003: Phishing: Spearphishing via Service
• T1204.002: User Execution: Malicious File
• T1059.007: Command and Scripting Interpreter: JavaScript
• T1059.001: Command and Scripting Interpreter: PowerShell

Infrastructure:

• 38.180.138[.]251
• Microsoft 

Malware/Tool:

• Quick Assist
• Post-Connect.jar

↑