CTI Roundup: Rise in File Hosting Services Attacks, Mamba 2FA, and Dark Angels Ransomware

This week, CTI recaps Microsoft’s recent warning about increased campaigns abusing legitimate file hosting services like SharePoint, OneDrive, and Dropbox to evade detection. Next, CTI looks at an ongoing phishing campaign that leverages HTML attachments that mimic Microsoft 365 login pages. Finally, CTI wraps up with an overview of the Dark Angels ransomware group.

File hosting services enable business email compromise attacks

Microsoft is warning of increased campaigns abusing legitimate file hosting services like SharePoint, OneDrive, and Dropbox to evade detection.

According to Microsoft, the attacks increasingly involve files with restricted access and view-only restrictions. While these campaigns vary, they all share a similar end goal: compromising identities to carry out BEC attacks.

How are file hosting services being used for BEC attacks?

Microsoft observed numerous campaigns misusing legitimate file hosting services. These campaigns increasingly leverage files with restricted access and/or view-only restrictions. The campaigns are opportunistic in nature and ultimately aim to obtain identities that can be used for BEC attacks.

The files are delivered in several ways, including email and email attachments. Files with restricted access are sent via phishing emails and set only to be accessible by the intended recipient. As such, the recipient must be signed in to the file-sharing service (Dropbox, OneDrive, SharePoint) or reauthenticate.

Files with view-only restrictions are used to attempt to bypass email detonation systems. These files disable the ability to download the file, making it more difficult for tools to detect URLs embedded within the file.

Initial access

The attack will typically begin with a compromised user of a trusted vendor. The actor will then host a file on that vendor’s file hosting service and share it with a target organization.

Microsoft determined that these emails typically use topics based on existing conversations and content and use a sense of urgency to entice victims to interact with these files.

[Read also: What is social engineering in cybersecurity? A comprehensive guide]

After sharing the file, the targeted victim will receive an email from the legitimate file-sharing service stating that a file has been shared with them. That email is not necessarily phishing but leads to a phishing scenario.

Identity compromise

After a victim accesses the shared file, they are prompted to verify their identity through a one-time passcode.

After authorization, they can view the document by clicking on a link. The link redirects to a phishing page, where the victim is again asked to provide their username and password and complete multi-factor authentication (MFA). The actor steals this MFA token in the process, which can be used to carry out the next phase of a BEC attack.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Threat actors have been weaponizing legitimate services like those called out by Microsoft for some time now. Microsoft’s report indicates that this trend is continuing with the addition of new defense evasion tactics like the use of files with restricted access and view-only restrictions.

The methods Microsoft calls out in its report require the victim to take a few extra steps, such as verifying their identity to authenticate, clicking on additional links, and entering their credentials on a phishing page. This gives potential victims a few extra opportunities to catch on to the fact that this may be a threat but still inherently seeks to abuse a level of trust established with known vendors.

Microsoft offers some recommended actions and helpful hunting queries to help detect and respond to this threat.

Mamba 2FA threatens global organizations

Sekoia’s latest report details an ongoing phishing campaign using HTML attachments that mimic Microsoft 365 login pages.

The phishing pages themselves relayed MFA methods and leveraged the Socket.IO JavaScript library to communicate via WebSockets with a backend server. The attack first appeared related to the Tycoon 2FA Phishing as a Service (PhaaS) platform. Still, a deeper investigation revealed that it is related to a previously unknown adversary-in-the-middle (AiTM) phishing kit called Mamba 2FA.

Characteristics

As of October, the URLs associated with the Mamba 2FA phishing kit follow the structure {domain}/{m,n,o}/?{Base64 string}. The phishing page is only displayed if valid Base64 parameters are present and will otherwise be blank.

If the kit detects a sandbox, it will redirect to a Google 404 page. The email addresses to be targeted can be added to the end of the URL. In that case, the email is pre-filled in the displayed login form. Sekoia has determined that the phishing page can appear as one of four types, depending on a parameter included in the URL.

As of October 2024, Mamba 2FA’s infrastructure has two layers: link domains and relay servers.

Mamba 2FA capabilities

Mamba 2FA has similar capabilities to other popular phishing kits, including:

• It handles two-step verification for MFA methods like one-time codes and app notifications
• It supports Entra ID, Active Directory Federation Services (AD FS), third-party SSO providers, and consumer Microsoft accounts
• It can dynamically reflect an organization’s custom login page branding in its phishing pages
• It sends credentials and/or cookies to the attacker through a Telegram bot

Commercialization

Mamba 2FA is being sold on Telegram as a subscription model. Customers of the kit are given access to the associated Telegram bot that will help generate phishing links and HTML attachments.

The server operator maintains the infrastructure that hosts the pages, and the domains are not for a specific customer. Instead, they are used as a shared pool.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Phishing kits like Mamba 2FA are a big part of why phishing remains a top threat. These kits make it easy for actors of all sophistication levels to conduct phishing emails without the hassle of creating and maintaining the actual pages and infrastructure.

Sekoia also reveals that the domains used by Mamba 2FA are usually “reported and blocked by security solutions after a few days of use,” making blocking associated domains a game of whack-a-mole.

Dark Angels ransomware group conducts targeted attacks

According to Zscaler, the Dark Angels ransomware group began launching attacks in April 2022 and has been conducting targeted attacks ever since.

Zscaler notes that this group operates with “more stealthy and more sophisticated strategies” than other ransomware operations. The group conducts highly targeted ransomware attacks against a limited number of targets to attract minimal attention.

[Read also: The ultimate guide to ransomware defense]

About the Dark Angels ransomware group

This group is believed to operate from Russian-speaking regions and will target victims in the U.S., Europe, South America, and Asia.

The earlier Dark Angels ransomware attacks would deploy ransomware to target Windows systems and were based on the leaked Babuk source code. The group did not begin publicly releasing stolen data until early 2023.

The group moved on to using a variant of RTM Locker to launch ransomware attacks on Windows systems and a variant of Ragnar Locker to encrypt files on Linux/ESXi systems.

How Dark Angels operates

The ransomware group uses strategies like phishing and vulnerability exploitation for initial access.

Unlike many other ransomware actors, Dark Angels will not outsource their attacks to affiliates or use initial access brokers, allowing them to carry out only a few targeted attacks.

Their attacks typically result in high ransom payments and exfiltration of anywhere from 1 to 100TB of data – like the cyberattack against Johnson Controls last year in which the group stole 27TB of data.

[Listen to the Tanium Let’s Converge podcast: To pay or not to pay (and other ransomware decisions to make) with top ransomware negotiator Kurtis Minder]

File encryption

As noted, the group initially targeted Windows systems with a build of Babuk before using a variant of RTM Locker. The ransomware uses elliptic curve cryptography (ECC). Instead of appending a short extension to encrypted files, it will append the Curve25519 encoded public key.

The group uses a variant of Ragnar Locker for Linux/ESXi systems. This ransomware uses a combination of asymmetric ECC and symmetric 256-bit AES for encryption. Encryption parameters are placed as a footer in each encrypted file, along with a ransom note created for each file.

Analyst comments from Tanium’s Cyber Threat Intelligence team

The Dark Angels ransomware group differs from most other groups in several ways, though the most interesting is its lack of adoption of a ransomware-as-a-service (RaaS)/affiliate model.

The group is sticking to traditional methods of executing its attacks without outsourcing, enabling it to continue its highly targeted attacks. Dark Angels received a record-breaking ransom payment of $75 million earlier this year.

Echoing Zscsaler’s thoughts, the fact that they received a record-breaking ransom payout while rarely making headlines is incredibly concerning and speaks to their commitment to remaining incredibly stealthy.

Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.