Source: attack.mitre.org

Storm-1811

Storm-1811 is a financially motivated entity linked to Black Basta ransomware deployment. Storm-1811 is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim email inboxes with non-malicious spam to prompt a fake "help desk" interaction that leads to the deployment of adversary tools and capabilities.[1][2][3][4]

ID: G1046
Contributors: Liran Ravich, CardinalOps; Joe Gumke, U.S. Bank
Version: 1.0
Created: 14 March 2025
Last Modified: 14 March 2025

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

Storm-1811 has performed domain account enumeration during intrusions.[1]

Enterprise T1583 .001 Acquire Infrastructure: Domains

Storm-1811 has created domains for use with RMM tools.[2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Storm-1811 has created Windows Registry Run keys that execute various batch scripts to establish persistence on victim devices.[2]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Storm-1811 has used PowerShell for multiple purposes, such as a PowerShell script that runs in an infinite loop to establish an SSH connection to a command and control server.[2]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Storm-1811 has used multiple batch scripts during initial access and subsequent actions on victim machines.[1][2]

Enterprise T1486 Data Encrypted for Impact

Storm-1811 is a financially motivated entity linked to the deployment of Black Basta ransomware in victim environments.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

Storm-1811 has locally staged captured credentials for subsequent manual exfiltration.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

Storm-1811 has distributed password-protected archives such as ZIP files during intrusions.[2]

Enterprise T1482 Domain Trust Discovery

Storm-1811 has enumerated domain accounts and access during intrusions.[1]

Enterprise T1667 Email Bombing

Storm-1811 has deployed large volumes of non-malicious email spam to victims in order to prompt follow-on interactions with the threat actor posing as IT support or helpdesk to resolve the problem.[2][3]

Enterprise T1585 .003 Establish Accounts: Cloud Accounts

Storm-1811 has created malicious accounts to enable activity via Microsoft Teams, typically spoofing various IT support and helpdesk themes.[1]

Enterprise T1048 .002 Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Storm-1811 has exfiltrated captured user credentials via Secure Copy Protocol (SCP).[2]

Enterprise T1222 .001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Storm-1811 has used cacls.exe via batch script to modify file and directory permissions in victim environments.[2]

Enterprise T1574 .001 Hijack Execution Flow: DLL

Storm-1811 has deployed a malicious DLL (7z.DLL) that is sideloaded by a modified, legitimate installer (7zG.exe) when that installer is executed with the additional command-line parameter b at runtime, loading a Cobalt Strike beacon payload.[2]

Enterprise T1656 Impersonation

Storm-1811 impersonates help desk and IT support personnel for phishing and social engineering purposes during initial access to victim environments.[1]

Enterprise T1105 Ingress Tool Transfer

Storm-1811 has used scripted cURL commands, BITSAdmin, and other mechanisms to retrieve follow-on batch scripts and tools for execution on victim devices.[1][2][4]

Enterprise T1056 Input Capture

Storm-1811 has used a PowerShell script to capture user credentials after prompting a user to authenticate to run a malicious script masquerading as a legitimate update item.[2]

Enterprise T1570 Lateral Tool Transfer

Storm-1811 has used the Impacket toolset to move payloads to other hosts in victim networks and execute them remotely.[2]

Enterprise T1036 Masquerading

Storm-1811 has prompted users to download and execute batch scripts that masquerade as legitimate update files during initial access and social engineering operations.[2]

Enterprise T1036 .005 Match Legitimate Resource Name or Location

Storm-1811 has disguised a Cobalt Strike installer as a malicious DLL that masquerades as part of a legitimate 7-Zip installation package.[2]

Enterprise T1036 .010 Masquerade Account Name

Storm-1811 has created Microsoft Teams accounts that spoof IT support and helpdesk members for use in application and voice phishing.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Storm-1811 XOR-encodes a Cobalt Strike installation payload inside a DLL file; the payload is decoded with a hardcoded key when the DLL is loaded by a legitimate 7-Zip installation process.[2]

Enterprise T1588 .002 Obtain Capabilities: Tool

Storm-1811 has acquired various legitimate and malicious tools, such as RMM software and commodity malware packages, for operations.[1][2]

Enterprise T1566 .002 Phishing: Spearphishing Link

Storm-1811 has distributed malicious links to victims that redirect to EvilProxy-based phishing sites to harvest credentials.[1]

Enterprise T1566 .003 Phishing: Spearphishing via Service

Storm-1811 has used Microsoft Teams to send messages and initiate voice calls to victims posing as IT support personnel.[1]

Enterprise T1566 .004 Phishing: Spearphishing Voice

Storm-1811 has initiated voice calls with victims posing as IT support to prompt users to download and execute scripts and other tools for initial access.[1][2][3]

Enterprise T1219 .002 Remote Access Tools: Remote Desktop Software

Storm-1811 has abused multiple types of legitimate remote access software and tools, such as ScreenConnect, NetSupport Manager, and AnyDesk.[1][2]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Storm-1811 has attempted to move laterally in victim environments via SMB using Impacket.[2]

Enterprise T1021 .004 Remote Services: SSH

Storm-1811 has used OpenSSH to establish an SSH tunnel to victims for persistent access.[1]

Enterprise T1033 System Owner/User Discovery

Storm-1811 has used whoami.exe to determine if the active user on a compromised system is an administrator.[2]

Enterprise T1204 .002 User Execution: Malicious File

Storm-1811 has prompted users to execute downloaded software and payloads as the result of social engineering activity.[1][2][3]

Software

ID Name References Techniques
S0190 BITSAdmin Storm-1811 has used BITSAdmin to download payloads.[1][4] BITS Jobs, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, Lateral Tool Transfer
S1070 Black Basta Storm-1811 is associated with the deployment of Black Basta ransomware.[1][2] Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Create or Modify System Process: Windows Service, Data Encrypted for Impact, Debugger Evasion, Defacement: Internal Defacement, Execution Guardrails: Mutual Exclusion, File and Directory Discovery, File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification, Impair Defenses: Safe Mode Boot, Inhibit System Recovery, Masquerading: Match Legitimate Resource Name or Location, Masquerading: Masquerade Task or Service, Modify Registry, Native API, Obfuscated Files or Information: Binary Padding, Remote System Discovery, Subvert Trust Controls: Code Signing, System Information Discovery, System Service Discovery, System Shutdown/Reboot, User Execution: Malicious File, Virtualization/Sandbox Evasion, Virtualization/Sandbox Evasion: System Checks, Windows Management Instrumentation
S0154 Cobalt Strike Storm-1811 operations include the use of Cobalt Strike.[1][2] Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol or Service Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation
S0357 Impacket Storm-1811 has used Impacket for lateral movement activity.[2] Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Lateral Tool Transfer, Network Sniffing, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Ccache Files, System Services: Service Execution, Windows Management Instrumentation
S0029 PsExec Storm-1811 has used PsExec for remote process execution.[1] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0650 QakBot Storm-1811 operations have included deployment of QakBot.[1] Application Layer Protocol: Web Protocols, Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Session Hijacking, Brute Force, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Data from Local System, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Domain Trust Discovery, Dynamic Resolution: Domain Generation Algorithms, Email Collection: Local Email Collection, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Exploitation of Remote Services, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Hijack Execution Flow: DLL, Impair Defenses: Disable or Modify Tools, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Masquerade File Type, Modify Registry, Native API, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information: HTML Smuggling, Obfuscated Files or Information: Command Obfuscation, Obfuscated Files or Information, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information: Software Packing, Peripheral Device Discovery, Permission Groups Discovery: Local Groups, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Process Discovery, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: External Proxy, Remote System Discovery, Replication Through Removable Media, Scheduled Task/Job: Scheduled Task, Software Discovery: Security Software Discovery, Software Discovery, Steal Web Session Cookie, Subvert Trust Controls: Code Signing, Subvert Trust Controls: Mark-of-the-Web Bypass, System Binary Proxy Execution: Regsvr32, System Binary Proxy Execution: Msiexec, System Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery: Internet Connection Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Time Discovery, User Execution: Malicious Link, User Execution: Malicious File, Virtualization/Sandbox Evasion: System Checks, Virtualization/Sandbox Evasion: Time Based Evasion, Windows Management Instrumentation
S1209 Quick Assist Storm-1811 has used Quick Assist as part of social engineering activity to interact with victims and install follow-on malicious software.[1] Application Layer Protocol: Web Protocols, Screen Capture, Video Capture

References