Storm-1811 | APT Profile

Description

[Storm-1811](https://attack.mitre.org/groups/G1046) is a financially-motivated entity linked to [Black Basta](https://attack.mitre.org/software/S1070) ransomware deployment. [Storm-1811](https://attack.mitre.org/groups/G1046) is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim email inboxes with non-malicious spam to prompt a fake "help desk" interaction leading to the deployment of adversary tools and capabilities.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)(Citation: RedCanary Storm-1811 2024)(Citation: RedCanary June Insights 2024)

Techniques Used (TTPs)

T1585.003 — Cloud Accounts (resource-development)
T1074.001 — Local Data Staging (collection)
T1667 — Email Bombing (impact)
T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
T1583.001 — Domains (resource-development)
T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
T1588.002 — Tool (resource-development)
T1219.002 — Remote Desktop Software (command-and-control)
T1059.001 — PowerShell (execution)
T1059.003 — Windows Command Shell (execution)
T1140 — Deobfuscate/Decode Files or Information (defense-evasion)
T1656 — Impersonation (defense-evasion)
T1036.010 — Masquerade Account Name (defense-evasion)
T1056 — Input Capture (collection, credential-access)
T1574.001 — DLL (persistence, privilege-escalation, defense-evasion)
T1204.002 — Malicious File (execution)
T1566.004 — Spearphishing Voice (initial-access)
T1027.013 — Encrypted/Encoded File (defense-evasion)
T1105 — Ingress Tool Transfer (command-and-control)
T1570 — Lateral Tool Transfer (lateral-movement)
T1021.004 — SSH (lateral-movement)
T1486 — Data Encrypted for Impact (impact)
T1036 — Masquerading (defense-evasion)
T1482 — Domain Trust Discovery (discovery)
T1566.003 — Spearphishing via Service (initial-access)
T1566.002 — Spearphishing Link (initial-access)
T1087.002 — Domain Account (discovery)
T1033 — System Owner/User Discovery (discovery)
T1048.002 — Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (exfiltration)
T1222.001 — Windows File and Directory Permissions Modification (defense-evasion)
T1021.002 — SMB/Windows Admin Shares (lateral-movement)

Total TTPs: 31

Malware & Tools

Malware: Black Basta, Cobalt Strike, QakBot

Tools: BITSAdmin, Impacket, PsExec, Quick Assist

← Return to Home ← Back to APT Search