NEW: Group Profiler — instant APT intel lookup. Try it →

← threatfilter.dev / all groups / Storm-1811

Storm-1811

G1046 MITRE ATT&CK →

Overview

Storm-1811 is a financially-motivated entity linked to Black Basta ransomware deployment. Storm-1811 is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim email inboxes with non-malicious spam to prompt a fake "help desk" interaction leading to the deployment of adversary tools and capabilities.

Capabilities

Custom malware/implant development — ATT&CK: 3 attributed custom malware families

TTPs — 31 techniques across 12 tactics

Resource Development

T1583.001 Domains
T1585.003 Cloud Accounts
T1588.002 Tool

Initial Access

Execution

T1059.001 PowerShell
T1059.003 Windows Command Shell
T1204.002 Malicious File

Persistence

T1547.001 Registry Run Keys / Startup Folder

Stealth

T1027.013 Encrypted/Encoded File
T1036 Masquerading
T1036.005 Match Legitimate Resource Name or Location
T1036.010 Masquerade Account Name
T1140 Deobfuscate/Decode Files or Information
T1574.001 DLL
T1684.001 Impersonation

Defense Impairment

T1222.001 Windows Permissions

Discovery

Lateral Movement

T1021.002 SMB/Windows Admin Shares
T1021.004 SSH
T1570 Lateral Tool Transfer

Collection

T1056 Input Capture
T1074.001 Local Data Staging

Command and Control

T1105 Ingress Tool Transfer
T1219.002 Remote Desktop Software

Exfiltration

T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Impact

T1486 Data Encrypted for Impact
T1667 Email Bombing

Tools & malware (7)

Black Basta · Cobalt Strike · Quick Assist · BITSAdmin · PsExec · Impacket · QakBot

Reporting (3)

Storm-1811 exploits RMM tools to drop Black Basta ransomware — Red Canary Intelligence
Intelligence Insights: June 2024 — The Red Canary Team
Threat actors misusing Quick Assist in social engineering attacks leading to ransomware — Microsoft Threat Intelligence