Full Report
Microsoft has identified a Morocco-based cybercrime group, Storm-0539, known for sophisticated phishing attacks to steal and sell gift cards. Active since 2021, the group targets large retailers by compromising gift card services and bypassing multi-factor authentication. Thei...
Analysis Summary
# Threat Actor: Storm-0539 (Also associated with Campaign: Atlas Lion)
## Attribution & Identity
* **Identification:** Morocco-based cybercrime group.
* **Aliases:** Storm-0539 (Microsoft's tracking name for the group).
* **Known Associations:** The activity is associated with the campaign named "Atlas Lion."
## Activity Summary
* **Activity Period:** Active since 2021.
* **Recent Trends:** Attacks increased by 30% between March and May 2024.
* **Core Activity:** Sophisticated phishing attacks aimed at stealing and selling gift cards.
## Tactics, Techniques & Procedures
* **Initial Access:** Phishing, Smishing (SMS phishing).
* **Credential Access/Evasion:** Bypassing multi-factor authentication (MFA).
* **Specific Techniques:**
  * Adversary-in-the-middle (AiTM) phishing.
  * Exploiting cloud infrastructure to gain unauthorized access.
  * Credential theft.
  * MFA enrollment manipulation.
## Targeting
* **Sectors:** Large retailers (specifically targeting their gift card services).
* **Geography:** Originating from Morocco (implied by attribution).
* **Victims:** Large retailers whose gift card services are compromised.
## Tools & Infrastructure
* **Malware Families Used:** Not explicitly named in the provided context.
* **Infrastructure:** Not explicitly detailed (e.g., C2 domains/IPs are not provided).
## Implications
The group poses a significant threat to retail sectors globally, focusing on financial gain via gift card fraud. Their use of AiTM phishing and active efforts to bypass MFA indicate a high level of technical sophistication, allowing them to maintain persistent unauthorized access.
## Mitigations
* Implement robust MFA solutions that are resistant to AiTM phishing (e.g., FIDO2/hardware tokens).
* Educate end-users about sophisticated phishing and smishing lures.
* Monitor for unauthorized access attempts targeting cloud infrastructure associated with payment/gift card services.
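The third mitigation and the "MFA enrollment manipulation" technique listed above can be paired in a simple detection: flag any MFA method registration that closely follows a sign-in from an IP address the account has never used before. The following is an added example, not part of the report; the audit-record format, field names, baseline IP set and time window are all constructed assumptions, not a real product's schema.

```python
# Added example (not from the report). Detects MFA-method registrations that follow
# a sign-in from an IP outside the account's known baseline within a short window.
import json
from datetime import datetime, timedelta

# Constructed sample audit records (not real data). Field names are assumptions.
SAMPLE_EVENTS = [
    '{"ts":"2024-04-02T08:00:00","user":"alice","event":"signin","ip":"203.0.113.5"}',
    '{"ts":"2024-04-02T08:03:00","user":"alice","event":"mfa_method_added","ip":"203.0.113.5"}',
    '{"ts":"2024-04-02T09:10:00","user":"bob","event":"signin","ip":"198.51.100.7"}',
    '{"ts":"2024-04-02T09:12:00","user":"bob","event":"mfa_method_added","ip":"198.51.100.7"}',
]
# Constructed baseline of IPs each account has previously signed in from.
KNOWN_IPS = {"alice": {"203.0.113.5"}, "bob": {"192.0.2.10"}}
WINDOW = timedelta(minutes=30)  # assumed correlation window


def parse_events(lines):
    """Parse JSON audit lines and return them ordered by timestamp."""
    events = [json.loads(line) for line in lines]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_enrollments(lines, known_ips, window=WINDOW):
    """Return (user, ip, timestamp) for every mfa_method_added event that occurs
    within `window` of a sign-in from an IP not in that user's baseline."""
    hits = []
    last_unknown_ip_signin = {}  # user -> (ip, ts) of latest sign-in from a new IP
    for e in parse_events(lines):
        user = e["user"]
        if e["event"] == "signin" and e["ip"] not in known_ips.get(user, set()):
            last_unknown_ip_signin[user] = (e["ip"], e["ts"])
        elif e["event"] == "mfa_method_added":
            prior = last_unknown_ip_signin.get(user)
            if prior is not None and e["ts"] - prior[1] <= window:
                hits.append((user, e["ip"], e["ts"].isoformat()))
    return hits


if __name__ == "__main__":
    for user, ip, ts in find_suspicious_enrollments(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"ALERT: {user} added an MFA method at {ts} after a sign-in from new IP {ip}")
```

Alice's enrollment is not flagged because her sign-in came from a baseline IP; Bob's is, because the sign-in preceding it came from an address absent from his baseline.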