Sangria Tempest

Threat Actor updated 4 months ago (2024-05-04T17:19:19.971Z)
Sangria Tempest, also known as FIN7, Carbon Spider, and ELBRUS, is a threat actor that has been active since 2014. This Russian advanced persistent threat (APT) group is known for spear-phishing campaigns, malware distribution, and theft of payment card data. The actor frequently targets the restaurant industry and has stolen tens of millions of payment card records. It also deploys Carbanak, a backdoor the actor uses to deliver the Gracewire malware implant.

In mid-November 2023, Microsoft observed Sangria Tempest using Storm-1113's EugenLoader, delivered through malicious MSIX package installations. Microsoft Threat Intelligence noted several actors, including Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, using App Installer as a point of entry for human-operated ransomware activity; since mid-November 2023 these actors have been exploiting the ms-appinstaller URI scheme to distribute malware. Sangria Tempest was found to use Google ads to lure users into downloading malicious MSIX application packages, possibly relying on Storm-1113 infrastructure, leading to the delivery of POWERTRASH, a highly obfuscated PowerShell script. In November, Sangria Tempest also used EugenLoader to drop its Carbanak malware framework, which then deployed the Gracewire implant.

In late 2023, BlackBerry's threat research team spotted and halted a FIN7 campaign. The group targeted employees with high levels of administrative rights, but the defenders detected the campaign early, located an infected system, and isolated it before the attackers could move laterally deeper into the network. Separately, threat operations including Sangria Tempest exploited Microsoft's ms-appinstaller protocol, intended to speed up Windows app installation, to distribute malware, which prompted Microsoft to disable the protocol.
Description last updated: 2024-05-04T17:08:58.014Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): Profile Description

FIN7 (5 votes): FIN7, a prominent threat actor in the cybercrime landscape, has been noted for its malicious activities and innovative tactics. Known for their relentless attacks on large corporations, FIN7 recently targeted a significant U.S. carmaker with phishing attacks, demonstrating their continued evolution

Carbanak (2 votes): Carbanak is a sophisticated malware known for its involvement in various cyberattacks since it was first identified. This malicious software, created by the Russian criminal group FIN7 (also known as Carbanak, Carbon Spider, Cobalt Group, Navigator Group), has been active since mid-2015. The group p
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Microsoft
Lateral Move...
Phishing
Backdoor
Exploit
Associated Malware
ID (type, votes): Profile Description

Clop (type: Unspecified, 3 votes): Clop, also known as Cl0p, is a notorious ransomware group responsible for several high-profile cyberattacks. The group specializes in exploiting vulnerabilities in software and systems to gain unauthorized access, exfiltrate sensitive data, and then extort victims by threatening to release the stole

Lizar (type: Unspecified, 2 votes): Lizar, also known as Tirion or Diceloader, is a malicious software developed by the threat group ITG14. It's designed to exploit and damage computers or devices, infiltrating systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operati

JssLoader (type: Unspecified, 2 votes): JssLoader is a malware often used by the ransomware gang FIN7, also known as Sangria Tempest, Elbrus, Carbon Spider, and others. This malicious software is typically delivered through deceptive tactics such as email lures, including invoice- and payment-themed decoy messages that trick users into do

Gracewire (type: Unspecified, 2 votes): Gracewire is a potent malware that has been deployed by threat actors to exploit and damage computer systems. It is typically delivered through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal information, disrupt operations,

DarkGate (type: Unspecified, 2 votes): DarkGate is a malicious software (malware) designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. Once embedded in a system, DarkGate can steal personal information, disrupt operations, or hold data for ransom. Recently, the malware was

REvil (type: Unspecified, 2 votes): REvil is a type of malware, specifically ransomware, that has been linked to significant cyber attacks. It emerged as part of the Ransomware as a Service (RaaS) model that gained popularity in 2020. This model established relationships between first-stage malware and subsequent ransomware attacks, s

Maze (type: Unspecified, 2 votes): Maze is a type of malware, specifically ransomware, that gained notoriety in 2019 for its double extortion tactic. This malicious software infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Maze w
Associated Threat Actors
ID (type, votes): Profile Description

BlackMatter (type: Unspecified, 2 votes): BlackMatter is a recognized threat actor in the cybersecurity industry, notorious for its malicious activities and the execution of ransomware attacks. The group initially operated as DarkSide, responsible for the high-profile Colonial Pipeline attack in May 2021, which led to significant attention

DarkSide (type: Unspecified, 2 votes): DarkSide is a threat actor known for its malicious activities, particularly in the realm of ransomware. This group was notably responsible for the major attack on the U.S. energy sector that targeted Colonial Pipeline Co. on May 7, 2021, using a ransomware-as-a-service operation. The DarkSide ransom
Source Document References
Information about the Sangria Tempest threat actor was read from the documents corpus below. This display is limited to 20 results.
Source, Created: Title

CERT-EU, 8 months ago: Microsoft Disables App Installer Feature Amid Security Concerns
BankInfoSecurity, 5 months ago: FIN7 Targeted US Automotive Giant In Failed Attack
DARKReading, 5 months ago: Russian APT Group Thwarted in Attack on US Automotive Manufacturer
DARKReading, 6 months ago: The Rise of Social Engineering Fraud in Business Email Compromise
CERT-EU, 8 months ago: MSIX App Installer Disabled Amid Microsoft Malware Attacks
CERT-EU, 8 months ago: Microsoft disables online Windows App Installer after attackers abuse it | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU, 8 months ago: Israeli orgs subjected to suspected Iranian hacking attacks
Checkpoint, 8 months ago: 1st January – Threat Intelligence Report - Check Point Research
CERT-EU, 8 months ago: Microsoft Disables App Installer After Feature is Abused for Malware
CERT-EU, 8 months ago: Financially motivated threat actors misusing App Installer | Microsoft Security Blog
CERT-EU, 8 months ago: Activity of Rugmi malware loader spikes
CERT-EU, 8 months ago: Malware attacks exploiting app installation protocol prompt deactivation
BankInfoSecurity, 8 months ago: Microsoft Disables Abused Application Installation Protocol
CERT-EU, 8 months ago: Microsoft disables app installation protocol abused by hackers | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU, 8 months ago: Microsoft: Microsoft details how financially motivated hackers targeted Windows users | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU, 8 months ago: Financially motivated threat actors misusing App Installer - Cyber Security Review
CERT-EU, 8 months ago: Cyber Security Week In Review: December 29, 2023
CERT-EU, 8 months ago: Microsoft Disables MSIX App Installer Protocol Widely Used in Malware Attacks | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU, 8 months ago: Microsoft disables MSIX protocol handler abused in malware attacks