Sangria Tempest

Threat Actor updated 2 months ago (2024-10-03T23:00:56.934Z)
Sangria Tempest, also known as Carbon Spider, Elbrus, and FIN7, is a threat actor that has been active since 2013. The group frequently targets the restaurant industry to steal payment card data and has stolen tens of millions of payment card records. It deploys Carbanak, a backdoor the actor has used since 2014, which in turn delivers the Gracewire malware implant. The group has also used Google ads to lure users into downloading malicious MSIX application packages, leading to the delivery of POWERTRASH, a highly obfuscated PowerShell script.

In mid-November 2023, Microsoft observed Sangria Tempest using Storm-1113's EugenLoader, delivered through malicious MSIX package installations, to drop its Carbanak malware framework, which subsequently deployed the Gracewire implant. Since mid-November 2023, Microsoft Threat Intelligence has observed several threat actors, including Sangria Tempest, Storm-0569, Storm-1113, and Storm-1674, using the ms-appinstaller URI scheme to distribute malware. This scheme serves as a point of entry for human-operated ransomware activity, and each of these groups employs its own tactics for initial access and the ransomware activity that follows. Since November 2023, Microsoft has monitored the activity of multiple cybercriminal groups, including Sangria Tempest, and has broken down how these groups operate.

In late 2023, FIN7, a Russian advanced persistent threat (APT) group, conducted a spear-phishing campaign that BlackBerry's threat research team spotted and ultimately halted. The campaign targeted employees with high levels of administrative rights. BlackBerry detected it early, locating an infected system and isolating it before the attackers could penetrate deeper into the network through lateral movement.
Description last updated: 2024-10-03T22:15:55.805Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias (votes): Description

FIN7 (5 votes): FIN7 is a possible alias for Sangria Tempest. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global ...

Carbanak (2 votes): Carbanak is a possible alias for Sangria Tempest. Carbanak is a notorious malware developed by the cybercrime collective known as FIN7, also referred to as Carbon Spider, Cobalt Group, and Navigator Group. The group, which has been active since 2012, is of Russian origin and has been particularly focused on exploiting the restaurant, gambling, and ...
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware, Microsoft, Lateral Move..., Phishing, Backdoor, Exploit
Associated Malware
Alias (association type, votes): Description

Clop (Unspecified, 3 votes): The Clop malware is associated with Sangria Tempest. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitin...

Lizar (Unspecified, 2 votes): The Lizar malware is associated with Sangria Tempest. Lizar, also known as Tirion or Diceloader, is a malicious software developed by the threat group ITG14. It's designed to exploit and damage computers or devices, infiltrating systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operati...

JssLoader (Unspecified, 2 votes): The JssLoader malware is associated with Sangria Tempest. JssLoader is a malware often used by the ransomware gang FIN7, also known as Sangria Tempest, Elbrus, Carbon Spider, and others. This malicious software is typically delivered through deceptive tactics such as email lures, including invoice- and payment-themed decoy messages that trick users into do...

Gracewire (Unspecified, 2 votes): The Gracewire malware is associated with Sangria Tempest. Gracewire is a potent malware that has been deployed by threat actors to exploit and damage computer systems. It is typically delivered through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal information, disrupt operations, ...

DarkGate (Unspecified, 2 votes): The DarkGate malware is associated with Sangria Tempest. DarkGate is a multifunctional malware that poses significant threats to computer systems and networks. It has been associated with various malicious activities such as information theft, credential stealing, cryptocurrency theft, and ransomware delivery. DarkGate infiltrates systems through suspicio...

REvil (Unspecified, 2 votes): The REvil malware is associated with Sangria Tempest. REvil, also known as Sodinokibi, is a malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. Th...

Maze (Unspecified, 2 votes): The Maze malware is associated with Sangria Tempest. Maze is a form of malicious software, or malware, that pioneered a novel double-extortion tactic in the cyber threat landscape. Its modus operandi involves stealing victims' files before encrypting them, thereby enabling the threat actors to threaten both the disruption of operations and the release...
Associated Threat Actors
Alias (association type, votes): Description

BlackMatter (Unspecified, 2 votes): The BlackMatter threat actor is associated with Sangria Tempest. BlackMatter, a threat actor in the cybersecurity realm, is known for its malicious activities and has been linked to several ransomware strains. The group emerged as a successor to the DarkSide ransomware, which was responsible for the high-profile attack on the Colonial Pipeline in May 2021. Howeve...

DarkSide (Unspecified, 2 votes): The DarkSide threat actor is associated with Sangria Tempest. DarkSide is a threat actor known for its malicious activities, primarily in the realm of ransomware attacks. One of their most notable exploits occurred on May 7, 2021, when they targeted Colonial Pipeline Co., a major player in the U.S. energy sector. The attack disrupted the gasoline supply across...
Source Document References
Information about the Sangria Tempest threat actor was read from the document corpus below. This display is limited to 20 results.

Source, created:
BankInfoSecurity, 2 months ago
CERT-EU, a year ago
BankInfoSecurity, 7 months ago
DARKReading, 7 months ago
DARKReading, 9 months ago
CERT-EU, 10 months ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
Checkpoint, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
BankInfoSecurity, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago