Sangria Tempest

Threat Actor Profile Updated 2 months ago
Sangria Tempest, also known as FIN7, Carbon Spider, and ELBRUS, is a threat actor that has been active since 2014. This Russian advanced persistent threat (APT) group is known for spear-phishing campaigns, malware distribution, and theft of payment card data. The actor frequently targets the restaurant industry and has successfully stolen tens of millions of payment card records. It also deploys Carbanak, a backdoor the actor uses to deliver the Gracewire malware implant.

In mid-November 2023, Microsoft observed Sangria Tempest using Storm-1113's EugenLoader, delivered through malicious MSIX package installations. Microsoft Threat Intelligence noted several actors, including Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, using App Installer as a point of entry for human-operated ransomware activity; since mid-November 2023, these actors have been exploiting the ms-appinstaller URI scheme to distribute malware. Sangria Tempest was found to use Google ads to lure users into downloading malicious MSIX application packages, possibly relying on Storm-1113 infrastructure, leading to the delivery of POWERTRASH, a highly obfuscated PowerShell script. In November, the group also used EugenLoader to drop its well-known Carbanak malware framework, which then deployed the Gracewire implant.

FIN7 activity was spotted and halted by BlackBerry's threat research team in late 2023. The group targeted employees with high levels of administrative rights, but the defenders detected the campaign early, locating an infected system and isolating it before the attackers could move laterally deeper into the network. Even so, the abuse of Microsoft's ms-appinstaller protocol, intended to expedite Windows app installation, by Sangria Tempest and other threat operations for malware distribution prompted Microsoft to disable the protocol.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
FIN7 | 5 | FIN7, a known threat actor in the cybersecurity world, has been recognized for its malicious activities against various entities. This group, which could be an individual, a private company, or part of a government body, is notorious for executing actions with harmful intent. One notable instance of
Carbanak | 2 | Carbanak is a notorious malware, short for malicious software, known for its destructive capabilities. This harmful program infiltrates systems via suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or even hold data hostage for ransom. The initial payl
Carbon Spider | 1 | CARBON SPIDER, also known as FIN7 and Sangria Tempest, is a threat actor that has been active in the eCrime space since approximately 2013. This criminally motivated group primarily targets the hospitality and retail sectors with the aim of obtaining payment card data. The group has been linked to s
Elbrus | 1 | None
Ta543 | 1 | TA543, also known as Storm-0324 and Sagrid, is a financially-motivated threat actor notorious for its malicious activities. The group has been observed exploiting the Microsoft Teams messaging app to conduct sophisticated phishing operations, which involves sending other attackers' payloads using ph
Maze Ransomware | 1 | Maze ransomware is a type of malware that emerged in 2019, employing a double extortion tactic to wreak havoc on its victims. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for
Lace Tempest | 1 | Lace Tempest, a threat actor known for executing actions with malicious intent, has been identified as the orchestrator behind a series of cyber attacks exploiting a zero-day vulnerability in SysAid. The exploit was first brought to light by SysAid and further detailed in a blog post on TuxCare. Thi
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Microsoft
Exploit
Backdoor
Lateral Move...
Phishing
Windows
Payload
RaaS
Cybercrime
Ransom
Malvertising
Papercut
Malware
Blackberry
Rat
Extortion
Malware Impl...
Loader
Spyware
Apt
Implant
Infiltration
Openssh
Associated Malware
ID | Type | Votes | Profile Description
Clop | Unspecified | 3 | Clop is a notorious malware, short for malicious software, that is designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Clop can steal personal information, disrupt operations, or h
Jssloader | Unspecified | 2 | JssLoader is a malware often used by the ransomware gang FIN7, also known as Sangria Tempest, Elbrus, Carbon Spider, and others. This malicious software is typically delivered through deceptive tactics such as email lures, including invoice- and payment-themed decoy messages that trick users into do
Lizar | Unspecified | 2 | Lizar, also known as Tirion or Diceloader, is a malicious software developed by the threat group ITG14. It's designed to exploit and damage computers or devices, infiltrating systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operati
Gracewire | Unspecified | 2 | Gracewire is a potent malware that has been deployed by threat actors to exploit and damage computer systems. It is typically delivered through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal information, disrupt operations,
REvil | Unspecified | 2 | REvil, also known as Sodinokibi, is a type of malware that gained notoriety through its use in ransomware attacks. As the Ransomware as a Service (RaaS) model grew in popularity during 2020, relationships between first-stage malware and subsequent ransomware attacks were established. One such connec
Maze | Unspecified | 2 | Maze is a type of malware, specifically ransomware, that gained notoriety in 2019 for its double extortion tactic. This malicious software infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Maze w
Darkgate | Unspecified | 2 | DarkGate is a malicious software (malware) known for its harmful impact on computer systems and devices. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold data host
Netsupport | Unspecified | 1 | NetSupport is a malicious software (malware) that has been used in various cyberattacks, including the Royal Ransomware attack and assaults by former ITG23 members. It can infiltrate systems through suspicious downloads, emails, or websites and then steal personal information, disrupt operations, or
Eugenloader | Unspecified | 1 | EugenLoader, also known as FakeBat, is a form of malware that was detected by Microsoft in mid-November 2023. It was distributed by an initial access broker known as Storm-1113 through search advertisements mimicking the Zoom app, with the malware delivered via bogus MSIX installers masquerading as
Netsupport Rat | Unspecified | 1 | NetSupport RAT is a type of malware that can significantly compromise an organization's digital security. Originally derived from the legitimate NetSupport Manager, a remote technical support tool, this malware infects systems through suspicious downloads, emails, or websites, often unbeknownst to t
Batloader | Unspecified | 1 | Batloader is a malware downloader posing as installers or updates for legitimate applications such as Microsoft Teams, Zoom, and others. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal
Associated Threat Actors
ID | Type | Votes | Profile Description
DarkSide | Unspecified | 2 | DarkSide is a notorious threat actor known for its malicious activities involving ransomware attacks. The group gained significant notoriety in 2021 when it attacked the largest oil pipeline in the United States, leading to a temporary halt of all operations for three days. This incident, along with
Blackmatter | Unspecified | 2 | BlackMatter is a threat actor that emerged as a rebrand of the infamous DarkSide ransomware group, known for its attack on Colonial Pipeline in May 2021. In November 2021, BlackMatter announced it was shutting down due to targeted actions by law enforcement. Despite this announcement, the group didn
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Fin7/sangria Tempest | Unspecified | 1 | None
Source Document References
Information about the Sangria Tempest threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
BankInfoSecurity | 3 months ago | FIN7 Targeted US Automotive Giant In Failed Attack
DARKReading | 3 months ago | Russian APT Group Thwarted in Attack on US Automotive Manufacturer
DARKReading | 4 months ago | The Rise of Social Engineering Fraud in Business Email Compromise
CERT-EU | 6 months ago | MSIX App Installer Disabled Amid Microsoft Malware Attacks
CERT-EU | 6 months ago | Microsoft disables online Windows App Installer after attackers abuse it | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU | 6 months ago | Israeli orgs subjected to suspected Iranian hacking attacks
Checkpoint | 6 months ago | 1st January – Threat Intelligence Report - Check Point Research
CERT-EU | 6 months ago | Microsoft Disables App Installer After Feature is Abused for Malware
CERT-EU | 6 months ago | Financially motivated threat actors misusing App Installer | Microsoft Security Blog
CERT-EU | 6 months ago | Activity of Rugmi malware loader spikes
CERT-EU | 6 months ago | Malware attacks exploiting app installation protocol prompt deactivation
BankInfoSecurity | 6 months ago | Microsoft Disables Abused Application Installation Protocol
CERT-EU | 6 months ago | Microsoft disables app installation protocol abused by hackers | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 6 months ago | Microsoft: Microsoft details how financially motivated hackers targeted Windows users | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 6 months ago | Financially motivated threat actors misusing App Installer - Cyber Security Review
CERT-EU | 6 months ago | Cyber Security Week In Review: December 29, 2023
CERT-EU | 7 months ago | Microsoft Disables MSIX App Installer Protocol Widely Used in Malware Attacks | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU | 7 months ago | Microsoft disables MSIX protocol handler abused in malware attacks
CERT-EU | 9 months ago | Storm-0324 Abusing Microsoft Teams To Gain Initial Access And Deploy Ransomware