The threat actor tracked as TA866 has resurfaced after a nine-month hiatus with a new high-volume phishing campaign that spreads the malware families known as WasabiSeed and Screenshotter.
How TA866's phishing campaign works
The campaign, observed earlier this month and blocked by Proofpoint on January 11, 2024, involved sending thousands of invoice-themed emails to targets in North America, each carrying a deceptive PDF attachment.
“There were OneDrive URLs in the PDFs that, when clicked, began a multi-step infection chain that ultimately led to the malware payload, a variant of the custom WasabiSeed and Screenshotter toolset,” enterprise security firm Proofpoint said of the TA866 activity.
Proofpoint first documented TA866 in February 2023, in connection with a campaign called Screentime that distributed WasabiSeed, a Visual Basic script dropper used to download Screenshotter. Screenshotter captures screenshots of the victim's desktop at regular intervals and sends them to an attacker-controlled domain.
There is evidence that the operation is financially motivated: Screenshotter serves as a reconnaissance tool to identify high-value targets for post-exploitation, after which the operators deploy an AutoHotKey (AHK)-based bot that ultimately downloads the Rhadamanthys information stealer.
Subsequent findings by Slovakian cybersecurity firm ESET in June 2023 revealed overlaps between Screentime and another set of intrusions called Asylum Ambuscade, a crimeware group active since at least 2020 that also conducts cyber espionage operations.
The most recent set of attacks is virtually unchanged, except for the switch from macro-enabled Publisher attachments to PDFs containing a rogue OneDrive link; the campaign relies on a spam service provided by TA571 to distribute the malicious PDFs.
“TA571 is a spam distributor and this attacker sends high volume email spam campaigns to deliver and install various malware for their cybercriminal clients,” said Proofpoint researcher Axel F.
That includes AsyncRAT, NetSupport RAT, IcedID, PikaBot, QakBot (also known as Qbot) and DarkGate; the latter allows attackers to perform operations such as information theft, cryptocurrency mining and execution of arbitrary programs.
Splunk, which has detected multiple campaigns deploying a loader designed to launch DarkGate on compromised endpoints, stated that the malicious PDF files act as the vector for an MSI installer that extracts a cabinet archive (CAB) and triggers DarkGate execution via an AutoIt script loader.
“DarkGate first appeared in 2017 and is only sold to a small number of attack groups in the form of Malware-as-a-Service via underground forums,” South Korean cybersecurity firm S2W said in a malware analysis this week, adding: “DarkGate continues to update itself by adding features and fixing bugs based on analysis findings from security researchers and vendors,” highlighting the adversaries' continued efforts to implement anti-analysis techniques to evade detection.
The news of TA866's return comes as Cofense revealed shipping-themed phishing emails that mainly target the manufacturing sector to deliver malware such as Agent Tesla and Formbook.
“Shipping-themed emails increase during the holidays, although only slightly,” said Cofense security researcher Nathaniel Raymond. “Largely, yearly trends suggest that these emails follow a particular trend throughout the year with varying amounts of volume, with the most significant volumes in June, October and November.”
The development also follows the discovery of a new evasion tactic that abuses the URL verdict caching of security products: the phishing message embeds a Call To Action (CTA) URL that, at the time the product scans it, points to a trusted website.

“Their strategy involves storing a seemingly benign version of the attack vector and subsequently modifying it to deliver a malicious payload,” Trellix said, adding that such attacks disproportionately affected the financial services, manufacturing, retail and insurance sectors in Italy, the United States, France, Australia and India.
When a security engine analyzes such a URL, it marks it as safe and stores the verdict in its cache for a set period of time. If the same URL is encountered again during that period, it is not re-examined; the stored result is served instead. Trellix points out that attackers exploit this behaviour by waiting for the security vendor to process the CTA URL and cache its verdict, and only then changing the link so that it redirects to the intended phishing page.
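The cache-poisoning sequence above, as an added example that is not part of the original article and not any vendor's code: a toy URL scanner with a TTL verdict cache stands in for a real email security engine, a dictionary stands in for the live web, and all URLs, page contents and the phishing markers are constructed for the illustration. The naive scanner caches the verdict under the URL as it appears in the email, so the flipped redirect is never noticed; the hardened variant re-resolves the redirect chain on every lookup and caches under the landing URL, so the switch to the phishing page produces a cache miss and a fresh scan.

```python
"""Simulation of the URL-verdict cache bypass described above (constructed example)."""
from dataclasses import dataclass, field

# Constructed sample "internet": a URL maps to ("redirect", target) or ("page", body).
WEB = {
    "https://cta.example-tracker.test/go": ("redirect", "https://www.example.com/"),
    "https://www.example.com/": ("page", "Welcome to our company site"),
    "https://login-verify.example-phish.test/": ("page", "Enter your password to verify your account"),
}

# Hypothetical content heuristics standing in for a real phishing classifier.
PHISH_MARKERS = ("enter your password", "verify your account")


def resolve(url, web, max_hops=5):
    """Follow redirects and return the chain of URLs, ending at the landing page."""
    chain = [url]
    for _ in range(max_hops):
        kind, value = web.get(url, ("page", ""))
        if kind != "redirect":
            return chain
        url = value
        chain.append(url)
    return chain  # redirect loop or too many hops: caller judges the last URL seen


def classify(landing_url, web):
    """Verdict for a landing page based on its (simulated) body text."""
    _, body = web.get(landing_url, ("page", ""))
    return "malicious" if any(m in body.lower() for m in PHISH_MARKERS) else "benign"


@dataclass
class NaiveScanner:
    """Caches the verdict under the URL exactly as it appears in the email."""
    web: dict
    ttl: int = 3600
    cache: dict = field(default_factory=dict)

    def scan(self, url, now):
        hit = self.cache.get(url)
        if hit and hit[1] > now:
            return hit[0]  # cached verdict served; redirect target is not re-examined
        verdict = classify(resolve(url, self.web)[-1], self.web)
        self.cache[url] = (verdict, now + self.ttl)
        return verdict


@dataclass
class HardenedScanner:
    """Re-resolves the redirect chain every time and caches under the landing URL."""
    web: dict
    ttl: int = 3600
    cache: dict = field(default_factory=dict)

    def scan(self, url, now):
        landing = resolve(url, self.web)[-1]
        hit = self.cache.get(landing)
        if hit and hit[1] > now:
            return hit[0]
        verdict = classify(landing, self.web)
        self.cache[landing] = (verdict, now + self.ttl)
        return verdict


def run_attack(scanner_cls):
    """Replay the two-phase attack against a scanner class; return (first, second) verdicts."""
    web = dict(WEB)
    scanner = scanner_cls(web)
    cta = "https://cta.example-tracker.test/go"
    first = scanner.scan(cta, now=0)  # phase 1: vendor scans the benign version
    # phase 2: attacker flips the CTA redirect to the phishing page
    web[cta] = ("redirect", "https://login-verify.example-phish.test/")
    second = scanner.scan(cta, now=60)  # email delivered / recipient clicks, within the TTL
    return first, second


if __name__ == "__main__":
    print("naive   :", run_attack(NaiveScanner))     # ('benign', 'benign')
    print("hardened:", run_attack(HardenedScanner))  # ('benign', 'malicious')
```

Caching under the landing URL defeats the redirect flip shown here, but not an attacker who keeps the landing URL fixed and swaps its content after the scan; the more general defence is a time-of-click re-scan (or a very short TTL for URLs that go through a redirector), since the verdict that matters is the one at the moment the recipient clicks.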
“With the benign verdict, the email arrives easily in the victim's inbox,” said security researchers Sushant Kumar Arya, Daksh Kapur and Rohan Shah. “Now, if the unknowing recipient decides to open the email and click on the link/button within the CTA URL, they will be redirected to the malicious page.”