Warning: Thread Hijacking Attack Targets IT Networks, Stealing NTLM Hashes

March 5, 2024 at 05:46AM

The TA577 threat actor uses ZIP archive attachments in phishing emails to obtain NTLM hashes, which support sensitive information gathering and follow-on activity. The phishing waves, delivered on Feb 26 and 27, 2024, targeted hundreds of organizations worldwide using a thread hijacking technique. The actor aims to capture NTLMv2 Challenge/Response pairs for unauthorized access to valuable data.

The threat actor known as TA577 poses a significant security threat. TA577 has been observed using ZIP archive attachments in phishing emails with the goal of stealing NT LAN Manager (NTLM) hashes. These phishing attacks have been part of at least two campaigns targeting hundreds of organizations across the world. The attackers used techniques such as thread hijacking to increase the likelihood of success.

The ZIP attachments come with an HTML file designed to contact an actor-controlled Server Message Block (SMB) server. The objective of TA577 is to capture NTLMv2 Challenge/Response pairs from the SMB server. With these hashes, the attackers could perform pass-the-hash (PtH) type attacks, enabling them to move through a network and gain unauthorized access to valuable data.

TA577, also known as Water Curupira, is described as one of the most sophisticated cybercrime groups, showing a high degree of awareness of the shifts in the cyber threat landscape. The group rapidly adopts and distributes new tactics, techniques, and procedures (TTPs) to bypass detection and drop a variety of payloads.

Organizations are advised to block outbound SMB to prevent exploitation. This information is critical for understanding the security threat posed by TA577 and for taking the necessary precautions to protect valuable data and systems.
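As a mail-gateway complement to blocking outbound SMB, the following added example (not code from the article or from any vendor) scans a ZIP attachment's HTML members for references to SMB hosts outside the organization. It assumes the reference appears as a `file://` URL or UNC path; the internal ranges, the `.corp.example` suffix and all sample hosts are hypothetical, constructed values.

```python
import io
import ipaddress
import re
import zipfile

# Matches file://host/... and \\host\...; file:///C:/... has no host and is skipped.
REMOTE_REF = re.compile(r"(?:file://|\\\\)([A-Za-z0-9][A-Za-z0-9.\-]*)[/\\]", re.I)
# Assumptions: address ranges and DNS suffix this organization treats as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
INTERNAL_SUFFIXES = (".corp.example",)
MAX_MEMBER_BYTES = 5_000_000  # do not inflate oversized members

def is_external(host):
    """True when host is outside the internal ranges and suffixes."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        h = host.lower()
        # Single-label names (no dot) resolve inside the local network.
        return "." in h and not h.endswith(INTERNAL_SUFFIXES)
    return not any(ip in net for net in INTERNAL_NETS)

def scan_zip(data):
    """Return (member, host) for each external SMB reference in HTML members."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.lower().endswith((".html", ".htm")):
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            hits += [(name, h) for h in REMOTE_REF.findall(text) if is_external(h)]
    return hits

def build_sample():
    """Constructed archive; hosts are documentation-reserved placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("reply.html", '<a href="file://203.0.113.10/share/doc.txt">a</a>'
                                  r'<a href="\\smb.unknown-host.example\s\f">b</a>')
        zf.writestr("intranet.htm", '<a href="file://fs01.corp.example/p/">c</a>'
                                    r'<a href="\\fs01\public\x">d</a>'
                                    '<a href="file:///C:/Users/Public/r.txt">e</a>')
        zf.writestr("notes.txt", "file://198.51.100.7/x/")
    return buf.getvalue()

if __name__ == "__main__":
    for member, host in scan_zip(build_sample()):
        print(f"{member}: external SMB reference to {host}")
```

A hit is a reason to quarantine the message for review; the egress block on outbound SMB remains the control that stops the hash from leaving the network.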
