January 19, 2024 at 10:03PM
TA866, a threat actor, has returned after a hiatus, launching a large phishing campaign to distribute malware such as WasabiSeed and Screenshotter. The campaign targeted North America with PDFs containing OneDrive URLs that initiate a multi-step infection chain. Other actors, such as TA571, are involved in spam email campaigns to distribute various types of malware.
Summary of Meeting Notes:
– TA866, a threat actor, has returned after a nine-month hiatus with a new large-volume phishing campaign to deliver known malware families such as WasabiSeed and Screenshotter.
– The campaign involves sending thousands of invoice-themed emails bearing decoy PDF files containing OneDrive URLs that lead to a malware payload.
– TA866 is likely financially motivated: it uses Screenshotter as a reconnaissance tool to identify high-value targets, then deploys an AutoHotKey-based bot to drop the Rhadamanthys information stealer.
– There are overlaps between the activities of TA866 and Asylum Ambuscade, a crimeware group engaged in cyber espionage operations as revealed by Slovak cybersecurity firm ESET.
– The attack chain has evolved with the campaign now relying on a spam service provided by TA571 to distribute booby-trapped PDFs.
– TA571 is known for sending high-volume spam email campaigns delivering various malware including AsyncRAT, NetSupport RAT, IcedID, PikaBot, QakBot, and DarkGate.
– DarkGate, a malware sold as Malware-as-a-Service, has been observed being updated to evade detection by security researchers.
– TA866’s resurgence is observed alongside shipping-related phishing emails targeting the manufacturing sector to propagate malware like Agent Tesla and Formbook, particularly during holiday seasons.
– Attackers are using a new evasion tactic that abuses the caching mechanism of security products: a URL is first served as benign, so the scanner caches a clean verdict, and is later altered to deliver a malicious payload.
– These attacks have disproportionately targeted financial services, manufacturing, retail, and insurance verticals in Italy, the U.S., France, Australia, and India.