One Article Review

Home - The article:
Source ProofPoint
Identifier 8440209
Publication date 2024-01-18 05:00:52 (viewed: 2024-01-18 10:08:50)
Title Security Brief: TA866 Returns with a Large Email Campaign
Text

What happened

Proofpoint researchers identified the return of TA866 to email threat campaign data after a nine-month absence. On January 11, 2024, Proofpoint blocked a large-volume campaign consisting of several thousand emails targeting North America. Invoice-themed emails had attached PDFs with names such as “Document_[10 digits].pdf” and various subjects such as “Project achievements”.

The PDFs contained OneDrive URLs that, if clicked, initiated a multi-step infection chain eventually leading to the malware payload, a variant of the WasabiSeed and Screenshotter custom toolset.

Figure: Screenshot of an email with an attached PDF.

If the user clicked on the OneDrive URL inside the PDF, they were:

1. Served a JavaScript file hosted on OneDrive.
2. The JavaScript, if run by the user, downloaded and ran an MSI file.
3. The MSI file executed an embedded WasabiSeed VBS script.
4. The WasabiSeed VBS script then downloaded and executed a second MSI file and continued polling for additional payloads in a loop. The additional payloads are currently unknown.
5. Finally, the second MSI file contained components of the Screenshotter screenshot utility, which took a screenshot of the desktop and sent it to the C2.

Attack chain summary: Email > PDF > OneDrive URL > JavaScript > MSI / VBS (WasabiSeed) > MSI (Screenshotter).

The attack chain was similar to the last documented email campaign using this custom toolset, observed by Proofpoint on March 20, 2023. The similarities helped with attribution. Specifically, the TA571 spam service was similarly used, the WasabiSeed downloader remained almost the same, and the Screenshotter scripts and components remained almost the same. (Analyst Note: While Proofpoint did not initially associate the delivery TTPs with TA571 in our first publication on TA866, subsequent analysis attributed the malspam delivery of the 2023 campaigns to TA571, and the subsequent post-exploitation activity to TA866.)
One of the biggest changes in this campaign from the last observed activity was the use of a PDF attachment containing a OneDrive link, which was completely new. Previous campaigns used macro-enabled Publisher attachments or 404 TDS URLs directly in the email body.

Figure: Screenshot of the “TermServ.vbs” WasabiSeed script, whose purpose is to run an infinite loop that reaches out to the C2 server and attempts to download and run an MSI file (empty lines were removed from this script for readability).

Figure: Screenshot of “app.js”, one of the components of Screenshotter. This file runs “snap.exe”, a copy of the legitimate IrfanView executable (also included inside the MSI), to save a desktop screenshot as “gs.jpg”.

Figure: Screenshot of “index.js”, another Screenshotter component. This code is responsible for uploading the desktop screenshot “gs.jpg” to the C2 server.

Attribution

There are two threat actors involved in the observed campaign. Proofpoint tracks the distribution service used to deliver the malicious PDF as belonging to a threat actor known as TA571. TA571 is a spam distributor; this actor sends high-volume spam email campaigns to deliver and install a variety of malware for its cybercriminal customers.

Proofpoint tracks the post-exploitation tools, specifically the JavaScript, the MSI with WasabiSeed components, and the MSI with Screenshotter components, as belonging to TA866. TA866 is a threat actor previously documented by Proofpoint and colleagues in [1][2] and [3]. TA866 is known to engage in both crimeware and cyberespionage activity. This specific campaign appears financially motivated.

Proofpoint assesses that TA866 is an organized actor able to perform well-thought-out attacks at scale, based on its availability of custom tools and its ability and connections to purchase tools and services from other actors.
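As an added example (not code from the Proofpoint brief or its authors), a mail-gateway triage check for the lure traits described above: the “Document_[10 digits].pdf” attachment name and a OneDrive link inside the attached PDF. The OneDrive host names and the minimal PDF URI extraction are this example's assumptions, and the PDF fragment is a constructed sample.

```python
import re
from dataclasses import dataclass

# Lure traits from the brief: PDF attachment named "Document_<10 digits>.pdf"
# that carries a OneDrive link. Host names below are this example's assumption.
ATTACHMENT_RE = re.compile(r"^Document_\d{10}\.pdf$", re.IGNORECASE)
ONEDRIVE_HOSTS = ("onedrive.live.com", "1drv.ms")
# Naive extraction of /URI actions from raw PDF bytes (uncompressed objects only;
# a real gateway would use a PDF parser that also inflates object streams).
PDF_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


@dataclass
class Email:
    subject: str
    attachments: dict[str, bytes]  # filename -> raw attachment bytes


def pdf_urls(data: bytes) -> list[str]:
    """Return every URI action string found in the raw PDF bytes."""
    return [m.decode("latin-1", "replace") for m in PDF_URI_RE.findall(data)]


def is_onedrive(url: str) -> bool:
    m = re.match(r"https?://([^/?#]+)(?:[/?#]|$)", url, re.IGNORECASE)
    return bool(m) and m.group(1).lower() in ONEDRIVE_HOSTS


def triage(email: Email) -> list[str]:
    """List the campaign traits an email exhibits; an empty list means no match."""
    hits = []
    for name, data in email.attachments.items():
        if ATTACHMENT_RE.match(name):
            hits.append(f"attachment name pattern: {name}")
        if name.lower().endswith(".pdf"):
            for url in pdf_urls(data):
                if is_onedrive(url):
                    hits.append(f"OneDrive URL in {name}: {url}")
    return hits


# Constructed sample: a minimal PDF fragment with a link annotation, not a real file.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://onedrive.live.com/download?resid=EXAMPLE) >> >> endobj\n"
)

if __name__ == "__main__":
    lure = Email("Project achievements", {"Document_1234567890.pdf": SAMPLE_PDF})
    for hit in triage(lure):
        print(hit)
```

Two hits together (name pattern plus OneDrive link in the PDF) are what make the message worth holding for review; either alone is common in benign mail.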
Why it matters

The following are notable characteristics of TA866's return to email threat data:

TA866 email campaigns have been missing from the landscape for over nine months (although there are indications that the actor was meanwhile
Tags Spam Malware Tool Threat
The article does not appear to have been picked up after its publication.
The article does not appear to be a repost of an earlier one.