Introduction:
In the realm of cybersecurity, new threats constantly emerge, requiring organizations to stay vigilant and adapt their defense strategies. One such threat actor, known as TA866, has recently caught the attention of Proofpoint researchers. Over the course of several months, from October 2022 to January 2023, their activities have been closely monitored and analyzed. In this blog post, we delve into the key findings and campaign details surrounding TA866’s activities, shedding light on their tactics, motivations, and the potential impact on small and medium-sized businesses (SMBs).
Key Findings:
- Unveiling a New Threat Actor: Proofpoint’s dedicated team of researchers began tracking a previously unknown threat actor, designated as TA866. The discovery of TA866 occurred in October 2022, and their activities have continued into 2023. This threat actor exhibits a notable level of organization and sophistication, suggesting their capability to execute well-planned attacks on a large scale.
- Financial Motivations and Targeting: TA866’s activities are primarily motivated by financial gains. They strategically target organizations in the United States and Germany, aiming to access valuable information and credentials that can be monetized. SMBs, in particular, become attractive targets due to their perceived vulnerabilities and potentially valuable data.
- Customized Toolset: WasabiSeed and Screenshotter: TA866 employs a bespoke arsenal of tools to facilitate their malicious activities. Among these tools are WasabiSeed and Screenshotter, which play a crucial role in their attack chain. WasabiSeed enables the threat actor to analyze victim behavior through screenshots, providing valuable insights before deploying their primary tools, such as bots and stealers.
Campaign Details: TA866’s campaigns are characterized by a combination of sophisticated techniques and varied targeting. The initial threats are typically delivered through email, utilizing tactics such as attachments with macros (e.g., Publisher files) or URLs leading to malicious JavaScript files or PDFs. While the primary focus is on organizations in the United States, sporadic targeting of recipients in other countries, such as Germany, has also been observed.
The scale and frequency of TA866’s campaigns have evolved over time. Initially, the campaigns involved a limited number of emails and targeted specific companies. However, as the threat actor adapted their tactics to incorporate URLs, the scale of their operations expanded significantly. Campaigns now consist of thousands, or even tens of thousands, of emails and occur multiple times per week. Although the frequency of campaigns reduced in January 2023, the volume of emails continued to increase.
A Deep Dive into a Campaign: An in-depth analysis of a specific campaign conducted by TA866 on January 23-24, 2023, sheds light on their attack chain. Tens of thousands of email messages were sent, targeting over a thousand organizations in the United States and Germany. The emails employed various lures, including thread hijacking and a “check my presentation” pretext, with embedded malicious URLs initiating a multi-step attack.
Technical Analysis:
Upon clicking the malicious URL, the victim becomes entangled in the attack chain orchestrated by TA866. The URL leads to a Traffic Distribution System (TDS) that filters and redirects traffic to download a JavaScript file. When executed, this file downloads and runs an MSI package known as WasabiSeed. WasabiSeed, in turn, establishes persistence on the victim’s system, running an embedded VBS script and initiating the next stage of the attack.
The next component deployed by WasabiSeed is Screenshotter, which captures screenshots of the victim’s desktop and transmits them to a command and control (C2) server. The threat actor behind TA866 manually reviews these screenshots during their working hours, using them to make informed decisions on further actions. Additional payloads, such as the AHK Bot and Rhadamanthys Stealer, may be deployed based on the threat actor’s assessment.
Unraveling the Infrastructure: TA866 employs a complex infrastructure to execute their campaigns. The URLs utilized in their attacks lead to a Traffic Distribution System (TDS), which filters and redirects traffic based on specific criteria, such as geography and browser information. The TDS used by TA866 has been actively tracked since at least September 2022, although its origin and availability remain uncertain.
TA866’s campaigns involve the registration and utilization of numerous domains, typically on the day of the campaign. These domains, previously registered, expired, and subsequently sold to the TDS operator, are part of the infrastructure facilitating their malicious activities.
Assessment and Attribution:
Proofpoint assesses with moderate confidence that the campaigns attributed to TA866 were carried out by this specific threat actor. The observed similarities in tactics, techniques, and procedures (TTPs) provide compelling evidence of a distinct actor. However, the possibility of multiple actors utilizing similar tools cannot be entirely ruled out, and attribution investigations are ongoing.
Implications for SMBs: The activities of TA866 pose significant risks to SMBs. Their financial motivations, combined with their targeting of organizations lacking extensive cybersecurity resources, make them a formidable adversary. SMBs must recognize the evolving threat landscape and prioritize robust security measures to safeguard their sensitive data and protect against potential compromises.
Conclusion:
TA866 represents a notable addition to the ever-evolving threat landscape. Their activities, marked by financial motivations and a customized toolset, present a clear and present danger to SMBs. By closely examining their tactics, researchers have gained valuable insights into their attack chain and infrastructure. SMBs must remain vigilant, continuously improving their security posture, and educating employees about potential threats to mitigate the risk posed by threat actors like TA866.