TA866, a threat actor previously identified by Proofpoint, has reappeared after a nine-month hiatus with a new large-scale phishing campaign aimed at delivering known malware families such as WasabiSeed and Screenshotter. The enterprise security firm uncovered the campaign earlier this month and was able to block it on January 11, 2024. The attack involved sending thousands of invoice-themed emails specifically targeting North America with decoy PDF files.
The PDFs contained OneDrive URLs that, if clicked, triggered a multi-step infection chain ultimately leading to the malware payload. This variant of the WasabiSeed and Screenshotter custom toolset has been linked to TA866, which was first documented by Proofpoint in February 2023 in a campaign named Screentime that distributed WasabiSeed. WasabiSeed is a Visual Basic script dropper used to download Screenshotter, which is capable of taking screenshots of the victim’s desktop at regular intervals and sending the data to an actor-controlled domain.
There are indications that TA866 may be financially motivated, as Screenshotter is used as a recon tool to identify high-value targets and deploy an AutoHotKey (AHK)-based bot to drop the Rhadamanthys information stealer. ESET, a Slovak cybersecurity firm, discovered overlaps between TA866’s Screentime campaign and a group known as Asylum Ambuscade, a crimeware group engaged in cyber espionage operations since at least 2020.
The latest attack chain remains largely unchanged, aside from the shift from macro-enabled Publisher attachments to PDFs with a rogue OneDrive link. TA571, a spam distributor, is providing the distribution service for the booby-trapped PDFs. TA571 has been known to send high-volume spam email campaigns to deliver and install a variety of malware for its cybercriminal customers, including AsyncRAT, NetSupport RAT, IcedID, PikaBot, QakBot, and DarkGate.
Splunk has detected multiple campaigns using a loader to initiate DarkGate on compromised endpoints. DarkGate, which first appeared in 2017, is sold as Malware-as-a-Service through underground forums, and continues to be updated by adding features and fixing bugs to evade detection.
The resurgence of TA866 comes as Cofense revealed that shipping-themed phishing emails primarily target the manufacturing sector to spread malware such as Agent Tesla and Formbook. Cofense security researcher Nathaniel Raymond highlighted that these types of emails tend to increase during the holiday seasons, with peak volumes occurring in June, October, and November.
Meanwhile, security researchers have also discovered a novel evasion tactic that leverages the caching mechanism of security products to bypass detection. This tactic involves incorporating a Call To Action (CTA) URL in phishing messages that points to a trusted website. By caching a benign version of the attack vector and subsequently altering it to deliver a malicious payload, attackers are able to bypass security measures.
These attacks have primarily targeted financial services, manufacturing, retail, and insurance verticals in Italy, the U.S., France, Australia, and India. The attackers take advantage of the security vendors’ caching of a benign verdict for the CTA URL, subsequently altering the link to redirect to the intended phishing page.
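To make the cached-verdict problem in the two paragraphs above concrete, here is an added Python simulation (not from the article or any vendor's product) using constructed placeholder URLs: a scanner that caches a per-URL verdict with no expiry keeps returning the delivery-time answer after the redirect behind the CTA URL changes, while one that re-resolves the link at click time catches the swap.

```python
from dataclasses import dataclass, field

# Constructed, hypothetical URLs (".invalid" never resolves); KNOWN_BAD stands in for a
# blocklist or content classifier the scanner consults for the final landing page.
CTA_URL = "https://trusted.example.invalid/go/abc123"
BENIGN_PAGE = "https://trusted.example.invalid/docs"
PHISH_PAGE = "https://login-update.example.invalid/"
KNOWN_BAD = {PHISH_PAGE}


def classify(redirects: dict, url: str) -> str:
    """Follow the (operator-editable) redirect once and judge the landing page."""
    return "malicious" if redirects.get(url, url) in KNOWN_BAD else "benign"


@dataclass
class NaiveScanner:
    """Caches the verdict per CTA URL with no expiry and never re-resolves."""
    redirects: dict
    cache: dict = field(default_factory=dict)

    def verdict(self, url: str, now: int) -> str:
        if url not in self.cache:  # 'now' is ignored: the verdict never ages out
            self.cache[url] = classify(self.redirects, url)
        return self.cache[url]


@dataclass
class TimeOfClickScanner:
    """Caches with a short TTL and always re-resolves the redirect at click time."""
    redirects: dict
    ttl: int = 300  # seconds a cached verdict may be reused for delivery-time scans
    cache: dict = field(default_factory=dict)  # url -> (verdict, cached_at)

    def verdict(self, url: str, now: int, at_click: bool = False) -> str:
        hit = self.cache.get(url)
        if hit is not None and not at_click and now - hit[1] < self.ttl:
            return hit[0]
        result = classify(self.redirects, url)
        self.cache[url] = (result, now)
        return result


def run_scenario() -> dict:
    """Delivery-time scan sees a benign page; the redirect is swapped before the click."""
    redirects = {CTA_URL: BENIGN_PAGE}
    naive, toc = NaiveScanner(redirects), TimeOfClickScanner(redirects)
    delivery = (naive.verdict(CTA_URL, now=0), toc.verdict(CTA_URL, now=0))
    redirects[CTA_URL] = PHISH_PAGE  # the post-scan alteration the article describes
    click = (naive.verdict(CTA_URL, now=3600), toc.verdict(CTA_URL, now=3600, at_click=True))
    return {"delivery": delivery, "click": click}
```

The delivery-time verdicts agree; only the time-of-click scanner flags the altered link, which is why bounded cache lifetimes and click-time re-evaluation of rewritten links matter against this tactic.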
This new discovery underscores the ongoing efforts of threat actors to evade detection and security measures, posing a significant challenge for organizations and security vendors. The evolving tactics and techniques employed by these threat actors highlight the need for continued vigilance and proactive cybersecurity measures to mitigate the risk of cyber threats.