    TA866 deploys WasabiSeed and Screenshotter malware

    By techempire

    Invoice Phishing Alert

    The threat actor tracked as TA866 has resurfaced after a nine-month hiatus with a new large-scale phishing campaign that delivers known malware families such as WasabiSeed and Screenshotter.

    The campaign, observed earlier this month and blocked by Proofpoint on January 11, 2024, involved sending thousands of invoice-themed emails with decoy PDF attachments to recipients in North America.

    “These PDFs contain OneDrive URLs that, if clicked, initiate a multi-step infection chain that culminates in a malware payload that is a variant of the WasabiSeed and Screenshotter custom toolsets,” the enterprise security firm said.

    The company first documented TA866 in February 2023, attributing to it a campaign called Screentime that distributed WasabiSeed, a Visual Basic script dropper used to download Screenshotter, which periodically captures screenshots of the victim's desktop and sends them to a domain controlled by the actor.

    There is evidence that the actor may be financially motivated: Screenshotter acts as a reconnaissance tool to identify high-value targets for post-exploitation, after which an AutoHotKey (AHK)-based bot is deployed to ultimately drop the Rhadamanthys information stealer.


    A follow-up investigation in June 2023 by Slovak cybersecurity firm ESET found overlap between Screentime and another intrusion set called Asylum Ambuscade, a crimeware group active since at least 2020 that also engages in cyber espionage.

    The latest attack chain is virtually unchanged, except for a switch from macro-enabled Publisher attachments to PDFs containing malicious OneDrive links; the campaign relies on a spam service provided by TA571 to deliver the booby-trapped PDFs.


    “TA571 is a spammer that sends high-volume spam campaigns to spread and install a variety of malware for its cybercriminal clients,” said Proofpoint researcher Axel F.

    These include AsyncRAT, NetSupport RAT, IcedID, PikaBot, QakBot (also known as Qbot), and DarkGate, the last of which supports commands for information theft, cryptocurrency mining, and arbitrary program execution.

    “DarkGate first appeared in 2017 and was only sold as malware-as-a-service to a small number of attack groups through underground forums,” South Korean cybersecurity firm S2W said in an analysis of the malware this week.

    “DarkGate continues to be updated by adding features and fixing bugs based on analysis by security researchers and vendors,” which highlights the ongoing efforts by adversaries to implement anti-analysis techniques that bypass detection.

    News of TA866’s resurgence comes as Cofense revealed that transportation-related phishing emails mainly target the manufacturing industry, spreading malware such as Agent Tesla and Formbook.

    “There was an increase in shipping-themed emails during the holidays, albeit modestly,” said Cofense security researcher Nathaniel Raymond.


    “For the most part, annual trends indicate that these emails follow specific trends throughout the year, with varying volumes, with the most significant volumes occurring in June, October and November.”

    This development follows the discovery of a novel evasion tactic that abuses the verdict cache of security products: phishing messages sent to targeted individuals include a call-to-action (CTA) URL that initially points to a trusted website, so the message passes URL-filtering policies.


    “Their strategy consists of caching seemingly benign versions of attack vectors and then changing them to deliver malicious payloads,” Trellix said. The company said such attacks mainly targeted financial services, manufacturing, retail and insurance companies in Italy, the United States, France, Australia and India.

    When the security engine scans such a URL, it is marked as safe and the verdict is stored in its cache for a period of time. If the URL is encountered again within that period, it is not reprocessed; the cached result is served instead.

    Trellix notes that attackers exploit this quirk by waiting for security vendors to process the CTA URL and cache their conclusion, then changing the link so that it redirects to the intended phishing page.

    “Since the verdict is benign, the email reaches the victim’s inbox without any problems,” said security researchers Sushant Kumar Arya, Daksh Kapur and Rohan Shah. “Now, if the unsuspecting recipient decides to open the email and click the link/button in the CTA URL, they will be redirected to the malicious page.”
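A small simulation of the cache weakness Trellix describes, added here as an illustration and not taken from Trellix, Proofpoint or any vendor product. The URLs and the verdict table are constructed; the naive checker keys its cache on the entry URL, while the hardened checker re-resolves the link on every evaluation (including at click time) and keys the cache on the final destination.

```python
"""Toy model of a URL-verdict cache being defeated by a link that changes after scanning."""
import time

# Constructed sample "internet": a sender-controlled redirector and two destinations.
DESTINATIONS = {
    "https://cdn.example/benign-landing": "safe",
    "https://login-update.example/collect": "malicious",  # constructed phishing page
}
REDIRECTOR = {"https://cta.example/go": "https://cdn.example/benign-landing"}


def resolve(url):
    """Follow the redirector one hop to wherever it currently points."""
    return REDIRECTOR.get(url, url)


def classify(final_url):
    """Stand-in for the scanner's content/reputation analysis of a concrete page."""
    return DESTINATIONS.get(final_url, "unknown")


class VerdictCache:
    """Shared TTL cache; subclasses decide what the cache key is."""
    def __init__(self, ttl=3600, clock=time.time):
        self.ttl, self.clock, self.store = ttl, clock, {}

    def cached(self, key, compute):
        hit = self.store.get(key)
        if hit and self.clock() - hit[1] < self.ttl:
            return hit[0]                      # stale-but-valid verdict is served as-is
        verdict = compute()
        self.store[key] = (verdict, self.clock())
        return verdict


class NaiveChecker(VerdictCache):
    """Keys on the entry URL: once 'safe' is cached, the link is never looked at again."""
    def verdict(self, url):
        return self.cached(url, lambda: classify(resolve(url)))


class ClickTimeChecker(VerdictCache):
    """Hardened: re-resolve the redirect every time and cache only the final destination."""
    def verdict(self, url):
        final = resolve(url)
        return self.cached(final, lambda: classify(final))


def run_scenario(checker, url="https://cta.example/go"):
    """Return (verdict at delivery, verdict at click) after the sender flips the link."""
    at_delivery = checker.verdict(url)                         # redirector -> benign page
    REDIRECTOR[url] = "https://login-update.example/collect"   # link swapped post-scan
    at_click = checker.verdict(url)
    REDIRECTOR[url] = "https://cdn.example/benign-landing"     # reset for repeat runs
    return at_delivery, at_click
```

A delivery-time verdict that differs from the click-time verdict for the same message is itself a useful detection signal, since legitimate CTA links rarely change destination after the email is sent.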
