1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Dangerous TA866 malware returns with devious new phishing campaig

    From TechnologyDaily@1337:1/100 to All on Mon Jan 22 18:30:05 2024
    Dangerous TA866 malware returns with devious new phishing campaign

    Date:
    Mon, 22 Jan 2024 18:25:09 +0000

    Description:
    After months in absence, the notorious gang is back with a major phishing campaign.

    FULL STORY ======================================================================

    After a nine month hiatus, the infamous TA866 threat actor is back, a new report from cybersecurity researchers Proofpoint has claimed, having recently observed a large phishing campaign targeting people in North America.

    As per its report , Proofpoint says TA866 sent several thousand emails with subjects such as Project achievements, and similar.

    The emails carried a PDF attachment with names like Document_[10 digits].prf and similar. These documents contained a OneDrive URL which, if clicked, launched a multi-step infection chain that ultimately deployed a variant of the WasabiSeed malware . Organized actor

    This malware downloads and runs additional payloads, including the Screenshotter custom toolset. Screenshotter, as the name suggests, takes screenshots of the compromised desktop and sends them to the command &
    control (C2) server. Should the attackers like what they see on the screenshots, they would proceed to deliver additional payloads. The researchers are unsure which malware that would be, but said that in previous campaigns, the attackers dropped AHK Bot and Rhadamanthys Stealer.

    Proofpoint attributed the campaign to TA866 due to the similarities it had to another campaign by the threat actor, observed in March last year. In both examples, the researchers claim, the TA571 spam service was used, the WasabiSeed downloader was delivered, and the Screenshotter script was ultimately deployed. There are some notable changes compared to the March campaign, though. For example, the group decided to use PDF attachments with OneDrive links, which wasnt previously the case. Earlier campaigns used macro-enabled Publisher attachments, or 404 TDS URLs, directly in the email body.

    The researchers describe TA866 as an organized actor able to perform well thought-out attacks at scale, based on their availability of custom tools,
    and the ability to acquire additional tools from other threat actors (such as the spam tool from TA571). The group runs both crimeware and cyberespionage campaigns, the researchers further elaborated, saying that this specific campaign was financially motivated. The recipients of the phishing emails
    were not named. More from TechRadar Pro This new "custom" malware hits your device with specially-designed attacks Here's a list of the best firewalls around today These are the best endpoint security tools right now



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/dangerous-ta866-malware-returns-with-de vious-new-phishing-campaign


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)