After a nine-month hiatus, the infamous TA866 threat actor is back, a new report from cybersecurity researchers at Proofpoint claims, after the company recently observed a major phishing campaign targeting people in North America.
In its report, Proofpoint says TA866 sent “several thousand emails” with subjects such as “Project performance” and the like.
The emails carry a PDF attachment with a name like “Document_(10 digits).pdf”. These documents contain a OneDrive URL that, when clicked, initiates a multi-step infection chain that ultimately deploys a variant of the WasabiSeed malware.
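The two lure traits described above (an attachment named “Document_” plus ten digits with a .pdf suffix, and a OneDrive link inside that PDF) can be turned into a simple mail-gateway triage check. The code below is an added example, not from Proofpoint's report; the OneDrive host list, the message record format and the sample messages are all assumptions constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Attachment naming seen in the campaign: "Document_" + exactly ten digits + ".pdf"
ATTACHMENT_NAME = re.compile(r"^Document_\d{10}\.pdf$", re.IGNORECASE)
# Hosts a OneDrive share link resolves to (assumed list, not taken from the report)
ONEDRIVE_HOSTS = {"onedrive.live.com", "1drv.ms"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def onedrive_links(text):
    """Return the URLs in extracted PDF text whose host is a OneDrive domain."""
    found = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in ONEDRIVE_HOSTS:
            found.append(url)
    return found


def triage(message):
    """Return the lure indicators matched by one mail record.

    Each attachment is a (filename, extracted text) pair. Either indicator alone
    is weak; both together reproduce the lure shape Proofpoint describes.
    """
    reasons = []
    for name, text in message["attachments"]:
        if ATTACHMENT_NAME.match(name):
            reasons.append(f"attachment name pattern: {name}")
        if name.lower().endswith(".pdf") and onedrive_links(text):
            reasons.append(f"OneDrive link inside PDF: {name}")
    return reasons


def high_confidence(messages):
    """Messages where both indicators fired and which deserve analyst review."""
    return [m for m in messages if len(triage(m)) >= 2]


SAMPLE_MESSAGES = [  # constructed records, not real campaign data
    {"subject": "Project performance",
     "attachments": [("Document_1234567890.pdf", "Open file: https://1drv.ms/u/s!constructed")]},
    {"subject": "Invoice",
     "attachments": [("invoice.pdf", "Pay at https://example.com/pay")]},
    {"subject": "Project performance",
     "attachments": [("Document_12345.pdf", "See https://onedrive.live.com/?id=constructed")]},
]
```

The third sample message shows why both indicators are combined: a OneDrive link alone is common in legitimate mail, so only the first message is escalated.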
Organized actor
This malware downloads and executes additional payloads, including the custom toolset Screenshotter. Screenshotter, as the name suggests, takes screenshots of the affected desktop and sends them to the command & control (C2) server. Should the attackers like what they see in the screenshots, they would continue to deliver additional payloads. The researchers aren’t sure what malware that would be, but said the attackers had dropped AHK Bot and Rhadamanthys Stealer in previous campaigns.
Proofpoint attributed the campaign to TA866 because of its similarities to another campaign by the threat actor, observed in March last year. In both cases, the researchers claim, the TA571 spam service was used, the WasabiSeed downloader was delivered, and the Screenshotter script was ultimately deployed. However, there are some notable changes from the March campaign. For example, the group now uses PDF attachments with OneDrive links, which it had not done before. Previous campaigns used macro-enabled Publisher attachments, or 404 TDS URLs placed directly in the email body.
The researchers describe TA866 as an “organized actor capable of executing well-thought-out attacks at scale,” based on its access to custom tools and its ability to acquire additional tools from other threat actors (such as TA571’s spam service). The group conducts both crimeware and cyber espionage campaigns, the researchers further explained, adding that this particular campaign was financially motivated. The recipients of the phishing emails have not been named.