After a nine-month hiatus, the infamous TA866 threat actor is back, a new report from cybersecurity researchers Proofpoint claims, having recently observed a large phishing campaign targeting people in North America.
According to its report, Proofpoint says TA866 sent “several thousand emails” with topics like “Project Accomplishments” and the like.
The emails had an attached PDF file with names like “Document_[10 digits].prf” and similar. These documents contained a OneDrive URL that, when clicked, initiated a multi-step infection chain that ultimately deployed a variant of the WasabiSeed malware.
Organized actor
This malware downloads and executes additional payloads, including the custom Screenshotter toolset. Screenshotter, as the name suggests, takes screenshots of the compromised desktop and sends them to the command and control (C2) server. If the attackers like what they see in the screenshots, they proceed to deliver additional payloads. The researchers aren't sure which malware that would be, but they said that in previous campaigns, attackers removed AHK Bot and Rhadamanthys Stealer.
Proofpoint attributed the campaign to TA866 due to its similarities to another campaign from the threat actor, observed in March of last year. In both cases, the researchers claim, the TA571 spam service was used, the WasabiSeed downloader was delivered, and finally the Screenshotter script was deployed. However, there are some notable changes compared to the March campaign. For example, the group decided to use PDF attachments with OneDrive links, which was not the case before. Previous campaigns used macro-enabled Publisher attachments, or 404 TDS URLs placed directly in the email body.
Researchers describe TA866 as an “organized actor capable of conducting well-thought-out attacks at scale,” based on its access to custom tools and its ability to acquire additional tools from other threat actors (such as TA571's spam tool). The group runs both crimeware and cyberespionage campaigns, researchers explained, adding that this specific campaign was financially motivated. The recipients of the phishing emails were not identified.