TA866 Resurfaces in Targeted OneDrive Campaign
Cybersecurity researchers at Proofpoint have identified the resurgence of TA866 in email threat campaigns after a hiatus of nine months.
Writing in an advisory published today, the firm said it thwarted a large-scale campaign on January 11 involving several thousand emails primarily targeting North America.
The malicious emails, adopting an invoice-themed guise, were equipped with PDF attachments bearing filenames like “Document_[10 digits].pdf” and subjects related to “Project achievements.”
Upon opening these PDFs, users were directed through a multi-step infection chain facilitated by OneDrive URLs. Clicking on these URLs initiated a sequence involving JavaScript files, MSI files and WasabiSeed and Screenshotter custom tool sets, culminating in the deployment of a malware payload.
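The lure characteristics above (invoice-themed subjects, "Project achievements" wording, attachment names of the form Document_[10 digits].pdf, and OneDrive links inside the PDF) lend themselves to a simple mail-gateway triage rule. The following is an added example written for this article, not Proofpoint's detection logic; the sample messages are constructed, and the OneDrive host names it checks are an assumption, since the advisory only says "OneDrive URLs". URL extraction from the PDF body is assumed to have happened upstream.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Attachment naming reported for the campaign: Document_<10 digits>.pdf
FILENAME_RE = re.compile(r"^Document_\d{10}\.pdf$", re.IGNORECASE)

# Assumed OneDrive sharing hosts (the article does not list them).
ONEDRIVE_HOSTS = ("1drv.ms", "onedrive.live.com")


@dataclass
class Email:
    subject: str
    attachments: list      # attachment file names
    pdf_urls: list         # URLs already extracted from the PDF attachment(s)


def is_onedrive_url(url: str) -> bool:
    """True if the URL's host is, or is a subdomain of, an assumed OneDrive host."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in ONEDRIVE_HOSTS)


def score_email(email: Email) -> list:
    """Return the names of the campaign indicators the message matches."""
    hits = []
    if any(FILENAME_RE.match(name) for name in email.attachments):
        hits.append("attachment_name_pattern")
    subject = email.subject.lower()
    if "project achievements" in subject:
        hits.append("subject_project_achievements")
    if "invoice" in subject:
        hits.append("invoice_theme")
    if any(is_onedrive_url(u) for u in email.pdf_urls):
        hits.append("onedrive_link_in_pdf")
    return hits


# Constructed sample messages: one mimicking the lure, one benign.
SAMPLES = [
    Email(
        subject="Invoice: Project achievements",
        attachments=["Document_1234567890.pdf"],
        pdf_urls=["https://1drv.ms/u/s!example-share-id"],  # constructed link
    ),
    Email(
        subject="Team lunch on Friday",
        attachments=["menu.pdf"],
        pdf_urls=["https://example.com/menu"],
    ),
]

if __name__ == "__main__":
    for e in SAMPLES:
        print(e.subject, "->", score_email(e) or "no indicators")
```

A message matching three or four indicators is worth quarantining for analyst review; a single hit (an invoice subject alone, say) is common in legitimate mail and should only raise a score, not block on its own.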
According to Proofpoint, the attack chain closely resembled a previous campaign documented by the company on March 20, 2023, allowing for attribution to TA571, a known spam distributor, and TA866.
As noted in the advisory, one notable change in this campaign was the use of PDF attachments containing OneDrive links. This is a departure from previous methods, which involved macro-enabled Publisher attachments or 404 TDS URLs.
Additionally, the post-exploitation tools, including JavaScript and MSIs with WasabiSeed and Screenshotter components, were attributed to TA866 – a threat actor engaged in both crimeware and cyber-espionage. This particular campaign displays signs of financial motivation.
“Threat actor TA866 is unique for their use of custom malware and commodity malware delivery services, as well as being associated with both e-crime and [APT] activity,” explained Selena Larson, senior threat intelligence analyst at Proofpoint.
“We had not seen TA866 in email threat data for around nine months, and their reappearance with a high-volume email campaign was notable. Their recent activity aligns with other cybercrime threat actors returning from typical end-of-year holiday breaks, indicating the overall threat activity is increasing as we move into 2024.”
Image credit: monticello / Shutterstock.com