TA866 Resurfaces in Targeted OneDrive Campaign
Cybersecurity researchers at Proofpoint have identified the resurgence of TA866 in email threat campaigns after a hiatus of nine months.
Writing in an advisory published today, the firm said it thwarted a large-scale campaign on January 11 involving several thousand emails primarily targeting North America.
The malicious emails, adopting an invoice-themed guise, were equipped with PDF attachments bearing filenames like “Document_[10 digits].pdf” and subjects related to “Project achievements.”
Upon opening these PDFs, users were directed through a multi-step infection chain facilitated by OneDrive URLs. Clicking on these URLs initiated a sequence involving JavaScript files, MSI files, and the WasabiSeed and Screenshotter custom tool sets, culminating in the deployment of a malware payload.
According to Proofpoint, the attack chain closely resembled a previous campaign documented by the company on March 20, 2023, allowing for attribution to TA571, a known spam distributor, and TA866.
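The lure characteristics reported above (invoice-themed subjects around "Project achievements", PDF attachments named "Document_[10 digits].pdf", and OneDrive links inside the PDF) translate directly into a triage rule a mail-gateway or SOC analyst could run over message metadata. The following script is an added illustration, not Proofpoint's code or detection content. It assumes the gateway has already extracted URLs from attachments into each record, and the OneDrive hostnames it checks (1drv.ms, onedrive.live.com) are an assumption, since the advisory only says "OneDrive URLs". The sample records are constructed, not real campaign data.

```python
import re
from urllib.parse import urlparse

# Constructed sample records, shaped like a mail gateway's per-message log.
# None of these values are real indicators from the campaign.
SAMPLE_EMAILS = [
    {"id": "m1", "subject": "Project achievements - Q4",
     "attachments": ["Document_4812093745.pdf"],
     "urls": ["https://1drv.ms/u/s!constructed-sample"]},
    {"id": "m2", "subject": "Project achievements",
     "attachments": ["Document_1234567890.pdf"],
     "urls": ["https://onedrive.live.com/download?id=constructed"]},
    {"id": "m3", "subject": "Weekly report",
     "attachments": ["report.pdf"],
     "urls": ["https://example.com/status"]},
    {"id": "m4", "subject": "Invoice",
     "attachments": ["Document_123.pdf"],      # wrong digit count: no match
     "urls": ["https://1drv.ms/u/s!constructed-other"]},
]

# Lure traits described in the advisory: Document_<10 digits>.pdf and a
# "Project achievements" subject. The hostname list is an assumption.
FILENAME_RE = re.compile(r"^Document_\d{10}\.pdf$", re.IGNORECASE)
SUBJECT_RE = re.compile(r"project achievements", re.IGNORECASE)
ONEDRIVE_HOSTS = ("1drv.ms", "onedrive.live.com")  # assumed OneDrive hosts


def _is_onedrive(url):
    """True if the URL's host is one of the assumed OneDrive hostnames."""
    host = (urlparse(url).hostname or "").lower()
    return host in ONEDRIVE_HOSTS


def score_email(msg):
    """Return the list of lure indicators present in one message record."""
    reasons = []
    if any(FILENAME_RE.match(name) for name in msg.get("attachments", [])):
        reasons.append("attachment name matches Document_<10 digits>.pdf")
    if SUBJECT_RE.search(msg.get("subject", "")):
        reasons.append("subject references 'Project achievements'")
    if any(_is_onedrive(u) for u in msg.get("urls", [])):
        reasons.append("OneDrive link extracted from message or attachment")
    return reasons


def triage(emails, min_indicators=2):
    """Flag messages showing at least `min_indicators` of the lure traits.

    Requiring two indicators keeps a lone OneDrive link (common in
    legitimate mail) from generating an alert on its own.
    """
    flagged = []
    for msg in emails:
        reasons = score_email(msg)
        if len(reasons) >= min_indicators:
            flagged.append((msg["id"], reasons))
    return flagged


if __name__ == "__main__":
    for msg_id, reasons in triage(SAMPLE_EMAILS):
        print(f"{msg_id}: {'; '.join(reasons)}")
```

The threshold of two indicators is a deliberate design choice: a OneDrive link alone is routine business traffic, and a ten-digit "Document_" filename alone can be produced by legitimate document systems, but the combination reported in the advisory is distinctive enough to route the message to a sandbox or analyst queue.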
As noted in the advisory, one notable change in this campaign was the use of PDF attachments containing OneDrive links. This is a departure from previous methods, which involved macro-enabled Publisher attachments or 404 TDS URLs.
Additionally, the post-exploitation tools, including JavaScript and MSIs with WasabiSeed and Screenshotter components, were attributed to TA866 – a threat actor engaged in both crimeware and cyber-espionage. This particular campaign displays signs of financial motivation.
“Threat actor TA866 is unique for their use of custom malware and commodity malware delivery services, as well as being associated with both e-crime and [APT] activity,” explained Selena Larson, senior threat intelligence analyst at Proofpoint.
“We had not seen TA866 in email threat data for around nine months, and their reappearance with a high-volume email campaign was notable. Their recent activity aligns with other cybercrime threat actors returning from typical end-of-year holiday breaks, indicating the overall threat activity is increasing as we move into 2024.”
Image credit: monticello / Shutterstock.com