TA866 Resurfaces in Targeted OneDrive Campaign


Cybersecurity researchers at Proofpoint have identified the resurgence of TA866 in email threat campaigns after a hiatus of nine months. 

Writing in an advisory published today, the firm said it thwarted a large-scale campaign on January 11 involving several thousand emails primarily targeting North America. 

The malicious emails, adopting an invoice-themed guise, were equipped with PDF attachments bearing filenames like “Document_[10 digits].pdf” and subjects related to “Project achievements.”

Upon opening these PDFs, users were directed through a multi-step infection chain facilitated by OneDrive URLs. Clicking on these URLs initiated a sequence involving JavaScript files, MSI files and WasabiSeed and Screenshotter custom tool sets, culminating in the deployment of a malware payload. 

According to Proofpoint, the attack chain closely resembled a previous campaign documented by the company on March 20 2023, allowing for attribution to TA571, a known spam distributor, and TA866.

Read more on TA866: New Threat Group Reviews Screenshots Before Striking

As noted in the advisory, one notable change in this campaign was the use of PDF attachments containing OneDrive links. This is a departure from previous methods, which involved macro-enabled Publisher attachments or 404 TDS URLs. 

Additionally, the post-exploitation tools, including JavaScript and MSIs with WasabiSeed and Screenshotter components, were attributed to TA866 – a threat actor engaged in both crimeware and cyber-espionage. This particular campaign displays signs of financial motivation.

“Threat actor TA866 is unique for their use of custom malware and commodity malware delivery services, as well as being associated with both e-crime and [APT] activity,” explained Selena Larson, senior threat intelligence analyst at Proofpoint.

“We had not seen TA866 in email threat data for around nine months, and their reappearance with a high-volume email campaign was notable. Their recent activity aligns with other cybercrime threat actors returning from typical end-of-year holiday breaks, indicating the overall threat activity is increasing as we move into 2024.”

Image credit: monticello / Shutterstock.com

Products You May Like

Leave a Reply

Your email address will not be published. Required fields are marked *