The TA866 cybercrime group, known for its phishing activity, has resumed malicious operations after a nine-month break, reports the information security company Proofpoint.
Recently, the attackers launched a large-scale campaign aimed at users in North America. As part of this campaign, thousands of phishing emails on the topics of invoices and finance are being distributed. The attached PDF files contain links to OneDrive that start a multi-stage infection chain, at the end of which malicious software is installed on the user's device.
The activities of the TA866 group were first documented in February 2023, when the attackers distributed the WasabiSeed and Screenshotter malware, capable of taking screenshots of the victim's device and sending them to a domain controlled by the attackers. These tools were actively used to collect intelligence and identify high-value targets for subsequent attacks.
Later, ESET discovered a link between TA866 and another group known as Asylum Ambuscade, which has been engaged in cyberespionage since 2020. The attack chain itself has hardly changed, except that Microsoft Publisher attachments with macros have been replaced by PDF files containing malicious OneDrive links. At the same time, the campaign relies on the spam service provided by TA571 to distribute the malicious PDF files.
Proofpoint researchers note that TA571 is a spam distributor that sends large volumes of phishing emails carrying various malware on behalf of its cybercriminal customers. For example, well-known threats such as AsyncRAT, NetSupport RAT, IcedID and others are distributed this way.
Analysts from Splunk also conducted research, identifying the use of malicious PDF files as carriers for installing DarkGate, a loader that was first discovered in 2017 and is now sold on underground forums under the malware-as-a-service (MaaS) model.