Invasion of Inboxes: TA866’s Malicious Email Onslaught Revealed

The cybercriminal group TA866, known for its phishing campaigns, has resumed operations after a nine-month hiatus, according to cybersecurity firm Proofpoint.

Recently, the hackers have launched a widespread campaign targeting users in North America. This campaign disseminates thousands of phishing emails concerning invoices and financial transactions. The attached PDF files contain links to OneDrive, initiating a multi-tiered infection chain that results in the installation of malicious software on the user’s device.
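A defender-side triage check for the attachment pattern described above, added here as an example and not code from the article or from Proofpoint: it scans an uncompressed PDF for link-annotation `/URI` entries and flags links whose host is a OneDrive sharing domain. The host list and the embedded sample PDF are constructed assumptions, not indicators from the report.

```python
import re
from urllib.parse import urlparse

# Assumption: illustrative OneDrive sharing hosts; extend from your own threat intel.
ONEDRIVE_HOSTS = ("onedrive.live.com", "1drv.ms")

# Matches literal-string URI actions: /URI (....) with PDF backslash escapes.
# Caveat: hex-string URIs (/URI <...>) and objects inside compressed object
# streams are not covered; decompress with a PDF library first for those.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uris(pdf_bytes: bytes) -> list:
    """Return decoded URI strings from literal-string /URI entries."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo \( \) \\ escapes
        uris.append(raw.decode("latin-1", errors="replace"))
    return uris


def is_onedrive(url: str) -> bool:
    """True when the URL's host is one of the OneDrive sharing domains."""
    host = (urlparse(url).hostname or "").lower()
    return host in ONEDRIVE_HOSTS


def triage_pdf(pdf_bytes: bytes) -> dict:
    """Summarise external links in a PDF and flag OneDrive-hosted ones for review."""
    uris = extract_uris(pdf_bytes)
    flagged = [u for u in uris if is_onedrive(u)]
    return {"uris": uris, "onedrive_links": flagged, "suspicious": bool(flagged)}


# Constructed minimal PDF with one link annotation; the URL is a placeholder.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (https://1drv.ms/u/s!EXAMPLE_PLACEHOLDER) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
```

A flagged result is a triage signal for mail-gateway or sandbox follow-up, not a verdict on its own, since legitimate invoices are also shared via OneDrive.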

TA866’s activities were first documented in February 2023, when the hackers were distributing the WasabiSeed and Screenshotter malware, capable of capturing screenshots of the victim’s device and transmitting them to a domain controlled by the perpetrators. These tools were actively used for intelligence gathering and for identifying high-value targets for subsequent attacks.

Later, ESET discovered a connection between TA866 campaigns and another group known as Asylum Ambuscade, which has been engaged in cyber espionage since 2020. The attack chain itself has remained largely unchanged, except that macro-enabled Microsoft Publisher attachments have been replaced by PDF files containing malicious OneDrive links. The campaign relies on a spam service provided by TA571 for the distribution of the malicious PDF files.

Proofpoint researchers indicate that TA571 is a spam distributor that sends a large volume of phishing emails carrying various malware on behalf of its cybercriminal clients. This service is used to disseminate well-known threats such as AsyncRAT, NetSupport RAT, IcedID, and others.

Analysts from Splunk have also conducted research revealing the use of malicious PDF files as carriers for installing DarkGate, a ransomware program first detected in 2017 and now sold on underground forums under the malware-as-a-service (MaaS) model.

Cofense, in its recent report, also noted phishing attacks targeting the delivery and manufacturing sectors, and Trellix uncovered a new evasion tactic in which criminals embed malicious code in phishing messages only after the messages have passed security checks.

Thus, TA866 and its affiliated groups pose a significant threat in the realm of cybersecurity, employing sophisticated methods and stratagems to achieve their destructive objectives.