The degree of email phishing increases: TA866 uses a new attack method

How WasabiSeed and Screenshot malware are becoming key tools for intelligence gathering.

Cybercrime group TA866, known for its phishing activities, resumed malicious activity after a nine-month break, according to the information security company Proofpoint.

Hackers recently launched a massive campaign targeting users in North America. This campaign distributes thousands of phishing emails related to accounts and finances. The attached PDF files contain links to OneDrive, which initiate a multi-stage chain of infection, resulting in malware being installed on the user's device.

The activity of the TA866 group was first documented in February 2023, when hackers spread the WasabiSeed and Screenshot viruses, which are capable of taking screenshots of the victim's device and sending them to a domain controlled by attackers. These tools were actively used to gather intelligence and identify high-value targets for subsequent attacks.

ESET discovered a link between the TA866 campaigns and another group known as Asylum Ambuscade, which has been engaged in cyber espionage since 2020. The attack chain itself has remained virtually unchanged, with the exception of replacing Microsoft Publisher macro-enabled attachments with PDFs with malicious OneDrive links. The campaign relies on a spam service provided by TA571 to distribute malicious PDF files.
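To give defenders something concrete from the chain described above (PDF attachment, link to OneDrive, multi-stage download), here is an added example, not part of the original post or of any vendor's tooling: a small Python script that parses a raw email, pulls the /URI link annotations out of each PDF attachment, and flags those pointing at OneDrive sharing hosts. The hostnames, the regex over uncompressed PDF objects, and the sample message are all assumptions made for this illustration; the sample PDFs and email are constructed in the script, not captured from the campaign.

```python
import email
import re
import urllib.parse
from email import policy
from email.message import EmailMessage

# Hostnames used for OneDrive sharing links (assumption: a minimal list; extend
# with whatever your mail gateway already tracks as file-sharing hosts).
ONEDRIVE_HOSTS = ("onedrive.live.com", "1drv.ms")

# Matches the /URI entry of a PDF link annotation. Only uncompressed objects are
# covered; a production scanner should first inflate object streams (for example
# with pikepdf), which is out of scope here.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def extract_pdf_uris(pdf_bytes):
    """Return every /URI string found in the raw PDF bytes."""
    return [m.decode("latin-1", "replace") for m in URI_RE.findall(pdf_bytes)]


def is_onedrive_link(url):
    """True when the URL's host is one of the OneDrive hosts or a subdomain of one."""
    host = (urllib.parse.urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in ONEDRIVE_HOSTS)


def scan_eml(raw):
    """Parse a raw RFC 5322 message and report PDF attachments carrying OneDrive links."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() != "application/pdf" and not name.lower().endswith(".pdf"):
            continue
        uris = extract_pdf_uris(part.get_payload(decode=True) or b"")
        findings.append({
            "filename": name,
            "uris": uris,
            "flagged": [u for u in uris if is_onedrive_link(u)],
        })
    return findings


def _tiny_pdf(link):
    """Constructed minimal PDF with a single link annotation (sample data, not a real lure)."""
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
        b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI ("
        + link.encode() + b") >> >> endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


def _build_sample_eml():
    """Constructed sample message: one lure-style PDF and one benign PDF."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice 1047 (constructed sample)"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(_tiny_pdf("https://1drv.ms/u/s!constructed-sample"),
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(_tiny_pdf("https://www.example.com/terms"),
                       maintype="application", subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


SAMPLE_EML = _build_sample_eml()

if __name__ == "__main__":
    for f in scan_eml(SAMPLE_EML):
        verdict = "SUSPICIOUS" if f["flagged"] else "ok"
        print(f"{f['filename']}: {verdict} {f['flagged']}")
```

Run it as-is to see the constructed invoice.pdf flagged and terms.pdf pass; point `scan_eml` at real `.eml` files from quarantine to triage them. A link to OneDrive is not malicious on its own, so treat the flag as a triage signal to combine with sender reputation and attachment history rather than as a verdict.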

Proofpoint researchers point out that TA571 is a spam distributor that sends out a large number of phishing emails with various viruses to its cybercriminal clients. This method is used to spread, for example, such well-known threats as AsyncRAT, NetSupport RAT, IcedID, and others.

Analysts from Splunk also conducted research revealing the use of malicious PDF files as a vehicle for installing DarkGate, a ransomware program first discovered in 2017 and now sold on underground forums under the MaaS (malware-as-a-service) model.

Cofense also reported phishing attacks related to the delivery and manufacturing sectors in a recent report, and Trellix identified a new security bypass tactic used by attackers who inject malicious code into phishing messages after they pass security checks.

Thus, TA866 and its associated groups pose a serious threat in the field of cybersecurity, using sophisticated methods and tricks to achieve their destructive goals.