Cybersecurity experts have detected the resurgence of TA576, a cybercriminal threat actor known for targeting accounting and finance organizations. Proofpoint researchers have identified a distinct attack chain, showcasing the actor’s evolution in tactics. In the latest campaigns observed, TA576 employs a compromised account with a reply-to address featuring a recently registered domain, providing a façade of legitimacy. The actor’s use of Living Off The Land Binaries, Scripts and Libraries (LOLBAS) techniques, coupled with a unique PowerShell execution sequence, sets this campaign apart. Notably, this marks the first time TA576 has delivered the elusive Parallax RAT.
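One way a mail pipeline could check for the reply-to pattern described above, shown as an added example that is not from Proofpoint or the original article. The 30-day threshold, the `registered_on` lookup (standing in for a WHOIS/RDAP enrichment step), and all addresses and domains are assumptions constructed for illustration.

```python
from datetime import date
from email import message_from_string
from email.utils import getaddresses

# Assumption: maximum domain age (days) still treated as "recently registered".
RECENT_DAYS = 30

def _domains(msg, header):
    """Return the lower-cased domains of every address in a header."""
    pairs = getaddresses(msg.get_all(header, []))
    return {addr.rsplit("@", 1)[1].lower() for _, addr in pairs if "@" in addr}

def reply_to_findings(raw_message, registered_on, today):
    """Flag Reply-To domains that differ from the From domain.

    registered_on maps domain -> registration date (hypothetical enrichment,
    e.g. an RDAP/WHOIS lookup done elsewhere). Returns a list of
    (domain, reason) tuples, sorted by domain.
    """
    msg = message_from_string(raw_message)
    from_domains = _domains(msg, "From")
    findings = []
    for dom in sorted(_domains(msg, "Reply-To") - from_domains):
        created = registered_on.get(dom)
        if created is None:
            findings.append((dom, "reply-to mismatch, registration date unknown"))
        elif (today - created).days <= RECENT_DAYS:
            findings.append((dom, "reply-to mismatch, recently registered"))
        else:
            findings.append((dom, "reply-to mismatch"))
    return findings

# Constructed sample message; all addresses and domains are invented.
SAMPLE = (
    "From: Jane Client <jane@known-customer.example>\n"
    "Reply-To: Jane Client <jane@new-lookalike.example>\n"
    "To: intake@accounting-firm.example\n"
    "Subject: Tax documents for review\n"
    "\n"
    "Please see the attached.\n"
)
SAMPLE_WHOIS = {"new-lookalike.example": date(2024, 3, 1)}

if __name__ == "__main__":
    for finding in reply_to_findings(SAMPLE, SAMPLE_WHOIS, date(2024, 3, 12)):
        print(finding)
```

The comparison is on exact domains, so a legitimate sender replying from a subdomain of its own domain would also be flagged and needs an allow-list or registrable-domain normalization in practice.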
Attributed to cybercriminal activities since 2018, TA576’s tax-themed campaigns are a recurrent menace during the U.S. tax season. The actor’s primary targets include accounting and financial entities, with occasional forays into related industries such as legal. The significance of TA576’s campaigns lies not only in their targeted nature but also in their role as a precursor to the adoption of similar themes by other threat actors. The cybersecurity community anticipates a surge in tax-themed attacks throughout April 2024, underscoring the need for heightened vigilance during this seasonal spike.