Cybersecurity experts are sounding the alarm as threat actor cmakes a comeback after a nine-month hiatus, launching a large-volume phishing campaign. The campaign, intercepted by Proofpoint on January 11, 2024, utilizes invoice-themed emails containing rogue OneDrive URLs in decoy PDFs. Clicking these links initiates a multi-step infection chain, ultimately deploying the WasabiSeed and Screenshotter malware families. TA866, known for its financial motivation, employs Screenshotter as a reconnaissance tool to identify high-value targets, paving the way for the deployment of an AutoHotKey-based bot and the Rhadamanthys information stealer.
The latest attack by TA866 remains reminiscent of its previous tactics, with the switch from macro-enabled Publisher attachments to PDFs housing rogue OneDrive links being the primary alteration. The phishing campaign leverages a spam service from TA571 to distribute these booby-trapped PDFs, showcasing the collaboration among threat actors. Notably, TA571 specializes in high-volume spam email campaigns, distributing various malware such as AsyncRAT, NetSupport RAT, IcedID, PikaBot, QakBot, and DarkGate. The latter, sold as Malware-as-a-Service, enables attackers to perform diverse commands, including information theft, cryptocurrency mining, and arbitrary program execution.
The resurgence of TA866 coincides with revelations from Cofense about shipping-related phishing emails targeting the manufacturing sector, spreading malware like Agent Tesla and Formbook. Additionally, a novel evasion tactic has been uncovered, exploiting security product caching mechanisms to deliver malicious payloads. By incorporating a Call To Action (CTA) URL pointing to a trusted website, attackers manipulate security product caching, ensuring the seemingly benign version gets marked as safe. This tactic has disproportionately affected financial services, manufacturing, retail, and insurance sectors globally, emphasizing the evolving and sophisticated nature of cyber threats.