Proofpoint researchers have identified the return of the TA866 group in email threat campaigns after a nine-month hiatus.
In a statement released today, the company reported that it had thwarted a massive campaign conducted on January 11th, targeting several thousand emails, primarily in North America.
The malicious emails took the form of invoices and carried PDF attachments named “Document_[10 digits].pdf”, with subjects such as “Project Achievements”.
Upon opening these PDF files, users were led into a multi-stage infection chain that began with OneDrive links. Clicking on these links initiated a sequence involving JavaScript files and MSI files, together with the tools WasabiSeed and Screenshotter, ultimately resulting in the installation of malicious software.
According to Proofpoint, the attack chain closely resembled a previous campaign documented by the company on March 20, 2023, allowing it to be attributed to the TA571 group, a known distributor of spam, as well as TA866.
As stated in the announcement, one significant change in this campaign was the use of PDF attachments containing OneDrive links. This deviated from previous methods, which included Publisher attachments with enabled macros or TDS 404 URLs.
Furthermore, the post-exploitation tools used, including JavaScript and MSI files with WasabiSeed and Screenshotter components, were attributed to the TA866 group – a threat actor involved in both criminal activity and cyber espionage. This specific campaign shows signs of financial motivation.
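The indicators Proofpoint describes for this campaign (an invoice-themed subject, a PDF named “Document_<10 digits>.pdf”, and a OneDrive link inside the PDF) can be combined into a simple triage rule over mail-gateway records. The code below is an added example, not Proofpoint's or TA866's tooling; the record fields and the sample rows are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Indicators taken from the campaign description above.
ATTACHMENT_RE = re.compile(r"^Document_\d{10}\.pdf$", re.IGNORECASE)
LURE_SUBJECT_RE = re.compile(r"project achievements|invoice", re.IGNORECASE)
ONEDRIVE_RE = re.compile(r"^https?://onedrive\.live\.com/", re.IGNORECASE)


@dataclass
class MailRecord:
    """One row of a hypothetical mail-gateway export (field names are assumptions)."""
    msg_id: str
    subject: str
    attachments: List[str]
    # URLs already extracted from the attached PDFs by the gateway's PDF parser.
    pdf_urls: List[str] = field(default_factory=list)


def match_indicators(rec: MailRecord) -> List[str]:
    """Return the campaign indicators present in one record, in a fixed order."""
    hits: List[str] = []
    if LURE_SUBJECT_RE.search(rec.subject):
        hits.append("lure_subject")
    if any(ATTACHMENT_RE.match(name) for name in rec.attachments):
        hits.append("document_10digit_pdf")
    if any(ONEDRIVE_RE.match(url) for url in rec.pdf_urls):
        hits.append("onedrive_link_in_pdf")
    return hits


def triage(records: List[MailRecord], min_hits: int = 2) -> Dict[str, List[str]]:
    """Flag records showing at least `min_hits` indicators.

    A single indicator (any OneDrive link, any invoice subject) is far too
    common in legitimate mail to act on alone, so the default requires two.
    """
    flagged: Dict[str, List[str]] = {}
    for rec in records:
        hits = match_indicators(rec)
        if len(hits) >= min_hits:
            flagged[rec.msg_id] = hits
    return flagged


# Constructed sample data, not real telemetry.
SAMPLE_RECORDS = [
    MailRecord("m1", "Project Achievements", ["Document_1234567890.pdf"],
               ["https://onedrive.live.com/?id=EXAMPLE"]),
    MailRecord("m2", "Weekly report", ["report.pdf"],
               ["https://onedrive.live.com/?id=EXAMPLE"]),
    MailRecord("m3", "Invoice", ["Document_12345.pdf"]),
]
```

Only `m1` is flagged with the default threshold; `m2` and `m3` each show a single indicator and stay below it.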
“TA866 is unique due to its use of custom malware and malicious file delivery services, as well as its association with electronic crime and [APT] activity,” explains Selena Larson, Senior Threat Analyst at Proofpoint.
“We hadn’t seen the TA866 group in email threat data for about nine months, and their return with a high-volume email campaign is noteworthy. Their recent activity aligns with the return of other cyber threat actors after the standard year-end hiatus, indicating an overall increase in threats as we transition into 2024.”
Cybersecurity is the field of security that deals with the protection of computer systems, networks, and data from cyberattacks.
The TA866 group is the name given to the group identified by Proofpoint researchers as a cyber threat actor involved in both criminal activity and cyber espionage.
Email threat campaigns are attempts to defraud by sending malicious emails containing malicious files or links that can infect computers or steal confidential information.
The campaign conducted by the TA866 group refers to the massive email campaign described above, targeting several thousand emails primarily in North America.
PDF attachments are PDF files that were attached to malicious emails in the campaign, taking the form of invoices and referring to “Project Achievements”.
OneDrive links are links generated as part of the campaign that redirected users to OneDrive pages where the infection sequence began.
JavaScript is a programming language used especially for creating dynamic web pages.
MSI (Microsoft Windows Installer) is a technology used in Windows systems for the installation, configuration, and removal of software.
WasabiSeed and Screenshotter are the post-exploitation tools used in this campaign, which have been attributed to the TA866 group.
The TA571 group is another cyber threat actor group that has been identified as a participant in this campaign.
Electronic crime refers to illegal activities conducted using electronic technologies, such as internet fraud or identity theft, to gain financial benefits.
APT (Advanced Persistent Threat) is a term used in cybersecurity, referring to a planned, advanced, and long-term campaign of cyberattacks, often conducted by state agencies or affiliated hacker groups.
OneDrive links – https://onedrive.live.com/
Malicious software – https://en.wikipedia.org/wiki/Malware