US and German organizations are being attacked with carefully designed malware built to steal confidential information. The threat activity cluster behind it is tracked as TA866.

What does it do?
Proofpoint researchers identified the malicious activity in October 2022. It was first seen against US firms, but the actors have recently moved on to German firms as well.
The early emails carried Publisher files and were limited to only a few firms. In December 2022, the email volume increased drastically, targeting many firms in the US and Germany with malicious attachments, primarily PDF files. Activity against Germany has increased since January 2023, affecting thousands of firms.
Anatomy of an attack
TA866 is believed to originate in Russia, and its tooling is said to be written by Russian speakers: the comments and other language indicators in the malware point to a Russian origin.
- The attack begins with a phishing email sent to the potential victim that likely uses thread hijacking and contains PDF documents laden with malicious URLs, Microsoft Publisher (.pub) attachments with malicious macros, or URLs pointing to malicious .pub files.
- When the URL is clicked or the macro inside the document is executed, the victim's system is compromised and the attack chain is initiated.
- It downloads custom malware called Screenshotter and WasabiSeed on the victim’s machine.
The attack is particularly problematic because the chain sometimes leads the user to the Rhadamanthys stealer, which is served through a cluster of spam sites and targets users' most sensitive information.
In addition, the AHK Bot is downloaded following the screenshot stage, and it takes complete control of the victim's documents and keyboard actions.
Concluding thoughts
TA866 targets organizations only, as its operators are interested in more sensitive information. The malware is well designed, combining custom and commodity tools so that it behaves like an established malware family. Companies need to follow a proactive approach, and management should train employees to recognize cyber security threats.