BEC and EAC

Security Brief: TA866 Returns with a Large Email Campaign 

Share with your network!

What happened 

Proofpoint researchers identified the return of TA866 to email threat campaign data, after a nine-month absence. On January 11, 2024, Proofpoint blocked a large volume campaign consisting of several thousand emails targeting North America. Invoice-themed emails had attached PDFs with names such as “Document_[10 digits].pdf” and various subjects such as “Project achievements”.  The PDFs contained OneDrive URLs that, if clicked, initiated a multi-step infection chain eventually leading to the malware payload, a variant of the WasabiSeed and Screenshotter custom toolset. 

Figure 1

Screenshot of an email with an attached PDF. 

If the user clicked on the OneDrive URL inside the PDF, they were: 

  • Served a JavaScript file hosted on OneDrive. 
  • The JavaScript, if run by the user, downloaded and ran an MSI file.  
  • The MSI file executed an embedded WasabiSeed VBS script. 
  • The WasabiSeed VBS script then downloaded and executed a second MSI file as well as continued polling for additional payloads in a loop. The additional payloads are currently unknown.  
  • Finally, the second MSI file contained components of the Screenshotter screenshot utility which took a screenshot of the desktop and sent it the C2. 

attack chain summary

Attack chain summary: Email > PDF > OneDrive URL > JavaScript > MSI / VBS (WasabiSeed) > MSI (Screenshotter).

The attack chain was similar to the last documented email campaign using this custom toolset observed by Proofpoint on March 20, 2023. The similarities helped with attribution. Specifically, TA571 spam service was similarly used, the WasabiSeed downloader remained almost the same, and the Screenshotter scripts and components remained almost the same. (Analyst Note: While Proofpoint did not initially associate the delivery TTPs with TA571 in our first publication on TA866, subsequent analysis attributed the malspam delivery of the 2023 campaigns to TA571, and subsequent post-exploitation activity to TA866.) 

One of the biggest changes in this campaign from the last observed activity was the use of a PDF attachment containing a OneDrive link, which was completely new. Previous campaigns typically used macro-enabled Publisher attachments or 404 TDS URLs directly in the email body. 

Figure 3

Screenshot of “TermServ.vbs” WasabiSeed script whose purpose is to execute an infinite loop, reaching out to C2 server and attempting to download and run an MSI file (empty lines were removed from this script for readability). 

Figure 4

Screenshot of “app.js”, one of the components of Screenshotter. This file runs “snap.exe”, a copy of legitimate IrfanView executable, (also included inside the MSI) to save a desktop screenshot as “gs.jpg”. 

Figure 5

Screenshot of “index.js”, another Screenshotter component. This code is responsible for uploading the desktop screenshot ”gs.jpg” to the C2 server. 

Attribution 

There are two threat actors involved in the observed campaign. Proofpoint tracks the distribution service used to deliver the malicious PDF as belonging to a threat actor known as TA571. TA571 is a spam distributor, and this actor sends high volume spam email campaigns to deliver and install a variety malware for their cybercriminal customers. 

Proofpoint tracks the post-exploitation tools, specifically the JavaScript, MSI with WasabiSeed components, and MSI with Screenshotter components as belonging to TA866. TA866 is a threat actor previously documented by Proofpoint and colleagues in [1][2] and [3]. TA866 is known to engage in both crimeware and cyberespionage activity. This specific campaign appears financially motivated. 

Proofpoint assesses that TA866 is an organized actor able to perform well thought-out attacks at scale based on their availability of custom tools, and ability and connections to purchase tools and services from other actors. 

Why it matters 

The following are notable characteristics of TA866’s return to email threat data: 

  • TA866 email campaigns have been missing from the landscape for over nine months (although there are indications that the actor was meanwhile using other distribution methods)  
  • This campaign comes at a time when Proofpoint is also observing other actors return from traditional end-of year holiday breaks, and thus the overall threat landscape activity increasing 
  • This campaign attempted to deliver WasabiSeed downloader and Screenshotter payloads. It is currently unknown what follow-on payload the actor would install if they were satisfied with the screenshots taken by the Screenshotter. In previous campaigns the actor has delivered AHK Bot and Rhadamanthys Stealer 
  • The evolution in the attack chain such as use of new PDF attachments is also notable. 

References 

[1] https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me 

[2] https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails 

[3] https://www.welivesecurity.com/2023/06/08/asylum-ambuscade-crimeware-or-cyberespionage/ 

Example Emerging Threats signatures 

2043239 - ET MALWARE WasabiSeed Backdoor Payload Request (GET) 

2852922 - ETPRO MALWARE Screenshotter Backdoor Sending Screenshot (POST)  

Indicators of compromise 

Indicator  

Description 

hxxps[:]//onedrive.live[.]com/download?resid=720FBFD017217E31%21118&authkey=!ACD7ldpnneZUBtc&a=[4 or more random letters] 

URL inside PDF 

bdb0b6f52b51d989c489c3605a1534c9603ffb7a373654f62fd6f3e3599341fb 

SHA256 of the Document.js hosted on the OneDrive URLs 

 hxxp[:]//37[.]1.212.198//md.msi 

JavaScript Downloading MSI 

8277dff37fb068c3590390ca1aa6b96fd8b4f93757d5070f68ee8894e37713b1 

SHA256 of ms.msi 

c9329007524b3da130c8635a226c8cbe3a4e803b813f5b2237ed976feb9d2c8d 

SHA256 of WasabiSeed script TermServ.vbs contained inside ms.msi  

hxxp[:]//193[.]233.133.179/[C: Drive Serial Number] 

WasabiSeed C2 

19938b8918b09852ee8d27a7cc2991ba2eb110f27ce25e70fffde932a74e6a6d 

SHA256 of MSI payload (Screenshotter) downloaded by WasabiSeed 

8b35b21b52780d39ea7832cb918533be7de5b6682cbeffe37797ba92a92aa368 

SHA256 of “index.js” Screenshotter component 

6e53a93fc2968d90891db6059bac49e975c09546e19a54f1f93fb01a21318fdc 

SHA256 of “snap.exe” Screenshotter component (legitimate IrfanView) 

aec5bf19e72ed577b0a02cffeb4f5cc713ab4478267ce348cf337b508f2fcade 

SHA256 of “app.js” Screenshotter component 

hxxp[:]//193[.]233.133.179:80/screenshot/[C: Drive Serial Number] 

Screenshotter C2