TA866 resurfaces in targeted OneDrive campaign


Cybersecurity researchers at Proofpoint have identified the resurgence of TA866 in email threat campaigns after a nine-month hiatus.

In an advisory published today, the company said it thwarted a large-scale campaign on January 11 involving several thousand emails primarily targeting North America.

The malicious emails, resembling an invoice, were accompanied by PDF attachments with file names such as “Document_(10 digits).pdf” and subjects related to “Project Accomplishments.”

When opening these PDF files, users were taken to a multi-step infection chain facilitated by OneDrive URLs. Clicking on these URLs triggered a sequence involving JavaScript files, MSI files, and custom WasabiSeed and Screenshotter toolsets, culminating in the deployment of a malware payload.

According to Proofpoint, the attack chain closely resembled a previous campaign the company documented on March 20, 2023, attributing it to TA571, a known spam distributor, and TA866.

Read more about TA866: New threat group reviews screenshots before striking

As shown in the board, a notable change in this campaign was the use of PDF attachments containing OneDrive links. This is a difference from previous methods, which involved macro-enabled Publisher attachments or 404 TDS URLs.

Additionally, post-exploitation tools, including JavaScript and MSIs with WasabiSeed and Screenshotter components, have been attributed to TA866, a malicious actor engaged in both crimeware and cyberespionage. This particular campaign shows signs of financial motivation.

“The TA866 threat actor is unique due to its use of custom malware delivery services and commodity malware, as well as its association with both electronic crime and activities (APT),” explained Selena Larson, Senior Threat Intelligence Analyst at Proofpoint.

“We hadn’t seen TA866 in email threat data for about nine months, and their reappearance in a high-volume email campaign was notable. Their recent activity aligns with that of other cyber actors returning from typical end-of-year vacations, indicating that overall threat activity is increasing as we approach 2024.”

Image credit: monticello / Shutterstock.com

Leave a comment