TA558, a financially motivated threat actor identified in 2018, is targeting several countries but with utmost priority in Latin America.
Over 320 attacks have been observed from this particular threat actor, which involve using various tools and malware and compromising legitimate FTP servers and SMTP Servers.
Among the 320 attacks, 45 of them were targeted on Mexico, 38 over Colombia and 26 over Chile.
The sectors of interest seem to be the Industrial sector (22%), Service sector (16%), and Public sector (16%).
In addition, the threat actor has also been using Steganography techniques with images and text files.
TA558 Hackers Compromised 320+ Organizations
The threat actor used the compromised SMTP servers to send phishing emails to victims and also utilized the same SMTP servers for C2 infrastructure.
Some of the SMTP servers used by this threat actor were found to have public directories that contained Malware logs of Stolen data.
Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by
other email security solutions. .
The log files contained combined logs of credentials from well-known browsers, email accounts, and remote access credentials.
Moreover, these credentials belonged to regular users, public institutions, and various businesses.
In the initial phases of the investigation, researchers discovered an XLAM file in a phishing email from a compromised SMTP server.
When the attachment is opened with Excel, an EXE file named “packedtpodododod.exe” was downloaded from a C2 URL using the Excel macros.
In addition, an RTF file was identified on the same C2 server alongside another EXE file, which is the exploit file for CVE-2017-11882.
When the final EXE file is downloaded and run, the final payload of the relevant malware, say AgentTesla, then uploads exfiltrated data to the C2 via FTP.
Further analysis revealed that the threat actor was using multiple malware families such as AgentTesla, Remcos, XWorm, LokiBot, Guloader, Formbook and SnakeKeylogger.
Attack Scenarios
Two attack scenarios were identified by the threat actor. One involves using an Excel document and steganography, and the other involves a Microsoft Word document.
Among these attack scenarios, the attack using an Excel document was the main scenario, which starts with a phishing email sent to the victim from the compromised SMTP server containing a malicious file “Cerere de cotatie.xla”.
When this file is opened, two requests are made to the C2 server for downloading a DOC and an RTF.
Once the RTF file is downloaded, another VBS file is downloaded from a paste[.]ee server.
Following this, the VBS file proceeds to download and decode two image files that contain a base64 encoded malicious string that points to the next-stage payload.
The VBS file contains a PowerShell script to decode this base64 encoded string and proceeds to download the next-stage payload.
Finally, the AgentTesla malware runs on the system which checks the execution environment.
Further, it also checks if the victim’s IP address is real. If these checks are successful, the malware proceeds to steal data from browsers, email clients, and remote access services and uploads it to the C2 server using FTP.
However, the second attack variant involving a Microsoft Word document has a similar methodology, but it does not use steganography techniques using images.
Instead, it directly downloads the AgentTesla malware using the RTF document.
Other variants of the attacks using Remcos, LokiBot, FormBook, Guloader, Snake Keylogger, and XWorm also use the first attack scenario for downloading and executing the malware on the victim system.
Nevertheless, the C2 and download servers differ for every malware and attack variant.
On further investigation, the FTP servers used by the threat actors belonged to legitimate websites that were also compromised for using them as C2 servers for data exfiltration.
There were also several legitimate companies with thousands of followers on social media.
Furthermore, the indicators of compromise can be viewed on the research blog published by Positive Technologies.
Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.