TA4903 is a financially motivated cybercriminal threat actor who impersonates both US government institutions and private businesses across a wide range of industries.
The actor mostly targets organizations in the United States, and occasionally organizations elsewhere, through high-volume email campaigns.
The campaigns aim to obtain corporate credentials, compromise mailboxes, and carry out follow-on business email compromise (BEC) activity.
Proofpoint researchers noticed an upsurge in credential phishing and fraud attempts employing various TA4903 themes from mid-2023 into 2024.
The actor began spoofing small and medium-sized enterprises (SMBs) across a range of sectors, including manufacturing, energy, finance, food and beverage, and construction.
BEC themes also grew rapidly, with lures such as “cyberattacks” used to entice victims into disclosing their banking and payment information.
“The actor’s recent BEC campaigns that move away from government spoofing and instead purport to be from small and medium-sized businesses have become more frequent”, Proofpoint shared with Cyber Security News.
Tactics, Techniques, and Procedures (TTPs) Associated with TA4903
TA4903 has been known to carry out credential theft campaigns using PDF attachments that lead to portals impersonating U.S. government agencies. The lures usually reference bid proposals.
Late in 2023, TA4903 started impersonating the USDA and adding QR codes to its PDFs, a tactic this actor had not previously used.
In 2023, new tactics, techniques, and procedures included lure themes referencing confidential documents, ACH payments, and secure messages, delivered via URLs, HTML attachments, or zipped HTML attachments.
The HTML files inside these ZIP attachments contained URLs pointing to a fake Microsoft O365 login page built to harvest usernames and passwords.
Throughout 2023, TA4903 was observed using EvilProxy, a reverse-proxy multifactor authentication bypass toolkit; its use declined late in the year, and as of 2024 it has not been observed at all.
Proofpoint has seen multiple cases of BEC campaigns that are specifically designed to attempt invoice fraud.
Lookalike domains and reply-to manipulation are typically used in these campaigns to trick the receivers.
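A defender-side check for the two tricks just mentioned, as an added example that is not Proofpoint's or the article's own code: it parses a message's From and Reply-To headers, flags a Reply-To domain that differs from the From domain, and flags any domain that is a confusable-glyph or near-spelling lookalike of a trusted partner domain. The sample message, the trusted-domain list and every domain in it are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every domain here is hypothetical.
SAMPLE_MSG = """From: Accounts Payable <ap@acme-supply.com>
Reply-To: Accounts Payable <ap@acme-suppIy.com>
To: finance@example.org
Subject: Updated ACH payment details
"""

# Domains the receiving organisation actually exchanges invoices with (hypothetical).
TRUSTED_DOMAINS = {"acme-supply.com", "example.org"}

# Glyphs commonly substituted for look-alike characters in registered domains.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o", "5": "s", "|": "l"})

def normalize(domain):
    # Map confusables first (case-sensitive), then lower-case, then fold "rn" to "m".
    return domain.translate(CONFUSABLES).lower().replace("rn", "m")

def edit_distance(a, b):
    # Plain Levenshtein distance; domains are short, so O(len(a)*len(b)) is fine.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, trusted=TRUSTED_DOMAINS):
    # A trusted domain is never a lookalike; anything else within two edits of one is.
    if domain.lower() in trusted:
        return False
    n = normalize(domain)
    return any(edit_distance(n, normalize(t)) <= 2 for t in trusted)

def check_message(raw, trusted=TRUSTED_DOMAINS):
    # Returns a list of findings; an empty list means nothing suspicious was seen.
    msg = message_from_string(raw)
    dom = lambda header: parseaddr(header)[1].rpartition("@")[2]
    from_dom, reply_dom = dom(msg.get("From", "")), dom(msg.get("Reply-To", ""))
    findings = []
    if reply_dom and reply_dom.lower() != from_dom.lower():
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for label, d in (("From", from_dom), ("Reply-To", reply_dom)):
        if d and is_lookalike(d, trusted):
            findings.append(f"{label} domain {d} is a lookalike of a trusted domain")
    return findings
```

Run `check_message(SAMPLE_MSG)` to see both findings fire on the sample; in practice the trusted set would come from the organisation's vendor master data rather than a literal.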
“With high confidence that the themes and targets for these campaigns are created with the information gathered from accounts compromised during prior credential phishing campaigns, typically targeting the original victim’s business partners and financial institutions”, researchers said.
Researchers concluded that these campaigns operate at a faster tempo than the actor's earlier government spoofing and other credential theft activity.
The effectiveness of such campaigns may have driven the change in tactics, or it may be only a brief shift in the actor's TTPs as a whole.