Hackers often distribute malware in password-protected ZIP archives to evade detection by security software.
Encrypting the archive makes it harder for antivirus software to examine its contents, which lets the malware reach the target system undetected.
On October 11 and 18, 2023, cybersecurity researchers at Proofpoint discovered two malicious campaigns in which TA571 spread the Forked IcedID variant.
Together, the two campaigns sent more than 6,000 messages and impacted more than 1,200 clients globally across a variety of sectors.
Proofpoint's security experts are quite confident that TA571 infections pose a ransomware danger, since this threat group is a well-known spam distributor that sends emails with malware.
Technical analysis
The campaigns used thread hijacking in emails with 404 TDS URLs. These links led to password-protected zip archives, with the password provided in the email.
In addition, the recipient was verified through multiple checks before the archive was delivered.
The zip contained a VBS script that, when double-clicked, ran a Forked IcedID loader, which in turn led to the download of the IcedID bot. The Forked IcedID variant has been seen in only a few campaigns.
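A gateway-side check for the delivery format described above, as an added example (not Proofpoint's code). It relies on the fact that standard ZIP encryption protects file data but leaves the central directory readable, so member names and the per-entry encryption flag can be inspected without the password. The extension list, function names and the file name `invoice.vbs` are assumptions made for illustration.

```python
import io
import os
import zipfile

# Assumed policy list: extensions Windows opens with a script host or shell.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd", ".lnk"}
ENCRYPTED = 0x1  # bit 0 of the ZIP general-purpose flags marks an encrypted entry


def triage_zip(data: bytes) -> list:
    """Return script-type members and whether each one is encrypted.

    Only the central directory is parsed, so no password is required.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in SCRIPT_EXTS:
                findings.append({
                    "name": info.filename,
                    "encrypted": bool(info.flag_bits & ENCRYPTED),
                })
    return findings


def should_quarantine(data: bytes) -> bool:
    """Hold any archive that carries a script behind a password."""
    return any(f["encrypted"] for f in triage_zip(data))


def build_sample(member: str, encrypted: bool) -> bytes:
    """Constructed test archive with harmless placeholder content.

    Python's zipfile cannot write encrypted entries, so the encryption
    flag is set by hand in the local header (offset 6) and the central
    directory header (offset 8). The data itself stays unencrypted.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, b"placeholder content")
    raw = bytearray(buf.getvalue())
    if encrypted:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            raw[raw.find(signature) + flag_offset] |= ENCRYPTED
    return bytes(raw)


if __name__ == "__main__":
    print(triage_zip(build_sample("invoice.vbs", True)))
```

An encrypted archive with a script member is a triage signal for quarantine or analyst review, particularly when the message body also contains the password.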
In February 2023, cybersecurity analysts at Proofpoint discovered this variant. It removed banking functions, shifting focus from banking fraud to payload delivery and possibly favoring ransomware delivery.
TA571 often employs 404 TDS for malware delivery, and researchers have been tracking 404 TDS since September 2022.
In these campaigns, it’s been detected that threat actors delivered the following malware:-
A TDS routes web traffic through servers controlled by its operator and is exploited for malware delivery and phishing. 404 TDS is possibly shared with or sold to various actors, and Proofpoint has linked it to diverse campaigns.
Delivery of the Forked IcedID variant by TA571 is unusual, which is why Proofpoint sees TA571 as a sophisticated actor that uses intermediary “gates” for precise targeting and sandbox evasion.
Indicators of compromise