TA866 Group Linked to New WarmCookie Malware in Espionage Campaign


Cisco Talos reveals TA866’s (also known as Asylum Ambuscade) sophisticated tactics and its link to the new WarmCookie malware from the BadSpace family. Learn about the threat actor’s persistent attacks, sophisticated tactics, and the advanced tools used to compromise systems.

Cybersecurity researchers at Cisco Talos have revealed new information about the sophisticated operations of TA866, also known as Asylum Ambuscade, a threat actor known for its persistent and adaptable attack strategies. 

TA866 has been active since 2020, focusing on financially motivated malware campaigns and espionage. The group uses numerous tools and techniques, including commodity and custom-built ones as part of its attack.

The group has also adopted a calculated approach, seeking to maintain their presence in compromised environments, carefully assessing the situation, and deploying tools as needed to achieve their objectives.

The Infection Chain: A Multi-Stage Process

According to Cisco Talos’ investigation, TA866’s attacks involve a multi-stage infection chain, beginning with the delivery of a malicious JavaScript downloader, which acts as a gateway, retrieving subsequent payloads from attacker-controlled servers. These payloads often take the form of MSI packages, which contain malware such as WasabiSeed.  

WasabiSeed is a crucial downloader component in the infection chain, ensuring persistence by establishing itself on compromised systems using an LNK shortcut. It can continuously poll for additional payloads from attacker-controlled servers, allowing TA866 to deliver subsequent attack stages.

TA866 also uses the Screenshotter malware family to capture periodic screenshots of the infected system. These screenshots provide valuable insights into the victim’s activities and allow TA866 to identify sensitive information or potential targets for further exploitation.  

In addition, TA866 frequently deploys AHK Bot, a modular malware family that uses AutoHotKey scripts to perform various functions such as system enumeration, screenshot capture, domain identification, keystroke logging, credential theft, and more. AHK Bot’s modular nature allows TA866 to customize its capabilities based on the specific needs of each attack.

WarmCookie and TA866 Connection

Cisco Talos’ research also highlights connections between WarmCookie malware and TA866, including similar lure themes, overlapping infrastructure, the deployment of CSharp-Streamer-RAT, Cobalt Strike as a follow-on payload, and the use of programmatically generated SSL certificates.

WarmCookie, a notorious malware family also called BadSpace, emerged in April 2024 and has been distributed through malspam and malvertising campaigns. It serves as a backdoor, allowing threat actors long-term access to compromised systems. It offers a wide range of functions like payload deployment, file manipulation, command execution, screenshot collection, and persistence.

“We assess that WarmCookie was likely developed by the same threat actor(s) as Resident backdoor, a post-compromise implant previously deployed in intrusion activity that Cisco Talos attributes to TA866.”

Cisco Talos Research Team

Researchers also revealed how it is consistently used in invoice-related and job agency themes to lure victims to access hyperlinks in email bodies or attached documents like PDFs. A recent WarmCookie campaign used malspam and invoice lures to distribute malicious PDF attachments. These PDFs redirected victims to JavaScript downloaders on servers linked to the LandUpdates808 infrastructure.

Screenshot: Cisco Talos

TA866’s evolution highlights the complex challenges faced by organizations in defending against cyber threats. Organizations need to stay informed about the latest threat intelligence and implement advanced security measures to mitigate the risks posed by this advanced threat actor.

  1. Fake CAPTCHA Pages Spread Lumma Stealer Fileless Malware
  2. Chinese “ChamelGang” Uses Attacks for Disruption, Data Theft
  3. Octo2 Malware Uses Fake NordVPN, Chrome Apps in its Attacks
  4. Advanced Espionage Malware “Stealth Soldier” Hits Libyan Firms
  5. Fake ESET Emails Used to Target Israeli Firms with Wiper Malware





Source link