Notorious Threat Actor TA577 Evolves: Stealing Your Credentials, One Click at a Time

TA577 cybercrime group
Example message using thread hijacking containing a zipped attachment containing an HTML file

TA577, a prolific cybercrime group responsible for past Qbot campaigns and associated with Black Basta ransomware attacks, is demonstrating an alarming shift in tactics. Proofpoint’s latest analysis reveals they’ve added large-scale NTLM credential theft campaigns to their dangerous repertoire.

Example message using thread hijacking containing a zipped attachment containing an HTML file | Image: Proofpoint

Over two meticulously planned campaigns on the 26th and 27th of February 2024, TA577 unleashed tens of thousands of messages across hundreds of global organizations. TA577’s strategy is meticulous and deceptive:

  • Social Engineering Lure: Instead of generic blasts, the attack begins with emails masquerading as replies in existing email threads. This social engineering trick increases the chance of victims trusting the attached zip files, which contain the malicious HTML payload.
  • HTML Trap: These files, customized for each target, rely on a meta refresh redirect. Upon opening, your system is tricked into contacting a malicious SMB server controlled by TA577, automatically leaking your valuable NTLM hashes.
  • Credential Compromise: Impacket toolkits found on the SMB servers strongly suggest password cracking is the goal. These hashes, if cracked, give attackers the keys to move freely within your network or escalate privilege levels.

Proofpoint’s researchers, with high confidence, assert that these campaigns’ primary goal was not malware distribution but to filch NTLM authentication credentials. This assertion is supported by the discovery of artifacts on the SMB servers indicative of the open-source toolkit Impacket’s usage, a tool not commonly associated with standard SMB server operations. The presence of a default NTLM server challenge and GUID further corroborates the specialized nature of this attack.

The stolen NTLM hashes could be leveraged for password cracking, facilitating “Pass-The-Hash” attacks to navigate laterally within an organization’s network, unveiling a myriad of sensitive information. Despite the malicious HTML being delivered in a zip archive—a tactic to bypass certain email client protections—this campaign’s sophistication lies in its execution and the stealthy exfiltration of credentials.

TA577, known for its affiliation with the Qbot botnet and as an initial access broker (IAB), has historically been linked to ransomware infections like Black Basta and, more recently, to delivering Pikabot as an initial payload. The transition to stealing NTLM credentials marks a significant pivot in their modus operandi, reflecting the threat actor’s adaptability and keen understanding of the cyber threat landscape.