TA866 Returns: Proofpoint Thwarts Massive Email Campaign in North America

After a mysterious nine-month hiatus, the digital underworld witnessed the reemergence of TA866, a formidable threat in the realm of email-based cyber-attacks. This revelation came to light thanks to the researchers at Proofpoint, who, on January 11, 2024, intercepted a large-scale email campaign that specifically targeted North American users. What unfolded was a complex web of deception, leveraging seemingly innocuous invoice-themed emails with attached PDFs named “Document_[10 digits].pdf” and various luring subjects like “Project achievements”.

The campaign’s modus operandi was ingeniously simple yet alarmingly effective. The attached PDFs served as Trojan horses, each containing a OneDrive URL. When clicked, this URL triggered a multi-step infection chain, culminating in the deployment of a malware payload. This wasn’t just any malware; it was a variant of the WasabiSeed and Screenshotter custom toolset, known for its stealth and efficacy.

If the user clicked on the OneDrive URL inside the PDF, they were:

1. The user is served a JavaScript file hosted on OneDrive.
2. If executed, this JavaScript downloads and runs an MSI file.
3. This MSI file then executes an embedded WasabiSeed VBS script.
4. The script not only downloads and runs a second MSI file but also continually polls for additional, yet unknown payloads.
5. The final MSI file comprises components of the Screenshotter utility, which captures a screenshot of the user’s desktop and sends it back to the command and control center (C2).

This attack chain, summarized as “Email > PDF > OneDrive URL > JavaScript > MSI / VBS (WasabiSeed) > MSI (Screenshotter)”, echoes the last documented email campaign using this toolset observed by Proofpoint on March 20, 2023. The similarities in approach facilitated attribution to TA866.

One striking change in this campaign, compared to previous ones, was the use of a PDF attachment containing a OneDrive link – a novel tactic. Past campaigns predominantly utilized macro-enabled Publisher attachments or direct 404 TDS URLs in the email body.

The campaign’s complexity is heightened by the involvement of two distinct threat actors. TA571, identified as a spam distributor, is responsible for disseminating malicious PDFs. Meanwhile, TA866, a more sinister actor known for both crimeware and cyberespionage, handles the post-exploitation tools – the JavaScript, MSI with WasabiSeed components, and the Screenshotter components.

The resurgence of TA866 serves as a stark reminder of the dynamic and evolving nature of cyber threats. It underscores the need for constant vigilance and adaptive cybersecurity strategies.