
TAG-124’s high-level infrastructure setup (Source: Recorded Future)
Cybersecurity researchers at Insikt Group have uncovered a multi-layered traffic distribution system (TDS), dubbed TAG-124, which is being leveraged by some of the most notorious cybercriminal groups to distribute malware, phishing pages, and fake browser updates.
The TDS network comprises compromised WordPress websites, actor-controlled payload servers, and a sophisticated management system, allowing cybercriminals to dynamically route traffic to malicious content while evading detection.
“The operators behind TAG-124 show high levels of activity, frequently updating compromised WordPress sites, setting up new servers, and refining TDS-related conditional logic and infection techniques,” the report states.
TAG-124 operates by injecting malicious JavaScript code into compromised WordPress websites. When a user visits an infected site, the code redirects them to a malicious payload, often disguised as a required Google Chrome browser update. In some cases, this TDS has been observed using the ClickFix technique, which involves displaying a dialog box that instructs the user to execute a pre-copied command, leading to the download and execution of malware.
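Because the initial stage described above is an injected script in a compromised WordPress site, the first place a site owner can look for TAG-124-style compromise is the rendered HTML of their own pages. The following Python script is an added defender-side example, not code from the Recorded Future report or from this article: it parses a page, flags `<script src>` tags that load from hosts outside an allowlist, and flags inline scripts that carry common obfuscation traits (`eval`, `atob`, hex-escaped strings, client-side redirects). The sample footer, the `.invalid` hostname, and the allowlist are constructed for the example and are not indicators from the report.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from. Assumption for the example:
# a real audit would derive this list from the installed theme and plugins.
ALLOWED_HOSTS = {"cdnjs.cloudflare.com", "www.googletagmanager.com"}

# Inline-script traits worth a second look. None is malicious on its own;
# several together are typical of an obfuscated injected loader.
SUSPICIOUS_INLINE = [
    (re.compile(r"\beval\s*\("), "eval() call"),
    (re.compile(r"\batob\s*\("), "base64 decoding"),
    (re.compile(r"String\.fromCharCode"), "char-code string building"),
    (re.compile(r"document\.write\s*\("), "document.write()"),
    (re.compile(r"location\.(?:href|replace)\s*[=(]"), "client-side redirect"),
    (re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}"), "hex-escaped string literal"),
]


class ScriptCollector(HTMLParser):
    """Collects <script src=...> URLs and inline <script> bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf))


def audit_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of findings (dicts) for scripts that deserve review."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname  # None for relative (same-origin) paths
        if host and host not in allowed_hosts:
            findings.append({"kind": "external-script", "src": src,
                             "reasons": [f"third-party host not in allowlist: {host}"]})
    for body in parser.inline:
        reasons = [label for pat, label in SUSPICIOUS_INLINE if pat.search(body)]
        if reasons:
            findings.append({"kind": "inline-script",
                             "snippet": body.strip()[:60], "reasons": reasons})
    return findings


# Constructed sample: a theme footer as it might look after an injection.
# The third script tag and the obfuscated inline block are the planted parts.
SAMPLE_FOOTER = r"""
<footer class="site-footer">
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="//tds-loader.invalid/assets/update.js"></script>
<script>var _0xab=["\x6c\x6f\x63\x61\x74\x69\x6f\x6e"];eval(atob("Ly8gcGxhY2Vob2xkZXI="));</script>
<script>document.addEventListener("DOMContentLoaded",function(){console.log("theme ready");});</script>
</footer>
"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_FOOTER):
        print(f["kind"], f.get("src") or f.get("snippet"), "->", "; ".join(f["reasons"]))
```

Run it against the saved HTML of a few pages (the home page and a post page are enough to start, since injections usually sit in a shared theme file such as the footer), and compare the allowlist findings against what the theme and plugins are known to load. The inline-script heuristics are deliberately coarse; their job is to surface blocks for a human to read, not to classify them.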
The report highlights the high level of activity associated with TAG-124, noting that the operators frequently update compromised websites, add new servers, and refine their techniques to evade detection.
Insikt Group identified multiple threat actors using TAG-124, including the operators of Rhysida and Interlock ransomware, TA866/Asylum Ambuscade, SocGholish, D3F@CK Loader, TA582, and others. The Rhysida and Interlock ransomware operators, in particular, have been linked through various similarities in their tactics, tools, and code, and the shared use of TAG-124 further strengthens this connection.
The report also provides a detailed analysis of several specific instances of TAG-124 being used to deliver malware. For example, the Rhysida ransomware operators used this TDS to deliver CleanUpLoader, a malware loader that is often used to deploy ransomware. The Interlock ransomware operators also used TAG-124 to deliver CleanUpLoader, further linking the two ransomware families.
The report concludes that TAG-124 is a significant threat because of its widespread use and sophisticated infrastructure. Insikt Group expects TAG-124 to continue to evolve and attract new users, and to remain a significant presence in the threat landscape.