Dangerous TA866 malware returns with devious new phishing campaign

A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
(Image credit: weerapatkiatdumrong / Getty Images)

After a nine month hiatus, the infamous TA866 threat actor is back, a new report from cybersecurity researchers Proofpoint has claimed, having recently observed a large phishing campaign targeting people in North America.

As per its report, Proofpoint says TA866 sent “several thousand emails” with subjects such as “Project achievements”, and similar. 

The emails carried a PDF attachment with names like “Document_[10 digits].prf” and similar. These documents contained a OneDrive URL which, if clicked, launched a multi-step infection chain that ultimately deployed a variant of the WasabiSeed malware.

Organized actor

This malware downloads and runs additional payloads, including the Screenshotter custom toolset. Screenshotter, as the name suggests, takes screenshots of the compromised desktop and sends them to the command & control (C2) server. Should the attackers like what they see on the screenshots, they would proceed to deliver additional payloads. The researchers are unsure which malware that would be, but said that in previous campaigns, the attackers dropped AHK Bot and Rhadamanthys Stealer.

Proofpoint attributed the campaign to TA866 due to the similarities it had to another campaign by the threat actor, observed in March last year. In both examples, the researchers claim, the TA571 spam service was used, the WasabiSeed downloader was delivered, and the Screenshotter script was ultimately deployed. There are some notable changes compared to the March campaign, though. For example, the group decided to use PDF attachments with OneDrive links, which wasn’t previously the case. Earlier campaigns used macro-enabled Publisher attachments, or 404 TDS URLs, directly in the email body. 

The researchers describe TA866 as an “organized actor able to perform well thought-out attacks at scale”, based on their availability of custom tools, and the ability to acquire additional tools from other threat actors (such as the spam tool from TA571). The group runs both crimeware and cyberespionage campaigns, the researchers further elaborated, saying that this specific campaign was financially motivated. The recipients of the phishing emails were not named. 

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.