TA866 Resurfaces with New Large-Scale Invoice Phishing Campaign

After a hiatus of nine months, the threat actor known as TA866 has returned, launching an extensive phishing campaign aimed at delivering well-known malware strains such as WasabiSeed and Screenshotter. The campaign, which was observed in early January and thwarted on January 11, 2024, involved the dissemination of thousands of invoice-themed emails across North America, each containing decoy PDF files.

The PDFs, when opened, revealed OneDrive URLs that triggered a multi-step infection process, ultimately leading to the deployment of a variant of the WasabiSeed and Screenshotter custom toolset, according to insights from the enterprise security firm. TA866, initially documented in February 2023 during the Screentime campaign, utilizes WasabiSeed as a Visual Basic script dropper to download Screenshotter. The latter captures desktop screenshots at regular intervals and forwards them to a domain controlled by the threat actor.

Evidence suggests that TA866 may be financially motivated, as Screenshotter functions as a reconnaissance tool to identify high-value targets for subsequent exploitation. It also deploys an AutoHotKey (AHK)-based bot, ultimately delivering the Rhadamanthys information stealer.

In June 2023, a cybersecurity firm discovered overlaps between TA866's Screentime campaign and another intrusion set named Asylum Ambuscade, a crimeware group involved in cyber espionage since at least 2020.

The recent attack chain is largely unchanged apart from its delivery stage, which has shifted from macro-enabled Publisher attachments to PDFs containing rogue OneDrive links. The campaign leverages a spam service provided by TA571 to distribute the booby-trapped PDFs. TA571, identified as a spam distributor, conducts high-volume spam email campaigns to install various malware types for cybercriminal customers, including AsyncRAT, NetSupport RAT, IcedID, PikaBot, QakBot (aka Qbot), and DarkGate.

DarkGate, a malware first appearing in 2017 and sold as Malware-as-a-Service, enables attackers to perform various malicious activities such as information theft, cryptocurrency mining, and execution of arbitrary programs. Splunk has observed it in multiple recent campaigns, noting that DarkGate is delivered via malicious PDF files that act as carriers for MSI installers.

The resurgence of TA866 coincides with Cofense's revelation that shipping-related phishing emails, predominantly targeting the manufacturing sector, are spreading malware like Agent Tesla and Formbook. Furthermore, a novel evasion tactic has been identified that abuses the caching mechanisms of security products to bypass detection. The tactic embeds a Call To Action (CTA) URL pointing to a trusted website in phishing messages, exploiting security vendors' caching systems, and has disproportionately impacted the financial services, manufacturing, retail, and insurance sectors globally.

Protecting against phishing campaigns like TA866's involves employee education and robust email security measures. Conduct regular phishing awareness training to empower staff to recognize and report suspicious emails. Employ email filtering solutions to detect and block phishing attempts, and implement URL scanning tools to identify malicious links. Organizations should also leverage advanced threat intelligence to stay informed about emerging tactics employed by threat actors.
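The delivery stage described above (decoy invoice PDFs whose link annotations point at OneDrive URLs) is something a mail gateway or triage script can check for before a user ever opens the attachment. The following Python is an added example, not code from the original article or from any vendor named in it: it scans raw PDF bytes for `/URI` link actions and flags those whose host is a OneDrive sharing domain. The sample PDF and its share URL are constructed placeholders, not real indicators from the campaign.

```python
from __future__ import annotations
import re
from urllib.parse import urlparse

# Hosts Microsoft uses for OneDrive sharing links; used here as the
# "OneDrive URL" indicator the article describes for the decoy PDFs.
ONEDRIVE_HOSTS = ("onedrive.live.com", "1drv.ms")

# Literal-string form of a PDF URI action: /URI (https://...), with
# backslash escapes allowed inside the parentheses.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def _unescape_pdf_string(raw: bytes) -> str:
    """Undo the backslash escapes a PDF literal string may contain."""
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1", errors="replace")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI action target found in the raw bytes.

    This is a plain byte-level scan: it does not inflate compressed object
    streams, so a PDF that hides its actions inside /FlateDecode streams
    needs a real PDF parser in front of this check.
    """
    return [_unescape_pdf_string(m.group(1)) for m in _URI_RE.finditer(pdf_bytes)]


def classify_uris(uris: list[str]) -> dict[str, list[str]]:
    """Split link targets into OneDrive share links and everything else."""
    verdict: dict[str, list[str]] = {"onedrive": [], "other": []}
    for uri in uris:
        host = (urlparse(uri).hostname or "").lower()
        is_onedrive = any(host == h or host.endswith("." + h) for h in ONEDRIVE_HOSTS)
        verdict["onedrive" if is_onedrive else "other"].append(uri)
    return verdict


def triage_pdf(pdf_bytes: bytes) -> dict[str, list[str]]:
    """Convenience wrapper: extract and classify in one call."""
    return classify_uris(extract_uris(pdf_bytes))


# Constructed sample: a minimal one-page PDF whose only link annotation
# points at a made-up OneDrive share URL (placeholder, not a real indicator).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://onedrive.live.com/?id=PLACEHOLDER\\(invoice\\)) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

if __name__ == "__main__":
    for bucket, links in triage_pdf(SAMPLE_PDF).items():
        for link in links:
            print(f"{bucket}: {link}")
```

Any OneDrive hit in an unsolicited invoice attachment is a reason to quarantine the message for analyst review rather than deliver it; the "other" bucket is still worth logging, since the same PDF carrier technique works with any file-sharing host.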