TA422’s Dedicated Exploitation Loop—the Same Week After Week  | Proofpoint US

Proofpoint observed TA422 repeatedly exploiting patched vulnerabilities (notably CVE-2023-23397 and CVE-2023-38831) via phishing to capture NTLM credential hashes and deliver staged payloads. Campaigns used SMB/Responder listeners hosted on likely compromised Ubiquiti routers and redirect chains through Mockbin/InfinityFree to drop LNKs, sideloaded DLLs, and .cmd payloads. #TA422 #CVE-2023-23397

Keypoints

  • From March–November 2023 Proofpoint tracked TA422 using CVE-2023-23397 (Outlook/TNEF → NTLM leak) and CVE-2023-38831 (WinRAR RCE) in phishing campaigns against government, defense, aerospace, education, finance, manufacturing, and technology targets.
  • High-volume CVE-2023-23397 campaigns sent thousands of “Test Meeting” appointment emails with TNEF attachments referencing UNC paths that triggered NTLM authentication to attacker-controlled SMB listeners.
  • TA422 hosted SMB/Responder listeners on likely compromised Ubiquiti routers and used a Responder-style server (observed at hxxp://89.96.196[.]150:8080) to collect NTLM hashes via 401/WWW-Authenticate NTLM exchanges.
  • CVE-2023-38831 RAR attachments dropped .cmd files that modified proxy registry keys, downloaded lure documents, and beaconed to Responder servers; some variants used PowerShell to create RSA keys and SSH to remote hosts.
  • Multi-stage web delivery chains used Mockbin for browser fingerprinting and InfinityFree for geo-checks, delivering ZIPs that contained LNKs which sideloaded WindowsCodecs.dll to execute command.cmd and stage further callbacks.
  • Payload behavior included benign-looking displays (Europa PDF, fake Windows update progress) to mask background NTLM credential exfiltration and maintain stealth while beacons looped between Mockbin/Mocky/InfinityFree stages.
  • Proofpoint published numerous IOCs (UNC SMB shares, IPs, domains, file names and SHA256 hashes) tied to these campaigns and assessed TA422 likely continues exploiting disclosed vulnerabilities where targets remain unpatched.

MITRE Techniques

  • None – The article does not reference MITRE ATT&CK technique IDs or technique names explicitly; it describes exploitation via phishing attachments, SMB/NTLM credential capture, web redirect/fingerprinting, and payload sideloading without mapping to specific MITRE Txxxx identifiers.

Indicators of Compromise

  • [SMB Share] UNC path context – .UNC50.173.136[.]70melody.wav, .UNC50.173.136[.]70sharesound
  • [Email Subjects] phishing lure context – “Test Meeting”, “BRICS Summit— Deepening the Divide”
  • [IP / Responder Server] command-and-control / NTLM listener – hxxp://89.96.196[.]150:8080
  • [Malicious Domains] redirect/delivery hosts – downloadfile.infinityfreeapp[.]com, opendoc.infinityfreeapp[.]com
  • [Files exploiting CVE-2023-38831] attachment examples – brics_summit.rar.zip (e920461b…), bulletin.rar.zip (77cf5efd…), and 1 more hash
  • [Payload filenames & hashes] dropped/staged artifacts – CED_Policy_Backgrounder_BRICs_Summit_FINAL.pdf .cmd (6223cc22…), command.cmd (742ba041…), war.zip (ec64b053…), and several additional hashes

Proofpoint’s technical observations show two primary exploitation procedures. For CVE-2023-23397, TA422 sent TNEF appointment attachments that used fake extensions to hide a UNC path pointing to an SMB listener (hosted on a likely compromised Ubiquiti router). When vulnerable Outlook instances processed the TNEF attachment, they automatically initiated NTLM authentication to the UNC target, causing the client to send NTLM credential data (captured as Authorization headers) to the attacker-controlled SMB/Responder listener without user interaction; these campaigns included mass, repeated “Test Meeting” messages targeting prioritized accounts.
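A mail-gateway check for the CVE-2023-23397 pattern described above, as an added example (not Proofpoint's code): it looks for UNC paths in a TNEF attachment, in both 8-bit and UTF-16LE form, and alerts when the referenced host is outside the organisation. The TNEF blob is constructed; the RFC 1918 ranges and the `.corp.example` suffix are assumed allow-lists.

```python
import ipaddress
import re

TNEF_SIGNATURE = b"\x78\x9f\x3e\x22"          # 0x223E9F78, little-endian
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed TNEF-style blob: one external UNC path stored as an 8-bit string and
# one internal path stored UTF-16LE (MAPI string properties occur in both encodings).
# 50.173.136.70 is the address from the IOC list above; everything else is made up.
SAMPLE_TNEF = (
    TNEF_SIGNATURE + b"\x01\x00"                            # signature + key
    + b"\x01\x03\x90\x06\x00"                                # filler standing in for attribute headers
    + b"\\\\50.173.136.70\\melody.wav\x00"
    + "\\\\10.0.0.5\\share\\sound.wav".encode("utf-16-le")
)

# Match \\host\path in both narrow and wide (UTF-16LE) encodings.
UNC_ASCII = re.compile(rb"\\\\([A-Za-z0-9.\-_]+)\\([^\x00\"<>|\r\n]+)")
UNC_WIDE = re.compile(rb"\\\x00\\\x00((?:[A-Za-z0-9.\-_]\x00)+)\\\x00((?:[^\x00\"<>|\r\n]\x00)+)")

def extract_unc_paths(blob: bytes) -> list[tuple[str, str]]:
    """Return (host, path) pairs referenced anywhere in the attachment bytes."""
    hits = [(h.decode(), p.decode(errors="replace")) for h, p in UNC_ASCII.findall(blob)]
    hits += [(h.decode("utf-16-le"), p.decode("utf-16-le", errors="replace"))
             for h, p in UNC_WIDE.findall(blob)]
    return hits

def is_external(host: str, internal_nets=INTERNAL_NETS) -> bool:
    """IP literals are checked against the internal ranges; names against a hypothetical corp suffix."""
    try:
        return not any(ipaddress.ip_address(host) in net for net in internal_nets)
    except ValueError:
        return not host.lower().endswith(".corp.example")

def scan_attachment(blob: bytes) -> list[dict]:
    """Flag every UNC reference; an external host is the credential-leak condition."""
    if not blob.startswith(TNEF_SIGNATURE):
        return []                                   # not TNEF; other parsers apply
    findings = []
    for host, path in extract_unc_paths(blob):
        external = is_external(host)
        findings.append({"host": host, "path": path, "external": external,
                         "verdict": "alert" if external else "review"})
    return findings

if __name__ == "__main__":
    for finding in scan_attachment(SAMPLE_TNEF):
        print(finding)
```

Internal UNC references are still returned as "review" because a legitimate reminder sound on a file share looks identical at this level; only the destination host separates the two.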

For CVE-2023-38831, malicious RAR attachments exploited WinRAR RCE to drop .cmd files that adjusted proxy registry settings, downloaded lure documents, and beaconed to Responder-style servers. The .cmd initiated HTTP connections; the server replied with 401 and a WWW-Authenticate header requesting NTLM, which caused the host to return NTLM information (including base64-encoded host and username) in the Authorization header. Some observed variants used PowerShell to generate keys and attempt SSH logins to attacker-controlled hosts; Proofpoint attributes destination hosts to compromised appliances (e.g., FortiOS, Ubiquiti) based on response headers and certificates.
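The 401/WWW-Authenticate exchange above leaves a usable trace in proxy logs. This added example (not Proofpoint's code) decodes the NTLM type 3 (AUTHENTICATE_MESSAGE) token from an Authorization header, per the MS-NLMP field layout, and reports challenges from, and credentials sent to, hosts outside an assumed allow-list. The log lines and the CORP\jdoe identity are constructed; 89.96.196.150:8080 is the Responder server quoted above.

```python
import base64
import struct
from urllib.parse import urlparse
NTLMSSP = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
TRUSTED_NTLM_HOSTS = {"intranet.corp.example"}   # hypothetical allow-list of in-house NTLM endpoints

def build_type3(domain: str, user: str, workstation: str) -> bytes:
    """Constructed AUTHENTICATE_MESSAGE with empty challenge responses; layout follows MS-NLMP."""
    fields = [s.encode("utf-16-le") for s in ("", "", domain, user, workstation, "")]
    descriptors, payload, offset = b"", b"", 64   # 8 sig + 4 type + 6*8 descriptors + 4 flags
    for data in fields:
        descriptors += struct.pack("<HHI", len(data), len(data), offset)
        payload += data
        offset += len(data)
    return NTLMSSP + struct.pack("<I", 3) + descriptors + struct.pack("<I", NEGOTIATE_UNICODE) + payload

def parse_type3(auth_header: str):
    """Decode 'NTLM <base64>' and return the identity fields, or None if it is not a type 3 message."""
    scheme, _, token = auth_header.partition(" ")
    raw = base64.b64decode(token) if scheme.upper() == "NTLM" else b""
    if not raw.startswith(NTLMSSP) or len(raw) < 64 or struct.unpack_from("<I", raw, 8)[0] != 3:
        return None
    enc = "utf-16-le" if struct.unpack_from("<I", raw, 60)[0] & NEGOTIATE_UNICODE else "ascii"
    def field(i):                                 # descriptors start at offset 12, 8 bytes each
        ln, _, off = struct.unpack_from("<HHI", raw, 12 + 8 * i)
        return raw[off:off + ln].decode(enc, errors="replace")
    return {"domain": field(2), "user": field(3), "workstation": field(4)}

# Constructed proxy log lines, "<src> <url> <status> <header-name>: <header-value>"; identity is made up.
_TOKEN = base64.b64encode(build_type3("CORP", "jdoe", "WS01")).decode()
SAMPLE_LOG = [
    "10.1.2.3 http://89.96.196.150:8080/ 401 WWW-Authenticate: NTLM",
    "10.1.2.3 http://89.96.196.150:8080/ 401 Authorization: NTLM " + _TOKEN,
    "10.1.2.3 http://intranet.corp.example/ 401 Authorization: NTLM " + _TOKEN,
]

def find_ntlm_leaks(lines, trusted=TRUSTED_NTLM_HOSTS) -> list[dict]:
    """Report NTLM challenges from, and credentials sent to, hosts outside the allow-list."""
    events = []
    for line in lines:
        src, url, status, name, value = line.split(" ", 4)
        host = urlparse(url).hostname
        if host in trusted:
            continue
        if name == "WWW-Authenticate:" and value.startswith("NTLM"):
            events.append({"event": "challenge", "host": host, "src": src, "status": status})
        elif name == "Authorization:" and (ident := parse_type3(value)):
            events.append({"event": "credential_sent", "host": host, "src": src, **ident})
    return events
```

The username and workstation come straight out of the token, so the same parser tells the responder which account to reset and which host to pull for forensics.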

TA422 also used multi-stage web delivery to stage payloads: Mockbin served browser-fingerprinting PHP that validated User-Agent, renderer, and VM status; successful checks redirected to InfinityFree domains which performed geo-checks and served ZIPs (e.g., news_week_6.zip, war.zip). Those ZIPs contained LNK files that launched a legitimate binary (renamed WINWORD.EXE/calculator) which sideloaded WindowsCodecs.dll to execute embedded command.cmd; command.cmd cleaned up artifacts, displayed a lure (PDF or fake Windows update progress), and looped beacons through stage URLs (Mocky/Mockbin/InfinityFree) to complete staging and callback. These combined techniques enabled credential capture and staged payload execution while minimizing user-visible impact.
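A triage check for the staging ZIPs described above, as an added example (not Proofpoint's code): it scores an archive on the combination of a shortcut (identified by the ShellLink header, not its extension), an executable, a WindowsCodecs.dll placed in the same directory as that executable, and a script. The sample archives are constructed; the weights and the four-point threshold are assumptions to tune locally.

```python
import io
import zipfile

LNK_MAGIC = b"L\x00\x00\x00\x01\x14\x02\x00"        # ShellLink HeaderSize + start of LinkCLSID
SIDELOAD_DLLS = {"windowscodecs.dll"}                 # DLL named above; extend with other sideload targets
SCRIPT_EXT = (".cmd", ".bat", ".vbs", ".ps1")

def make_sample_zip() -> bytes:
    """Constructed archive shaped like the staging ZIP above (names and bytes are made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("news_week_6.lnk", LNK_MAGIC + b"\x00" * 68)
        z.writestr("news_week_6/winword.exe", b"MZ" + b"\x00" * 62)      # renamed legitimate host binary
        z.writestr("news_week_6/WindowsCodecs.dll", b"MZ" + b"\x00" * 62)
        z.writestr("news_week_6/command.cmd", b"@echo off\r\n")
    return buf.getvalue()

def make_benign_zip() -> bytes:
    """Constructed control archive with a single document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("report.pdf", b"%PDF-1.4\n")
    return buf.getvalue()

def _dirname(name: str) -> str:
    return name.rsplit("/", 1)[0] if "/" in name else ""

def triage_zip(data: bytes) -> dict:
    """Score the archive on the LNK + host EXE + sideload DLL + script combination."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        lnks = []
        for n in names:
            with z.open(n) as f:                      # check the header, not the extension
                if f.read(8) == LNK_MAGIC:
                    lnks.append(n)
        exes = [n for n in names if n.lower().endswith(".exe")]
        dlls = [n for n in names if n.rsplit("/", 1)[-1].lower() in SIDELOAD_DLLS]
        scripts = [n for n in names if n.lower().endswith(SCRIPT_EXT)]
    # A sideload needs the DLL in the same directory as the executable that loads it.
    exe_dirs = {_dirname(e) for e in exes}
    colocated = [d for d in dlls if _dirname(d) in exe_dirs]
    score = 2 * bool(lnks) + 3 * bool(colocated) + 1 * bool(scripts)
    return {"lnk": lnks, "sideload_pairs": colocated, "scripts": scripts,
            "score": score, "verdict": "suspicious" if score >= 4 else "clean"}
```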

Read more: https://www.proofpoint.com/us/blog/threat-insight/ta422s-dedicated-exploitation-loop-same-week-after-week