Albabat is a Rust-written ransomware family that spreads via rogue downloads (fake Windows activators and game cheats), encrypts user files with a .abbt extension, and drops ransom notes while attempting to stop key processes and services. FortiGuard Labs docu…
Tag: EDR
Cloud-native development expands both the attack surface and the corresponding detection surface because resources are API-defined and provisioned rapidly, creating telemetry that must be properly interpreted. Security teams need to map cloud telemetry (contai…
Star Blizzard is a Russia-backed spear-phishing operation, formerly known as SEABORGIUM, that targets academia, defense, government, NGOs, and think tanks with highly personalized social engineering. It uses fake email and social media profiles, deceptive even…
Kuiper is a Go-based ransomware marketed as an easy-to-use, cross-platform kit by RobinHood, with a plan to offer operational help for a commission and a planned double-extortion leak site. Researchers uncovered that the sales hype overstated capabilities, and…
What happened
Proofpoint researchers identified the return of TA866 to email threat campaign data after a nine-month absence. On January 11, 2024, Proofpoint blocked a large-volume campaign consisting of several thousand emails targeting North America. Invoice-themed emails had attached PDFs with names such as "Document_[10 digits].pdf" and various subjects such as "Project achievements". The PDFs contained OneDrive URLs that, if clicked, initiated a multi-step infection chain eventually leading to the malware payload, a variant of the WasabiSeed and Screenshotter custom toolset.
Screenshot of an email with an attached PDF.
If the user clicked on the OneDrive URL inside the PDF, they were:
Served a JavaScript file hosted on OneDrive.
The JavaScript, if run by the user, downloaded and ran an MSI file.
The MSI file executed an embedded WasabiSeed VBS script.
The WasabiSeed VBS script then downloaded and executed a second MSI file and continued polling for additional payloads in a loop. The additional payloads are currently unknown.
Finally, the second MSI file contained components of the Screenshotter screenshot utility, which took a screenshot of the desktop and sent it to the C2.
Attack chain summary: Email > PDF > OneDrive URL > JavaScript > MSI / VBS (WasabiSeed) > MSI (Screenshotter).
The attack chain was similar to the last documented email campaign using this custom toolset observed by Proofpoint on March 20, 2023. The similarities helped with attribution. Specifically, the TA571 spam service was similarly used, the WasabiSeed downloader remained almost the same, and the Screenshotter scripts and components remained almost the same. (Analyst Note: While Proofpoint did not initially associate the delivery TTPs with TA571 in our first publication on TA866, subsequent analysis attributed the malspam delivery of the 2023 campaigns to TA571, and subsequent post-exploitation activity to TA866.)
One of the biggest changes in this campaign from the last observed activity was the use of a PDF attachment containing a OneDrive link, which was completely new. Previous campaigns typically used macro-enabled Publisher attachments or 404 TDS URLs directly in the email body.
Screenshot of "TermServ.vbs", the WasabiSeed script, whose purpose is to execute an infinite loop, reaching out to the C2 server and attempting to download and run an MSI file (empty lines were removed from this script for readability).
Screenshot of "app.js", one of the components of Screenshotter. This file runs "snap.exe", a copy of the legitimate IrfanView executable (also included inside the MSI), to save a desktop screenshot as "gs.jpg".
Screenshot of "index.js", another Screenshotter component. This code is responsible for uploading the desktop screenshot "gs.jpg" to the C2 server.
Attribution
There are two threat actors involved in the observed campaign. Proofpoint tracks the distribution service used to deliver the malicious PDF as belonging to a threat actor known as TA571. TA571 is a spam distributor, and this actor sends high-volume spam email campaigns to deliver and install a variety of malware for their cybercriminal customers.
Proofpoint tracks the post-exploitation tools, specifically the JavaScript, the MSI with WasabiSeed components, and the MSI with Screenshotter components, as belonging to TA866. TA866 is a threat actor previously documented by Proofpoint and colleagues in [1], [2] and [3]. TA866 is known to engage in both crimeware and cyberespionage activity. This specific campaign appears financially motivated.
Proofpoint assesses that TA866 is an organized actor able to perform well-thought-out attacks at scale, based on the availability of custom tools and on their ability and connections to purchase tools and services from other actors.
Why it matters
The following are notable characteristics of TA866's return to email threat data:
TA866 email campaigns have been missing from the landscape for over nine months (although there are indications that the actor was meanwhile using other distribution methods).
This campaign comes at a time when Proofpoint is also observing other actors return from traditional end-of-year holiday breaks, and thus overall threat landscape activity is increasing.
This campaign attempted to deliver the WasabiSeed downloader and Screenshotter payloads. It is currently unknown what follow-on payload the actor would install if they were satisfied with the screenshots taken by Screenshotter. In previous campaigns the actor has delivered AHK Bot and Rhadamanthys Stealer.
The evolution in the attack chain, such as the use of new PDF attachments, is also notable.
References
[1] https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me
[2] https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails
[3] https://www.welivesecurity.com/2023/06/08/asylum-ambuscade-crimeware-or-cyberespionage/
Example Emerging Threats signatures
2043239 - ET MALWARE WasabiSeed Backdoor Payload Request (GET)
2852922 - ETPRO MALWARE Screenshotter Backdoor Sending Screenshot (POST)
Indicators of compromise
Indicator | Description
hxxps[:]//onedrive.live[.]com/download?resid=720FBFD017217E31%21118&authkey=!ACD7ldpnneZUBtc&a=[4 or more random letters] | URL inside PDF
bdb0b6f52b51d989c489c3605a1534c9603ffb7a373654f62fd6f3e3599341fb | SHA256 of the Document.js hosted on the OneDrive URLs
hxxp[:]//37[.]1.212.198//md.msi | JavaScript downloading MSI
8277dff37fb068c3590390ca1aa6b96fd8b4f93757d5070f68ee8894e37713b1 | SHA256 of ms.msi
c9329007524b3da130c8635a226c8cbe3a4e803b813f5b2237ed976feb9d2c8d | SHA256 of WasabiSeed script TermServ.vbs contained inside ms.msi
hxxp[:]//193[.]233.133.179/[C: Drive Serial Number] | WasabiSeed C2
19938b8918b09852ee8d27a7cc2991ba2eb110f27ce25e70fffde932a74e6a6d | SHA256 of MSI payload (Screenshotter) downloaded by WasabiSeed
8b35b21b52780d39ea7832cb918533be7de5b6682cbeffe37797ba92a92aa368 | SHA256 of "index.js" Screenshotter component
6e53a93fc2968d90891db6059bac49e975c09546e19a54f1f93fb01a21318fdc | SHA256 of "snap.exe" Screenshotter component (legitimate IrfanView)
aec5bf19e72ed577b0a02cffeb4f5cc713ab4478267ce348cf337b508f2fcade | SHA256 of "app.js" Screenshotter component
hxxp[:]//193[.]233.133.179:80/screenshot/[C: Drive Serial Number] | Screenshotter C2
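As an added example, not Proofpoint's code and not part of the original post, the script below shows how a defender can put the attack chain and the indicator list above to work: it refangs the published URL and SHA256 indicators (hxxp, [.], [:]), turns the bracketed placeholders such as [C: Drive Serial Number] into single-token wildcards, and matches the result against web proxy lines and file hashes. The indicator values are copied from the list above; the proxy log format and its lines are constructed for this demonstration and are not from the page.

```python
"""Match the TA866 indicators published above against proxy lines and file hashes.

IOC values are copied from the Proofpoint list (still defanged). The proxy log
format and sample lines are constructed for this example.
"""
import re

# Defanged URL indicators and their descriptions, as published.
# Square-bracket placeholders describe a variable part of the URL.
URL_IOCS = {
    "hxxps[:]//onedrive.live[.]com/download?resid=720FBFD017217E31%21118"
    "&authkey=!ACD7ldpnneZUBtc&a=[4 or more random letters]": "URL inside PDF",
    "hxxp[:]//37[.]1.212.198//md.msi": "JavaScript downloading MSI",
    "hxxp[:]//193[.]233.133.179/[C: Drive Serial Number]": "WasabiSeed C2",
    "hxxp[:]//193[.]233.133.179:80/screenshot/[C: Drive Serial Number]": "Screenshotter C2",
}

# SHA256 indicators from the same list (keys kept lowercase for lookup).
HASH_IOCS = {
    "bdb0b6f52b51d989c489c3605a1534c9603ffb7a373654f62fd6f3e3599341fb": "Document.js hosted on OneDrive",
    "8277dff37fb068c3590390ca1aa6b96fd8b4f93757d5070f68ee8894e37713b1": "ms.msi",
    "c9329007524b3da130c8635a226c8cbe3a4e803b813f5b2237ed976feb9d2c8d": "TermServ.vbs (WasabiSeed) inside ms.msi",
    "19938b8918b09852ee8d27a7cc2991ba2eb110f27ce25e70fffde932a74e6a6d": "Screenshotter MSI downloaded by WasabiSeed",
    "8b35b21b52780d39ea7832cb918533be7de5b6682cbeffe37797ba92a92aa368": "index.js (Screenshotter)",
    "6e53a93fc2968d90891db6059bac49e975c09546e19a54f1f93fb01a21318fdc": "snap.exe (legitimate IrfanView)",
    "aec5bf19e72ed577b0a02cffeb4f5cc713ab4478267ce348cf337b508f2fcade": "app.js (Screenshotter)",
}

PLACEHOLDER = re.compile(r"\[[^\]]+\]")  # e.g. "[C: Drive Serial Number]"


def refang(ioc):
    """Turn a defanged indicator back into the literal string seen on the wire."""
    return ioc.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


def ioc_to_regex(ioc):
    """Compile a defanged URL IOC into a regex.

    Literal parts are escaped; each placeholder becomes one path/query token
    (anything up to the next '/', '?', '&' or whitespace).
    """
    literal_parts = PLACEHOLDER.split(refang(ioc))
    return re.compile(r"[^/\s?&]+".join(re.escape(p) for p in literal_parts), re.IGNORECASE)


URL_PATTERNS = [(ioc_to_regex(ioc), desc) for ioc, desc in URL_IOCS.items()]


def scan_proxy_log(log_text):
    """Return (line_number, url, description) for each line whose URL matches an IOC.

    Constructed line format: <timestamp> <client_ip> <method> <url> <status>.
    fullmatch() is used so "host/<serial>" does not swallow "host:80/screenshot/<serial>".
    """
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or empty line; skip rather than crash
        url = fields[3]
        for pattern, desc in URL_PATTERNS:
            if pattern.fullmatch(url):
                hits.append((n, url, desc))
    return hits


def match_hashes(observed):
    """Map each observed SHA256 (any case) that is on the indicator list to its description."""
    return {h: HASH_IOCS[h.lower()] for h in observed if h.lower() in HASH_IOCS}


# Constructed sample proxy log: the full chain from one client, plus benign traffic.
# Line 3 shows the WasabiSeed poll; on a real host it repeats (the script loops).
SAMPLE_PROXY_LOG = """\
2024-01-11T14:02:10Z 10.0.0.12 GET https://onedrive.live.com/download?resid=720FBFD017217E31%21118&authkey=!ACD7ldpnneZUBtc&a=QWER 200
2024-01-11T14:02:31Z 10.0.0.12 GET http://37.1.212.198//md.msi 200
2024-01-11T14:02:55Z 10.0.0.12 GET http://193.233.133.179/A1B2C3D4 404
2024-01-11T14:03:05Z 10.0.0.12 POST http://193.233.133.179:80/screenshot/A1B2C3D4 200
2024-01-11T14:03:40Z 10.0.0.12 GET https://www.example.com/index.html 200
"""

if __name__ == "__main__":
    for n, url, desc in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {n}: {desc}: {url}")
    print(match_hashes(["BDB0B6F52B51D989C489C3605A1534C9603FFB7A373654F62FD6F3E3599341FB"]))
```

The URL patterns are deliberately literal: the WasabiSeed pattern requires the host without a port and the Screenshotter pattern requires ":80", exactly as published, so a proxy that normalizes ports away will need the URL field normalized the same way before matching. The repeated polling of the WasabiSeed C2 (the script loops until an MSI is returned) is what the first Emerging Threats signature above keys on, and in the proxy log it shows up as the same client requesting the same serial-number path over and over.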
DarkGate uses a multi-stage AutoIt-based loader chain to install its malware starting from malicious PDFs that deliver CAB and MSI components, followed by obfuscated AutoIt scripts and payload decryption. The write-up covers the loader flow, four execution pha…
Microsoft observed a technically mature Mint Sandstorm (PHOSPHORUS) subgroup targeting high-profile academics and researchers involved in Middle Eastern affairs across Belgium, France, Gaza, Israel, the UK, and the US, using bespoke phishing lures and social e…
Securonix Threat Research analyzes how legitimate RMM tools (Atera, NetSupport, AnyDesk, Splashtop) are abused by threat actors to maintain stealthy command-and-control, persistence, and file transfers that lead to ransomware and data theft. The article outlin…
This blog delves into the Phemedrone Stealer campaign’s exploitation of CVE-2023-36025, the Windows Defender SmartScreen Bypass vulnerability, for its defense evasion and investigates the malware’s payload.
macOS infostealers KeySteal, Atomic InfoStealer, and CherryPie continue to evolve, evading static signatures and expanding distribution methods. The article details how each family persists, hides its actions, and yields actionable indicators for threat hunter…
Volexity discovered active exploitation of two chained zero-day vulnerabilities in Ivanti Connect Secure that enabled unauthenticated remote code execution and full compromise of VPN appliances. The attackers used the flaws to deploy webshells, modify firmware…
Sysdig researchers built an automated WAF fuzzer (Wafer) that used PortSwigger XSS payloads and Selenium-driven interaction to discover that AWS WAF failed to block payloads leveraging the experimental DOM event onbeforetoggle. The team reported the issue to A…
Securonix tracked a financially motivated campaign dubbed RE#TURGENCE that brute forced exposed MSSQL servers to gain access, then used xp_cmdshell to run encoded PowerShell downloaders, deploy Cobalt Strike and AnyDesk, harvest credentials, move laterally, an…
CyFirma examines Silver RAT, a Windows-based tool built to bypass AV, log keystrokes, encrypt data, destroy restore points, and run hidden processes. It traces the developer ecosystem around Anonymous Arabic, including Telegram channels and underground forums,…
Qakbot has resurfaced after the “Duck Hunt” disruption and is being delivered via phishing emails that drop malicious PDFs and an MSI installer containing a patched IDM DLL with the malware. The campaign unpacks a memory-loaded second-stage using VirtualAlloc/ā¦