The TA866 threat group has targeted US and German entities

February 27, 2023

The cybercriminal operations of the newly identified TA866 threat group have targeted organisations in the United States and Germany. The group appears to be financially motivated and analyses its target's environment before carrying out its campaign.

Based on reports, the new cybercriminal operators have already been active since October last year. Their primary targets are organisations in the United States, but they are gradually shifting their focus to German firms.


The TA866 threat group has used malicious Publisher files attached to emails.


In its first two months of activity, the TA866 threat group targeted a few companies with malicious emails carrying weaponised Publisher files.

Their campaigns became less frequent last month, but the number of emails sent in each campaign grew, so that many more organisations were targeted.

Furthermore, researchers have recorded that the group deployed numerous malicious emails in Germany between December and January, indicating that the group has taken an interest in attacking German organisations.

Experts claimed that the TA866 threat group works in a time zone in which other Russian actors usually operate. Hence, the group might have originated from Russia. Another characteristic of this group is that its campaigns follow a multi-step attack process that includes manual intervention by the operators.

Their campaign starts with a phishing email sent to a target, which likely uses thread hijacking and contains PDF documents with malicious URLs, MS Publisher attachments with malicious macros, or URLs redirecting to malicious [.]pub files.

Once a target opens the lure, the attack chain executes on the device and downloads the group's custom malware, WasabiSeed or Screenshotter, onto the victim's machine.

These malware strains capture screenshots and collect Active Directory-related information from the target's machine. The malware then sends the stolen details to an attacker-controlled server.

In some cases, the attackers review the collected details and then download AHK Bot and an additional stealer onto the machine.

Experts recommend that organisations implement a proactive approach to cybersecurity. Additionally, firms should train their employees to identify and report potentially harmful emails and other suspicious activity.
