According to cybersecurity firm Proofpoint, the cybercriminal group known as TA551 has demonstrated a significant shift in tactics by adding the open-source penetration testing framework Sliver to its arsenal.
Proofpoint has been tracking TA551 as a criminal threat actor since 2016. Other security firms refer to it as Shathak. TA551 acquires stolen email threads or compromised email accounts and reuses the existing conversations, a technique commonly known as thread hijacking, in email campaigns that disseminate malware, according to Proofpoint. Ursnif, IcedID, Qbot, and Emotet are among the malware payloads TA551 has delivered. For ransomware threat actors, this actor serves as an initial access facilitator.
The use of Sliver by TA551 illustrates the actor's versatility. As an established initial access broker, TA551 would gain a foothold through email campaigns, compromise a victim, and potentially broker that access to enable the deployment of Cobalt Strike and eventually ransomware. Sliver allows TA551 operators to obtain rapid access to victims and interact with them directly, giving them their own capabilities for execution, persistence, and lateral movement. This could eliminate the need for a secondary access tool.
Proofpoint assesses with high confidence that TA551's banking trojan operations have led to ransomware attacks. In 2020, TA551 IcedID infections were linked to the Maze and Egregor ransomware attacks.
On October 20, 2021, Proofpoint observed emails that appeared to be replies to prior conversations and carried password-protected compressed Word documents as attachments. The attachments lead to the download of Sliver, an open-source, cross-platform adversary simulation and red team framework. This activity differed significantly from the tactics, techniques, and procedures normally associated with TA551. When a victim opens the zipped attachment, they find a Microsoft Word document containing macros. If macros are enabled, Sliver is downloaded.
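The delivery chain described above (a message framed as a reply, a password-protected archive, an Office document inside it) can be checked for at the mail gateway without opening the document. The following is an added example written for this page, not code from Proofpoint or the Sliver project; it inspects a message's zip attachments for the PKWARE encryption flag and for Office file names, and combines that with reply-style framing and an archive password mentioned in the body. The sample message and archive are constructed inline (the encryption bit is set by hand, since the standard library cannot write encrypted zips), and the scoring rules are illustrative assumptions.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Office formats that can carry macros (assumed list for this example).
OFFICE_EXT = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm")


def zip_findings(blob: bytes) -> dict:
    """Read only the central directory of a zip: no entry is extracted."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
    return {
        # bit 0 of the general purpose flag = traditional PKWARE encryption
        "encrypted": any(i.flag_bits & 0x1 for i in infos),
        "office_doc": any(i.filename.lower().endswith(OFFICE_EXT) for i in infos),
        "names": [i.filename for i in infos],
    }


def triage_message(raw: bytes) -> dict:
    """Flag a message that matches the reply + encrypted zip + Office doc pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    looks_like_reply = (
        re.match(r"^\s*(re|fw|fwd)\s*:", subject, re.I) is not None
        or msg.get("In-Reply-To") is not None
    )
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body else ""
    password_in_body = re.search(r"\bpassword\b", body_text, re.I) is not None

    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if name.endswith(".zip") or ctype in ("application/zip", "application/x-zip-compressed"):
            z = zip_findings(part.get_payload(decode=True))
            if z["encrypted"] and z["office_doc"]:
                reasons.append(f"encrypted zip {name!r} containing Office document(s) {z['names']}")
    if reasons and password_in_body:
        reasons.append("archive password supplied in message body")
    if reasons and looks_like_reply:
        reasons.append("framed as a reply to an existing thread")
    # Only the full combination is treated as suspicious; an encrypted zip alone is common.
    return {"suspicious": bool(reasons and looks_like_reply), "reasons": reasons}


def constructed_zip() -> bytes:
    """Constructed sample: a tiny zip holding a dummy .doc, with the encryption
    flag bit set by hand in both the local file header and the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("request.doc", b"placeholder bytes, not a real document")
    data = bytearray(buf.getvalue())
    local = data.find(b"PK\x03\x04")      # local header: flag at offset 6
    central = data.find(b"PK\x01\x02")    # central directory: flag at offset 8
    data[local + 6] |= 0x1
    data[central + 8] |= 0x1
    return bytes(data)


def constructed_sample() -> bytes:
    """Constructed sample message mimicking the reply-with-protected-archive lure."""
    msg = EmailMessage()
    msg["Subject"] = "RE: invoice discussion"
    msg["From"] = "someone@example.com"
    msg["To"] = "victim@example.org"
    msg["In-Reply-To"] = "<constructed-thread-id@example.org>"
    msg.set_content("Hi, as discussed, see attached. The archive password is 1234.")
    msg.add_attachment(constructed_zip(), maintype="application", subtype="zip",
                       filename="docs.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(constructed_sample()))
```

The check deliberately keys on the combination rather than on any single trait: encrypted archives and reply subjects are both common in legitimate mail, and the document itself is never opened, so the rule is cheap enough to run on every inbound message.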
Sliver is freely available online and provides information collection, command and control (C2) functionality, token manipulation, process injection, and other capabilities. Cybercrime threat actors are increasingly relying on red teaming tools. Between 2019 and 2020, for example, Proofpoint saw a 161% rise in threat actors using the red teaming tool Cobalt Strike. Lemon Tree and Veil are two further offensive frameworks that appear to be employed as first-stage payloads by cybercriminals.
Cybercriminals' adoption of Sliver comes only months after US and UK government agencies warned that the Russian state-sponsored cyberespionage group APT29 had added the framework to its arsenal. The move is unsurprising, however, as security specialists have long warned of the blurring line between nation-state and cybercriminal activity, with each side adopting techniques from the other to better mask its footprint, or engaging in both kinds of operations.