TA866 Threat Actor: Python Malware Targets Tatar-language Users

Cybersecurity researchers have discovered a new Python malware that has been targeting Tatar-speaking users. Tatar is a Turkic language spoken mostly by Tatars, an ethnic group based in Russia and its neighbouring nations.

The Python malware, analyzed by Cyble, is designed to capture screenshots on the targeted systems and transfer them to a remote server over FTP (File Transfer Protocol).

FTP enables files and folders to be transferred from one host (here, the targeted system) to another over a TCP-based network such as the Internet.

The threat actors behind the campaign are the notorious TA866, which has a history of targeting Tatar language speakers and utilizing Python malware to conduct their operations. 

How Does TA866 Use Python Malware? 

According to Cyble Research and Intelligence Labs (CRIL), TA866's use of this new Python malware coincided with Tatar Republic Day, and the attacks continued until the end of August.

The report claims that the threat actor known as TA866 uses a PowerShell script "responsible for taking screenshots and uploading them to a remote FTP server."

Threat actors use phishing emails to deliver the Python malware to selected victims. These emails carry a malicious RAR file as an attachment.

The archive contains two seemingly innocuous files: a video file and a Python-based executable masquerading as an image file by means of a dual extension.

  • Once executed, the loader starts a chain of events: it downloads a zip file from Dropbox that contains two PowerShell scripts and an additional executable file.
  • These scripts are used to create a scheduled task that allows the malicious executable to run.
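The chain described above (a disguised dual-extension executable, PowerShell launched from it, a scheduled task created for persistence, and an FTP upload from PowerShell) maps onto a handful of simple host-telemetry checks. The following is an added example written for this page, not code from Cyble or from the malware analysis; the event lines, their key=value format and the rule names are all constructed here for illustration and are not real telemetry or a vendor format.

```python
"""Triage a batch of process/network events for the TA866-style chain (added example)."""
import re
from typing import Dict, List

# Constructed sample events (not real telemetry). kind=process carries image/parent/cmdline,
# kind=netconn carries image/dest/dport.
SAMPLE_EVENTS = [
    'ts=2023-08-30T10:01:02Z kind=process image=photo.jpg.exe parent=explorer.exe cmdline="photo.jpg.exe"',
    'ts=2023-08-30T10:01:05Z kind=process image=powershell.exe parent=photo.jpg.exe cmdline="powershell -File stage1.ps1"',
    'ts=2023-08-30T10:01:07Z kind=process image=schtasks.exe parent=powershell.exe cmdline="schtasks /create /tn Updater /tr loader.exe"',
    'ts=2023-08-30T10:02:00Z kind=netconn image=powershell.exe dest=203.0.113.10 dport=21',
    'ts=2023-08-30T10:02:30Z kind=process image=notepad.exe parent=explorer.exe cmdline="notepad readme.txt"',
    'ts=2023-08-30T10:03:00Z kind=netconn image=chrome.exe dest=198.51.100.5 dport=443',
]

IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp"}
EXEC_EXTS = {"exe", "scr", "com", "pif"}

# key=value pairs, where a value is either a double-quoted string or a run of non-space characters
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def is_dual_extension_disguise(filename: str) -> bool:
    """True when a file name looks like an image but actually ends in an executable extension."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    return parts[-2] in IMAGE_EXTS and parts[-1] in EXEC_EXTS


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed key=value event line into a dictionary."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in FIELD_RE.findall(line)}


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the (hypothetical) rule names the event triggers, in a fixed order."""
    findings: List[str] = []
    image = event.get("image", "").lower()
    parent = event.get("parent", "").lower()
    cmdline = event.get("cmdline", "").lower()

    # Stage 1: the loader itself is an executable pretending to be an image.
    if is_dual_extension_disguise(image):
        findings.append("dual-extension-executable")
    # Stage 2: PowerShell started by that disguised executable.
    if image == "powershell.exe" and is_dual_extension_disguise(parent):
        findings.append("powershell-from-disguised-executable")
    # Stage 3: persistence via a scheduled task created from PowerShell.
    if image == "schtasks.exe" and parent == "powershell.exe" and "/create" in cmdline:
        findings.append("scheduled-task-created-by-powershell")
    # Stage 4: PowerShell talking to an FTP control port (screenshot upload).
    if event.get("kind") == "netconn" and image == "powershell.exe" and event.get("dport") == "21":
        findings.append("powershell-ftp-connection")
    return findings


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map each event timestamp to its findings, keeping only events that triggered a rule."""
    results: Dict[str, List[str]] = {}
    for line in lines:
        event = parse_event(line)
        findings = evaluate(event)
        if findings:
            results[event["ts"]] = findings
    return results


if __name__ == "__main__":
    for ts, names in triage(SAMPLE_EVENTS).items():
        print(ts, ", ".join(names))
```

Each rule on its own is noisy (plenty of legitimate software registers scheduled tasks), which is why the example keys findings by timestamp: a reviewer or correlation layer can then require two or more of the stages within a short window before raising an alert.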

According to Proofpoint, the threat actor’s operations lead them to a financially motivated activity called “Screentime.” 

TA866 Threat Actors and Their Use of Custom Hacking Tools

The hackers are able to conduct these complex attacks because they have successfully developed their own sophisticated tools and services. Notably, the financially motivated threat actor TA866 has been connected to similar operations targeting German and American organizations.

CRIL claims that the threat actor infects the victim's computers with the Python tool via the RAR file. However, the infection passes through a chain of stages before the final payload is launched, including the use of Tatar-language filenames as camouflage.

The threat actor employs a malicious application that shows the victims a message while covertly running PowerShell scripts to take screenshots and send them to an FTP site. 

The subsequent step of TA866 involves the deployment of further malicious software, which may include the Cobalt Strike beacon, RATs (Remote Access Trojans), stealers, and other harmful programs.

Considering the sophisticated payloads and malware used in the attacks, it can be concluded that this is not a rookie operation but a group of skilled operators, including experts in designing advanced malware strains and payloads.

Malware Campaign Targets Job Seekers With Cobalt Strike Beacons

A social engineering campaign is exploiting a years-old remote code execution vulnerability in Microsoft Office to deploy Cobalt Strike beacons and target job seekers. 

According to a report published on Wednesday by Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer, a payload discovered during the investigation appears to be a leaked version of a Cobalt Strike beacon.

The beacon configuration contains commands that can be used to inject arbitrary binaries directly into processes. A high-reputation domain is configured on the beacon, a redirection technique used to disguise the beacon's traffic.

Malicious activity discovered a year ago, in August 2022, attempts to exploit CVE-2017-0199, a remote code execution vulnerability in Microsoft Office that allows an attacker to take control of an affected system remotely.

One entry vector for the attack is phishing emails purporting to come from New Zealand's Public Service Association, a trade union based in that country. They carry a Microsoft Word attachment containing job-related lures for positions in the U.S. government and the Public Service Association. According to Cisco Talos, the Cobalt Strike beacons are far from the only malware samples being deployed: the company has also observed Redline Stealer and Amadey botnet executables being used as payloads at the other end of the attack chain.
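A Word attachment that exploits CVE-2017-0199 relies on the document referencing an OLE object by an external link, so a common triage heuristic is to open the document's package and look for OLE-object relationships whose target is external. The following checker is an added example for this page, not Cisco Talos code and not a complete detector; the sample documents are constructed in memory with a placeholder target, and the helper names are the author's own.

```python
"""Flag .docx files whose OLE-object relationships point at an external target (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List

# Namespaces and relationship type from the Open Packaging Conventions / OOXML specs.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
STYLES_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"


def find_external_ole_links(docx_bytes: bytes) -> List[str]:
    """Return the Target of every OLE-object relationship marked TargetMode="External".

    A .docx is a zip file; relationships live in word/_rels/*.rels. A legitimate
    embedded object is stored inside the package (internal target), so an external
    OLE target is a strong signal worth a closer look.
    """
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        for name in package.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(package.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                    hits.append(rel.get("Target", ""))
    return hits


def is_suspicious_docx(docx_bytes: bytes) -> bool:
    """Convenience wrapper: True when at least one external OLE link is present."""
    return bool(find_external_ole_links(docx_bytes))


def build_sample_docx(rels_xml: str) -> bytes:
    """Build a minimal, constructed .docx-like package around the given relationships XML.

    Only the parts the checker reads are included; this is a test fixture, not a
    valid Word document.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("word/document.xml", "<document/>")  # placeholder body
        package.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed fixtures. The external target is a placeholder, not a real indicator.
BENIGN_RELS = (
    f'<Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId1" Type="{STYLES_REL}" Target="styles.xml"/>'
    f'</Relationships>'
)
SUSPICIOUS_RELS = (
    f'<Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId1" Type="{OLE_REL}" Target="http://example.invalid/placeholder" TargetMode="External"/>'
    f'</Relationships>'
)


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        links = find_external_ole_links(build_sample_docx(rels))
        print(f"{label}: {'FLAG ' + ', '.join(links) if links else 'no external OLE links'}")
```

The check is deliberately narrow: it says nothing about what the linked object would deliver, only that the document asks Office to fetch an object from outside the package, which a patched Office will refuse to execute but which still merits quarantine at the mail gateway.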

A cybersecurity expert noted that the attack was highly modularized and that Bitbucket repositories were used to host the malicious content. From those repositories the attack downloaded the malware executable responsible for installing the Cobalt Strike DLL beacon, which attackers could later use to further compromise the computer.

Several attack sequences are driven from Bitbucket: obfuscated VB and PowerShell scripts stored in one repository are used to deliver the beacon, which is hosted from a different Bitbucket account.

"This campaign is a well-known example of how a threat actor employs a technique of generating and executing a malicious script in the system memory of the victim as a means of attacking the system," the researchers said.

"Organizations should be constantly vigilant on the Cobalt Strike beacons and should implement layered defense capabilities to thwart the attacker's attempts at the earliest stage in the infection chain so as to thwart the attack's progress."