In phishing emails, the threat actor known as TA577 has been spotted stealing NT LAN Manager (NTLM) hashes by using ZIP archive attachments.
Enterprise security firm Proofpoint stated in a report released on Monday that the new attack chain” can be used for sensitive information gathering purposes and to enable follow-on activity.”
On February 26, 2024, at least two campaigns, according to the company, took advantage of this strategy. The phishing waves targeted hundreds of organizations all over the world and distributed thousands of messages.
In an effort to boost the success of the attacks, the messages themselves appeared as responses to earlier emails using a technique known as thread hijacking.
An HTML file that is intended to contact an actor-controlled Server Message Block ( SMB) server comes with the ZIP attachments, which are the most popular delivery methods.
According to the company, “TA577’s goal is to steal NTLMv2 Challenge/Response pairs from the SMB server in order to steal NTLM hashes,” which could then be used for pass-the-hath ( PtH ) attacks.
In order to authenticate a session in a network and gain unauthorized access to valuable data, adversaries who are in possession of a password hash do n’t need the underlying password.
One of the most sophisticated cybercrime organizations is TA577, which overlaps with a Trend Micro activity cluster known as Water Curupira. In the past, it has been linked to the distribution of malware families like QakBot and PikaBot.
According to Proofpoint,” the rate at which TA577 adopts and distributes new tactics, techniques, and procedures ( TTPs ) suggests the threat actor likely has the time, resources, and experience to quickly iterate and test new delivery techniques.”
Additionally, it noted that the threat actor was acutely aware of the shifts in the landscape of cyber threats and was working quickly to improve and modify its methods of delivery to avoid detection and drop a variety of payloads. To stop exploitation, organizations are highly advised to block outbound SMB.