Thursday, December 12, 2024
HomeCyber AttackTA558 Hackers Compromised 320+ Organizations' FTP & SMTP Servers

TA558 Hackers Compromised 320+ Organizations’ FTP & SMTP Servers

Published on

SIEM as a Service

TA558, a financially motivated threat actor identified in 2018, is targeting several countries but with utmost priority in Latin America.

Over 320 attacks have been observed from this particular threat actor, which involve using various tools and malware and compromising legitimate FTP servers and SMTP Servers.

Among the 320 attacks, 45 of them were targeted on Mexico, 38 over Colombia and 26 over Chile.

- Advertisement - SIEM as a Service

The sectors of interest seem to be the Industrial sector (22%), Service sector (16%), and Public sector (16%).

In addition, the threat actor has also been using Steganography techniques with images and text files.

TA558 Hackers Compromised 320+ Organizations

The threat actor used the compromised SMTP servers to send phishing emails to victims and also utilized the same SMTP servers for C2 infrastructure. 

Phishing email (Source: Positive Technologies)

Some of the SMTP servers used by this threat actor were found to have public directories that contained Malware logs of Stolen data.

Document
Stop Advanced Phishing Attack With AI

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .

The log files contained combined logs of credentials from well-known browsers, email accounts, and remote access credentials. 

Moreover, these credentials belonged to regular users, public institutions, and various businesses.

In the initial phases of the investigation, researchers discovered an XLAM file in a phishing email from a compromised SMTP server.

When the attachment is opened with Excel, an EXE file named “packedtpodododod.exe” was downloaded from a C2 URL using the Excel macros.

File opened and a GET request is sent (Source: Positive Technologies)

In addition, an RTF file was identified on the same C2 server alongside another EXE file, which is the exploit file for CVE-2017-11882.

When the final EXE file is downloaded and run, the final payload of the relevant malware, say AgentTesla, then uploads exfiltrated data to the C2 via FTP.

VB script file (Source: Positive Technologies)

Further analysis revealed that the threat actor was using multiple malware families such as AgentTesla, Remcos, XWorm, LokiBot, Guloader, Formbook and SnakeKeylogger.

Attack Scenarios

Two attack scenarios were identified by the threat actor. One involves using an Excel document and steganography, and the other involves a Microsoft Word document.

Among these attack scenarios, the attack using an Excel document was the main scenario, which starts with a phishing email sent to the victim from the compromised SMTP server containing a malicious file “Cerere de cotatie.xla”.

When this file is opened, two requests are made to the C2 server for downloading a DOC and an RTF.

Once the RTF file is downloaded, another VBS file is downloaded from a paste[.]ee server.

File from past[.]ee server (Source: Positive Technologies)

Following this, the VBS file proceeds to download and decode two image files that contain a base64 encoded malicious string that points to the next-stage payload.

The VBS file contains a PowerShell script to decode this base64 encoded string and proceeds to download the next-stage payload.

Image with encoded string (Source: Positive Technologies)

Finally, the AgentTesla malware runs on the system which checks the execution environment.

Further, it also checks if the victim’s IP address is real. If these checks are successful, the malware proceeds to steal data from browsers, email clients, and remote access services and uploads it to the C2 server using FTP.

However, the second attack variant involving a Microsoft Word document has a similar methodology, but it does not use steganography techniques using images.

Instead, it directly downloads the AgentTesla malware using the RTF document. 

Other variants of the attacks using Remcos, LokiBot, FormBook, Guloader, Snake Keylogger, and XWorm also use the first attack scenario for downloading and executing the malware on the victim system.

Nevertheless, the C2 and download servers differ for every malware and attack variant.

On further investigation, the FTP servers used by the threat actors belonged to legitimate websites that were also compromised for using them as C2 servers for data exfiltration.

There were also several legitimate companies with thousands of followers on social media.

Compromised website for C2 FTP (Source: Positive Technologies)

Furthermore, the indicators of compromise can be viewed on the research blog published by Positive Technologies.

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Resecurity introduces Government Security Operations Center (GSOC) at NATO Edge 2024

Resecurity, a global leader in cybersecurity solutions, unveiled its advanced Government Security Operations Center...

Reserachers Uncovered Zloader DNS Tunneling Tactics For Stealthy C2 Communication

Zloader, a sophisticated Trojan, has recently evolved with features that enhance its stealth and...

US Charged Chinese Hackers for Exploiting Thousands of Firewall

The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned Sichuan Silence...

DMD Diamond Launches Open Beta for v4 Blockchain Ahead of 2025 Mainnet

DMD Diamond - one of the oldest blockchain projects in the space has announced the...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Reserachers Uncovered Zloader DNS Tunneling Tactics For Stealthy C2 Communication

Zloader, a sophisticated Trojan, has recently evolved with features that enhance its stealth and...

Hackers Deploy Weaponized LNK Files for Malicious Payload Delivery

Researchers reported a phishing attack on December 4th, 2024, where malicious emails purportedly from...

APT-C-60 Hackers Penetrate Org’s Network Using a Weapanized Google Drive link

The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) has confirmed an advanced cyber...