Sunday, May 19, 2024

TA547 Hackers Launching AI-Powered Cyber Attacks Targeting Organizations

TA547 has been targeting German organizations with an email campaign delivering the Rhadamanthys malware.

Proofpoint has observed TA547 using Rhadamanthys, an information stealer that is utilized by multiple cybercriminal threat actors.

The emails, which impersonated the German retail company Metro, were crafted to appear as if they related to invoices, with subjects like “Rechnung No:31518562” and contained a password-protected ZIP file.

The ZIP file included an LNK file that, when executed, triggered PowerShell to run a remote script.

Phishing Email

This script was responsible for decoding a Base64-encoded Rhadamanthys executable file, loading it into memory, and executing it without saving it to disk, a method known for evading traditional file-based detection mechanisms.

Stop Advanced Phishing Attack With AI

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .

AI-Powered Cyber Attacks

The use of a PowerShell script in the attack chain suggests that TA547 may have employed an AI-powered tool, such as a large language model (LLM), to write or rewrite the script.

This is indicated by the typical output patterns of LLM-generated coding content observed in the script.

The shift from previously favored JavaScript attachments to compressed LNK files in early March 2024 demonstrates TA547’s evolving tactics.

TA547, identified as a financially motivated cybercriminal threat and considered to be an initial access broker (IAB), has historically targeted various geographic regions with different payloads.

Usage of LLM

In 2023, the group predominantly delivered NetSupport RAT but has also been known to distribute other payloads, including StealC and Lumma Stealer, which share similar functionalities with Rhadamanthys.

The recent campaign against German organizations is not an isolated incident.

TA547 has also targeted entities in Spain, Switzerland, Austria, and the U.S., highlighting the group’s broad geographic focus and the potential for widespread impact.

The adoption of AI-powered tools in cyber attacks is a growing concern.

These tools can analyze targets and find techniques most likely to compromise an organization, making attacks highly targeted and difficult to detect with traditional cybersecurity solutions.

The ability of AI-powered attacks to learn and adapt to new defenses poses a significant challenge, as they can bypass known patterns and signatures that cybersecurity solutions typically rely on.

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.


Latest articles

Hackers Exploiting Docusign With Phishing Attack To Steal Credentials

Hackers prefer phishing as it exploits human vulnerabilities rather than technical flaws which make...

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles