Tuesday, October 8, 2024
HomeCyber AttackTA547 Hackers Launching AI-Powered Cyber Attacks Targeting Organizations

TA547 Hackers Launching AI-Powered Cyber Attacks Targeting Organizations

Published on

TA547 has been targeting German organizations with an email campaign delivering the Rhadamanthys malware.

Proofpoint has observed TA547 using Rhadamanthys, an information stealer that is utilized by multiple cybercriminal threat actors.

The emails, which impersonated the German retail company Metro, were crafted to appear as if they related to invoices, with subjects like “Rechnung No:31518562” and contained a password-protected ZIP file.

- Advertisement - EHA

The ZIP file included an LNK file that, when executed, triggered PowerShell to run a remote script.

Phishing Email

This script was responsible for decoding a Base64-encoded Rhadamanthys executable file, loading it into memory, and executing it without saving it to disk, a method known for evading traditional file-based detection mechanisms.

Document
Stop Advanced Phishing Attack With AI

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .

AI-Powered Cyber Attacks

The use of a PowerShell script in the attack chain suggests that TA547 may have employed an AI-powered tool, such as a large language model (LLM), to write or rewrite the script.

This is indicated by the typical output patterns of LLM-generated coding content observed in the script.

The shift from previously favored JavaScript attachments to compressed LNK files in early March 2024 demonstrates TA547’s evolving tactics.

TA547, identified as a financially motivated cybercriminal threat and considered to be an initial access broker (IAB), has historically targeted various geographic regions with different payloads.

Usage of LLM

In 2023, the group predominantly delivered NetSupport RAT but has also been known to distribute other payloads, including StealC and Lumma Stealer, which share similar functionalities with Rhadamanthys.

The recent campaign against German organizations is not an isolated incident.

TA547 has also targeted entities in Spain, Switzerland, Austria, and the U.S., highlighting the group’s broad geographic focus and the potential for widespread impact.

The adoption of AI-powered tools in cyber attacks is a growing concern.

These tools can analyze targets and find techniques most likely to compromise an organization, making attacks highly targeted and difficult to detect with traditional cybersecurity solutions.

The ability of AI-powered attacks to learn and adapt to new defenses poses a significant challenge, as they can bypass known patterns and signatures that cybersecurity solutions typically rely on.

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Gained Unauthorized Network Access to Casio Networks

Casio Computer Co., Ltd. has confirmed that a third party illegally accessed its network...

Open-Source Scanner Released to Detect CUPS Vulnerability

A new open-source scanner has been released to detect a critical vulnerability in the...

Comcast Cyber Attack Impacts 237,000+ Users Personal Data

Comcast Cable Communications LLC has reported that over 237,000 users' data has been compromised....

American Water Works Cyber Attack Impacts IT Systems

American Water Works Company, Inc., a leading provider of water and wastewater services, announced...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Hackers Gained Unauthorized Network Access to Casio Networks

Casio Computer Co., Ltd. has confirmed that a third party illegally accessed its network...

Open-Source Scanner Released to Detect CUPS Vulnerability

A new open-source scanner has been released to detect a critical vulnerability in the...

Comcast Cyber Attack Impacts 237,000+ Users Personal Data

Comcast Cable Communications LLC has reported that over 237,000 users' data has been compromised....