Sunday, September 8, 2024
HomeCyber AttackTA558 Hackers Compromised 320+ Organizations' FTP & SMTP Servers

TA558 Hackers Compromised 320+ Organizations’ FTP & SMTP Servers

Published on

TA558, a financially motivated threat actor identified in 2018, is targeting several countries but with utmost priority in Latin America.

Over 320 attacks have been observed from this particular threat actor, which involve using various tools and malware and compromising legitimate FTP servers and SMTP Servers.

Among the 320 attacks, 45 of them were targeted on Mexico, 38 over Colombia and 26 over Chile.

- Advertisement - EHA

The sectors of interest seem to be the Industrial sector (22%), Service sector (16%), and Public sector (16%).

In addition, the threat actor has also been using Steganography techniques with images and text files.

TA558 Hackers Compromised 320+ Organizations

The threat actor used the compromised SMTP servers to send phishing emails to victims and also utilized the same SMTP servers for C2 infrastructure. 

Phishing email (Source: Positive Technologies)

Some of the SMTP servers used by this threat actor were found to have public directories that contained Malware logs of Stolen data.

Document
Stop Advanced Phishing Attack With AI

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .

The log files contained combined logs of credentials from well-known browsers, email accounts, and remote access credentials. 

Moreover, these credentials belonged to regular users, public institutions, and various businesses.

In the initial phases of the investigation, researchers discovered an XLAM file in a phishing email from a compromised SMTP server.

When the attachment is opened with Excel, an EXE file named “packedtpodododod.exe” was downloaded from a C2 URL using the Excel macros.

File opened and a GET request is sent (Source: Positive Technologies)

In addition, an RTF file was identified on the same C2 server alongside another EXE file, which is the exploit file for CVE-2017-11882.

When the final EXE file is downloaded and run, the final payload of the relevant malware, say AgentTesla, then uploads exfiltrated data to the C2 via FTP.

VB script file (Source: Positive Technologies)

Further analysis revealed that the threat actor was using multiple malware families such as AgentTesla, Remcos, XWorm, LokiBot, Guloader, Formbook and SnakeKeylogger.

Attack Scenarios

Two attack scenarios were identified by the threat actor. One involves using an Excel document and steganography, and the other involves a Microsoft Word document.

Among these attack scenarios, the attack using an Excel document was the main scenario, which starts with a phishing email sent to the victim from the compromised SMTP server containing a malicious file “Cerere de cotatie.xla”.

When this file is opened, two requests are made to the C2 server for downloading a DOC and an RTF.

Once the RTF file is downloaded, another VBS file is downloaded from a paste[.]ee server.

File from past[.]ee server (Source: Positive Technologies)

Following this, the VBS file proceeds to download and decode two image files that contain a base64 encoded malicious string that points to the next-stage payload.

The VBS file contains a PowerShell script to decode this base64 encoded string and proceeds to download the next-stage payload.

Image with encoded string (Source: Positive Technologies)

Finally, the AgentTesla malware runs on the system which checks the execution environment.

Further, it also checks if the victim’s IP address is real. If these checks are successful, the malware proceeds to steal data from browsers, email clients, and remote access services and uploads it to the C2 server using FTP.

However, the second attack variant involving a Microsoft Word document has a similar methodology, but it does not use steganography techniques using images.

Instead, it directly downloads the AgentTesla malware using the RTF document. 

Other variants of the attacks using Remcos, LokiBot, FormBook, Guloader, Snake Keylogger, and XWorm also use the first attack scenario for downloading and executing the malware on the victim system.

Nevertheless, the C2 and download servers differ for every malware and attack variant.

On further investigation, the FTP servers used by the threat actors belonged to legitimate websites that were also compromised for using them as C2 servers for data exfiltration.

There were also several legitimate companies with thousands of followers on social media.

Compromised website for C2 FTP (Source: Positive Technologies)

Furthermore, the indicators of compromise can be viewed on the research blog published by Positive Technologies.

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Vulnerabilities in IBM Products Let Attackers Exploit & Launch DOS Attack

IBM has issued a security bulletin addressing critical vulnerabilities in its MQ Operator and...

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Researchers Unpacked AvNeutralizer EDR Killer Used By FIN7 Group

FIN7 (aka Carbon Spider, ELBRUS, Sangria Tempest) is a Russian APT group that is...

Lazarus Hackers Attacking Job-Seekers to Deliver Javascript Malware

The Lazarus Group is one of the most notorious hacker groups linked to the...