Sunday, May 19, 2024

TA558 Hackers Compromised 320+ Organizations’ FTP & SMTP Servers

TA558, a financially motivated threat actor identified in 2018, is targeting several countries but with utmost priority in Latin America.

Over 320 attacks have been observed from this particular threat actor, which involve using various tools and malware and compromising legitimate FTP servers and SMTP Servers.

Among the 320 attacks, 45 of them were targeted on Mexico, 38 over Colombia and 26 over Chile.

The sectors of interest seem to be the Industrial sector (22%), Service sector (16%), and Public sector (16%).

In addition, the threat actor has also been using Steganography techniques with images and text files.

TA558 Hackers Compromised 320+ Organizations

The threat actor used the compromised SMTP servers to send phishing emails to victims and also utilized the same SMTP servers for C2 infrastructure. 

Phishing email (Source: Positive Technologies)

Some of the SMTP servers used by this threat actor were found to have public directories that contained Malware logs of Stolen data.

Stop Advanced Phishing Attack With AI

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .

The log files contained combined logs of credentials from well-known browsers, email accounts, and remote access credentials. 

Moreover, these credentials belonged to regular users, public institutions, and various businesses.

In the initial phases of the investigation, researchers discovered an XLAM file in a phishing email from a compromised SMTP server.

When the attachment is opened with Excel, an EXE file named “packedtpodododod.exe” was downloaded from a C2 URL using the Excel macros.

File opened and a GET request is sent (Source: Positive Technologies)

In addition, an RTF file was identified on the same C2 server alongside another EXE file, which is the exploit file for CVE-2017-11882.

When the final EXE file is downloaded and run, the final payload of the relevant malware, say AgentTesla, then uploads exfiltrated data to the C2 via FTP.

VB script file (Source: Positive Technologies)

Further analysis revealed that the threat actor was using multiple malware families such as AgentTesla, Remcos, XWorm, LokiBot, Guloader, Formbook and SnakeKeylogger.

Attack Scenarios

Two attack scenarios were identified by the threat actor. One involves using an Excel document and steganography, and the other involves a Microsoft Word document.

Among these attack scenarios, the attack using an Excel document was the main scenario, which starts with a phishing email sent to the victim from the compromised SMTP server containing a malicious file “Cerere de cotatie.xla”.

When this file is opened, two requests are made to the C2 server for downloading a DOC and an RTF.

Once the RTF file is downloaded, another VBS file is downloaded from a paste[.]ee server.

File from past[.]ee server (Source: Positive Technologies)

Following this, the VBS file proceeds to download and decode two image files that contain a base64 encoded malicious string that points to the next-stage payload.

The VBS file contains a PowerShell script to decode this base64 encoded string and proceeds to download the next-stage payload.

Image with encoded string (Source: Positive Technologies)

Finally, the AgentTesla malware runs on the system which checks the execution environment.

Further, it also checks if the victim’s IP address is real. If these checks are successful, the malware proceeds to steal data from browsers, email clients, and remote access services and uploads it to the C2 server using FTP.

However, the second attack variant involving a Microsoft Word document has a similar methodology, but it does not use steganography techniques using images.

Instead, it directly downloads the AgentTesla malware using the RTF document. 

Other variants of the attacks using Remcos, LokiBot, FormBook, Guloader, Snake Keylogger, and XWorm also use the first attack scenario for downloading and executing the malware on the victim system.

Nevertheless, the C2 and download servers differ for every malware and attack variant.

On further investigation, the FTP servers used by the threat actors belonged to legitimate websites that were also compromised for using them as C2 servers for data exfiltration.

There were also several legitimate companies with thousands of followers on social media.

Compromised website for C2 FTP (Source: Positive Technologies)

Furthermore, the indicators of compromise can be viewed on the research blog published by Positive Technologies.

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.


Latest articles

Hackers Exploiting Docusign With Phishing Attack To Steal Credentials

Hackers prefer phishing as it exploits human vulnerabilities rather than technical flaws which make...

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles