Saturday, December 14, 2024

TA558 Hackers Compromised 320+ Organizations’ FTP & SMTP Servers


TA558, a financially motivated threat actor identified in 2018, is targeting several countries but with utmost priority in Latin America.

Over 320 attacks have been observed from this threat actor, involving a range of tools and malware families and the compromise of legitimate FTP and SMTP servers.

Of these 320 attacks, 45 targeted Mexico, 38 Colombia, and 26 Chile.


The sectors of interest seem to be the Industrial sector (22%), Service sector (16%), and Public sector (16%).

In addition, the threat actor has been using steganography techniques with image and text files.

TA558 Hackers Compromised 320+ Organizations

The threat actor used the compromised SMTP servers to send phishing emails to victims and also reused the same servers as C2 infrastructure.

Phishing email (Source: Positive Technologies)

Some of the SMTP servers used by this threat actor were found to have public directories containing malware logs of stolen data.


The log files contained combined logs of credentials from well-known browsers, email accounts, and remote access services.

Moreover, these credentials belonged to regular users, public institutions, and various businesses.

In the initial phases of the investigation, researchers discovered an XLAM file in a phishing email from a compromised SMTP server.

When the attachment is opened in Excel, its macros download an EXE file named “packedtpodododod.exe” from a C2 URL.

File opened and a GET request is sent (Source: Positive Technologies)

In addition, an RTF file was identified on the same C2 server alongside another EXE file, which is the exploit file for CVE-2017-11882.

Once the final EXE file is downloaded and run, the malware payload (AgentTesla, for example) uploads the exfiltrated data to the C2 server via FTP.

VB script file (Source: Positive Technologies)

Further analysis revealed that the threat actor was using multiple malware families, including AgentTesla, Remcos, XWorm, LokiBot, Guloader, Formbook, and SnakeKeylogger.

Attack Scenarios

Two attack scenarios used by the threat actor were identified. One involves an Excel document and steganography; the other involves a Microsoft Word document.

Of the two, the Excel-based attack was the main scenario. It starts with a phishing email sent to the victim from a compromised SMTP server, carrying a malicious file named “Cerere de cotatie.xla”.

When this file is opened, two requests are made to the C2 server for downloading a DOC and an RTF.

Once the RTF file is downloaded, a VBS file is then downloaded from a paste[.]ee server.

File from paste[.]ee server (Source: Positive Technologies)

Following this, the VBS file downloads two image files, each containing a base64-encoded malicious string that points to the next-stage payload.

The VBS file contains a PowerShell script that decodes this base64 string and then downloads the next-stage payload.
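The stage above hides a base64-encoded pointer inside an image file. The following is an added triage helper, not code from the article or from Positive Technologies, that scans an image blob for long base64 runs, decodes each one, and labels what it carried (a URL, a PE header, text, or binary). The sample image layout (a JPEG-like prefix, an end-of-image marker, and the base64 string appended after it) and the defanged URL it carries are constructed for the example; the article only states that the images contain a base64-encoded string.

```python
import base64
import re

# Runs of base64 alphabet at least 40 characters long; shorter runs match too
# often inside ordinary compressed image data to be useful.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")

# JPEG end-of-image marker; payloads appended after it do not affect rendering.
_JPEG_EOI = b"\xff\xd9"

# Constructed sample image (assumed layout, not from the article): a minimal
# JPEG-like header, a zero-filled body, the EOI marker, and then a base64
# string bracketed by markers. The URL is a defanged placeholder.
_SAMPLE_URL = b"hxxp://c2.example.invalid/next-stage.bin"
SAMPLE_IMAGE = (
    b"\xff\xd8\xff\xe0" + b"\x00" * 64 + _JPEG_EOI
    + b"<<BASE64_START>>" + base64.b64encode(_SAMPLE_URL) + b"<<BASE64_END>>"
)


def find_base64_runs(data: bytes):
    """Return every candidate base64 run found in the byte blob."""
    return [m.group(0) for m in _B64_RUN.finditer(data)]


def classify_decoded(blob: bytes) -> str:
    """Label decoded content so an analyst sees what the image was carrying."""
    if blob.startswith(b"MZ"):
        return "pe-executable"
    if re.match(rb"^(hxxp|http|ftp)s?://", blob, re.IGNORECASE):
        return "url"
    try:
        blob.decode("ascii")
        return "text"
    except UnicodeDecodeError:
        return "binary"


def triage_image(data: bytes):
    """Locate and decode embedded base64 runs; report offset, kind and preview."""
    eoi = data.rfind(_JPEG_EOI)
    findings = []
    for run in find_base64_runs(data):
        try:
            decoded = base64.b64decode(run, validate=True)
        except (ValueError, base64.binascii.Error):
            # Not a clean base64 blob (wrong length or padding); skip it.
            continue
        offset = data.find(run)
        findings.append({
            "offset": offset,
            "length": len(run),
            "after_eoi": eoi != -1 and offset > eoi,
            "kind": classify_decoded(decoded),
            "preview": decoded[:80],
        })
    return findings


if __name__ == "__main__":
    for f in triage_image(SAMPLE_IMAGE):
        print(f)
```

A hit whose `after_eoi` flag is set is the strongest signal: legitimate JPEGs carry nothing after the end-of-image marker, so a decodable base64 run there is worth pulling into analysis regardless of what it decodes to.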

Image with encoded string (Source: Positive Technologies)

Finally, the AgentTesla malware runs on the system and checks its execution environment.

Further, it also checks if the victim’s IP address is real. If these checks are successful, the malware proceeds to steal data from browsers, email clients, and remote access services and uploads it to the C2 server using FTP.

The second attack variant, which involves a Microsoft Word document, follows a similar methodology but does not use image-based steganography.

Instead, it downloads the AgentTesla malware directly via the RTF document.

Other variants of the attacks using Remcos, LokiBot, FormBook, Guloader, Snake Keylogger, and XWorm also use the first attack scenario for downloading and executing the malware on the victim system.

However, the C2 and download servers differ for each malware family and attack variant.
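The chain described above (an Office document fetching further stages, a script fetching from a paste site, PowerShell fetching image files, and finally an FTP upload) gives a defender several observable hops. The following is an added detection example, not code from the article or from Positive Technologies: it parses constructed network-event lines, tags each one with the stage it resembles, and reports hosts on which every stage appeared. The log format, host and process names, domains, and the allowlists of browsers and FTP clients are all assumptions for the example; which process performs each download in the real chain is not stated in the article.

```python
import re
from collections import namedtuple

# Constructed log format (assumed): one outbound network event per line.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) proto=(?P<proto>\S+) "
    r"dst=(?P<dst>\S+) path=(?P<path>\S*)$"
)
Event = namedtuple("Event", "ts host proc proto dst path")

# Assumed environment allowlists; tune these to the fleet being monitored.
OFFICE_PROCS = {"excel.exe", "winword.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_PROCS = {"wscript.exe", "cscript.exe", "powershell.exe"}
FTP_CLIENTS = {"filezilla.exe", "winscp.exe"}
PASTE_SITES = {"paste.ee"}
STAGE_EXT = (".doc", ".rtf", ".xla", ".xlam", ".exe", ".vbs")
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".txt")

CHAIN = (
    "office-fetches-stage",
    "non-browser-paste-fetch",
    "script-fetches-image",
    "ftp-from-non-client",
)

# Constructed sample events: ws01 shows the whole chain, ws02 only benign traffic.
SAMPLE_LOG = """\
2024-12-14T09:00:01Z host=ws01 proc=excel.exe proto=http dst=c2.example.invalid path=/q/quote.doc
2024-12-14T09:00:02Z host=ws01 proc=excel.exe proto=http dst=c2.example.invalid path=/q/quote.rtf
2024-12-14T09:00:05Z host=ws01 proc=wscript.exe proto=https dst=paste.ee path=/r/abcd
2024-12-14T09:00:09Z host=ws01 proc=powershell.exe proto=http dst=img.example.invalid path=/a/photo1.jpg
2024-12-14T09:00:10Z host=ws01 proc=powershell.exe proto=http dst=img.example.invalid path=/a/photo2.jpg
2024-12-14T09:01:30Z host=ws01 proc=stage2.exe proto=ftp dst=ftp.site.invalid path=/uploads
2024-12-14T09:02:00Z host=ws02 proc=chrome.exe proto=https dst=paste.ee path=/r/xyz
2024-12-14T09:02:10Z host=ws02 proc=filezilla.exe proto=ftp dst=files.example.invalid path=/
2024-12-14T09:02:20Z host=ws02 proc=chrome.exe proto=https dst=cdn.example.invalid path=/logo.png
""".splitlines()


def parse(line):
    m = LOG_LINE.match(line)
    return Event(**m.groupdict()) if m else None


def classify(ev):
    """Map one event to the chain stage it resembles, or None if benign."""
    proc, path, dst = ev.proc.lower(), ev.path.lower(), ev.dst.lower()
    if proc in OFFICE_PROCS and ev.proto in ("http", "https") and path.endswith(STAGE_EXT):
        return "office-fetches-stage"
    if dst in PASTE_SITES and proc not in BROWSERS:
        return "non-browser-paste-fetch"
    if proc in SCRIPT_PROCS and path.endswith(IMAGE_EXT):
        return "script-fetches-image"
    if ev.proto == "ftp" and proc not in FTP_CLIENTS:
        return "ftp-from-non-client"
    return None


def detect(lines):
    """Return (timestamp, host, stage) for every line matching a chain stage."""
    hits = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        tag = classify(ev)
        if tag:
            hits.append((ev.ts, ev.host, tag))
    return hits


def hosts_with_full_chain(hits, required=CHAIN):
    """Hosts on which every required stage was observed."""
    seen = {}
    for _, host, tag in hits:
        seen.setdefault(host, set()).add(tag)
    return sorted(h for h, tags in seen.items() if set(required) <= tags)


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("full chain on:", hosts_with_full_chain(hits))
```

Each single rule will produce some noise on its own (an Office process fetching a document is not unusual), which is why the hosts are ranked by how many distinct stages they exhibit rather than by individual hits.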

On further investigation, the FTP servers used by the threat actor turned out to belong to legitimate websites that had themselves been compromised and repurposed as C2 servers for data exfiltration.

Among them were several legitimate companies with thousands of followers on social media.

Compromised website for C2 FTP (Source: Positive Technologies)

The indicators of compromise can be viewed in the research blog published by Positive Technologies.

Eswar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience in cyber security, he covers cyber security news, technology, and other news.
