
TA577 Phishing Campaign Targets NTLM Hashes via ZIP Attachments

Recently, a cybercriminal group identified as TA577 has been using a new approach to conducting attacks. The group has been observed using ZIP archive attachments in their emails to steal NT LAN Manager (NTLM) hashes. This new attack chain aims to gather sensitive information and enable follow-on activity. According to a report by Proofpoint, at least two campaigns utilizing this technique were witnessed on February 26 and 27, 2024. These waves targeted hundreds of organizations across the globe, disseminating thousands of messages.

To increase the success rate of their attacks, the group used a technique called “thread hijacking,” in which the messages appeared to be replies to earlier emails. The emails carried ZIP attachments, each containing an HTML file that connected to an actor-controlled Server Message Block (SMB) server.
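The detection a mail gateway or sandbox would want at this stage is a static one: unpack the ZIP, look inside every HTML member for anything that would make a client reach out to an SMB share, and quarantine the message if the referenced host is not one of ours. The following is an added example written for this post; it is not Proofpoint's code and not a tool used by TA577. It assumes (the post does not say) that the HTML reaches the SMB server through a UNC path or a `file://` URL embedded in the markup; the sample archive, the `.corp.example` internal suffix and the addresses in it are constructed for the example.

```python
import io
import ipaddress
import re
import zipfile

# Assumption (not stated on the page): the HTML file reaches the SMB server through a
# UNC path (\\host\share\...) or a file:// URL embedded in the markup, e.g. in an img src.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9.\-]+)\\[^\s\"'<>]+")
FILE_URL_RE = re.compile(r"file://(?:/)?([A-Za-z0-9.\-]+)/[^\s\"'<>]*", re.IGNORECASE)

# Hosts a legitimate internal document might reference: RFC 1918 ranges plus an
# assumed internal DNS suffix (.corp.example is a placeholder, not a real domain).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIXES = (".corp.example",)


def is_internal_host(host: str) -> bool:
    """True if the host is an RFC 1918 address or carries the internal DNS suffix."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIXES)
    return any(addr in net for net in PRIVATE_NETS)


def find_smb_references(html: str) -> list[str]:
    """Return the distinct hosts referenced by UNC paths or file:// URLs in the markup."""
    hosts = set()
    for pattern in (UNC_RE, FILE_URL_RE):
        for match in pattern.finditer(html):
            hosts.add(match.group(1))
    return sorted(hosts)


def scan_zip_attachment(data: bytes) -> list[dict]:
    """Inspect every HTML member of a ZIP attachment and report SMB-style references."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".html", ".htm")):
                continue
            html = zf.read(info).decode("utf-8", errors="replace")
            for host in find_smb_references(html):
                findings.append({"member": info.filename, "host": host,
                                 "external": not is_internal_host(host)})
    return findings


def external_smb_hosts(data: bytes) -> list[str]:
    """The quarantine condition: any HTML member pointing at a non-internal SMB host."""
    return sorted({f["host"] for f in scan_zip_attachment(data) if f["external"]})


def build_sample_zip() -> bytes:
    """Constructed sample attachment: one HTML member with an external file:// reference
    and an internal UNC link, plus a harmless text member."""
    html = ('<html><body>Please review the attached invoice.'
            '<img src="file://203.0.113.10/share/logo.png">'
            '<a href="\\\\fileserver.corp.example\\docs\\q1.pdf">archive</a>'
            '</body></html>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.html", html)
        zf.writestr("readme.txt", "nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_attachment(build_sample_zip()):
        print(finding)
    print("quarantine:", external_smb_hosts(build_sample_zip()))
```

The internal/external split matters because plain UNC links to the corporate file server are common in legitimate mail; the alert condition is a reference that would carry a workstation's NTLM authentication outside the network, which is exactly what the external `file://` reference in the sample does.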

The ultimate objective of TA577 is to capture NTLMv2 Challenge/Response pairs from the SMB server, which can be used for pass-the-hash (PtH) type attacks. This means that even without the underlying password, adversaries can authenticate a session and gain unauthorized access to valuable data. TA577 is a well-known and sophisticated cybercrime group that has been associated with distributing malware families such as QakBot and PikaBot in the past.

According to Proofpoint, the rate at which TA577 adopts and distributes new tactics, techniques, and procedures (TTPs) suggests that the group has the resources, experience, and time to rapidly iterate and test new delivery methods. The group is also highly adaptive to shifts in the cyber threat landscape, refining its tradecraft and delivery methods to bypass detection and drop various payloads. As a preventive measure, organizations are advised to block outbound SMB traffic to prevent exploitation.
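Blocking outbound SMB at the perimeter is the advised control, but the firewall logs from that rule are also the detection: a workstation that tries to open TCP/445 or TCP/139 to a non-private address has rendered something that pointed it at an external share, whether or not the connection got through. The following is an added example for this post, not Proofpoint's tooling; the log format is invented for the example (it is not any vendor's real format), the sample lines and addresses are constructed, and the triage verdicts are this example's own.

```python
import ipaddress
import re

# Constructed log format for this example (not any vendor's real format):
#   <timestamp> action=<ACCEPT|DROP> src=<ip>:<port> dst=<ip>:<port> proto=<tcp|udp>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)$"
)
SMB_PORTS = {445, 139}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines: one internal file-server session (benign), one workstation
# reaching an external host on 445 and 139, and one attempt that the egress block stopped.
SAMPLE_LOGS = """\
2024-02-26T09:14:02Z action=ACCEPT src=10.1.4.23:51822 dst=10.1.2.5:445 proto=tcp
2024-02-26T09:14:05Z action=ACCEPT src=10.1.4.23:51830 dst=203.0.113.77:445 proto=tcp
2024-02-26T09:14:06Z action=ACCEPT src=10.1.4.23:51831 dst=203.0.113.77:443 proto=tcp
2024-02-26T09:15:11Z action=DROP src=10.1.7.9:49211 dst=198.51.100.8:445 proto=tcp
2024-02-26T09:16:40Z action=ACCEPT src=10.1.4.23:51844 dst=203.0.113.77:139 proto=tcp
"""


def is_private(ip: str) -> bool:
    """RFC 1918 check; TEST-NET addresses used in the sample count as external."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def find_external_smb(lines):
    """TCP flows from an internal source to a non-private destination on an SMB port."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if rec["dport"] in SMB_PORTS and is_private(rec["src"]) and not is_private(rec["dst"]):
            hits.append(rec)
    return hits


def triage(hits):
    """Per (src, dst) pair: an ACCEPTed flow means the NTLM exchange may have completed,
    so the user's credential is treated as exposed; a DROPped flow means the egress block
    held, but the host still rendered something that tried to reach external SMB."""
    verdicts = {}
    for src, dst, action in ((h["src"], h["dst"], h["action"]) for h in hits):
        key = (src, dst)
        if action == "ACCEPT":
            verdicts[key] = "credential-exposure: reset password, hunt for follow-on auth"
        else:
            verdicts.setdefault(key, "blocked: review what the host opened")
    return verdicts


if __name__ == "__main__":
    hits = find_external_smb(SAMPLE_LOGS.splitlines())
    for h in hits:
        print(h["ts"], h["action"], h["src"], "->", f'{h["dst"]}:{h["dport"]}')
    for key, verdict in triage(hits).items():
        print(key, verdict)
```

The internal-to-internal 445 session and the HTTPS flow to the same external host are deliberately left out of the hits: the first is normal file-server traffic, the second is not SMB. The DROP line is the reason to keep logging the block rule after it is in place; it identifies the host that opened the attachment even though no hash left the network.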


Deitasoft © 2024. All Rights Reserved.