TA866 is back to sending out email

I spotted this one through Mastodon, and it seems like TA866 uses some infrastructure from other TA numbers, more specifically TA571.

What makes this write-up interesting is that the actors are using OneDrive links to download the MSI files and scripts.

The OneDrive links were embedded in the PDF itself. If the recipient followed the link, they were:

  • Served a JavaScript file hosted on OneDrive.
  • The JavaScript, if run by the user, downloaded and ran an MSI file.
  • The MSI file executed an embedded WasabiSeed VBS script.
  • The WasabiSeed VBS script then downloaded and executed a second MSI file, and continued polling for additional payloads in a loop. The additional payloads are currently unknown.
  • Finally, the second MSI file contained components of the Screenshotter screenshot utility, which took a screenshot of the desktop and sent it to the C2.
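The chain above is visible to a defender as a distinctive parent/child process pattern: a script host running a .js file spawns msiexec.exe, which spawns a script host running a .vbs file, which spawns msiexec.exe again. The following Python is an added example (not code from the original post or from the Proofpoint brief) that walks constructed process-creation telemetry and reports both the full four-stage chain and the earlier "JavaScript spawned msiexec" stage, which fires before Screenshotter ever runs. The log layout, host names, PIDs, paths and the EXAMPLE.invalid URL are all constructed assumptions for illustration.

```python
"""Detect the TA866-style JS -> MSI -> VBS -> MSI chain in process telemetry.

Added example, not from the original post or the Proofpoint brief. The
"ts|host|pid|ppid|image|cmdline" log layout and every value in SAMPLE_LOG are
constructed for illustration and do not come from any real product or incident.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "ts host pid ppid image cmdline")

# Constructed telemetry. WS01 shows the full chain; WS02 shows benign msiexec
# and wscript activity (a normal installer, a login script) that must not match.
SAMPLE_LOG = r"""
2024-01-11T10:02:11|WS01|1200|800|C:\Windows\explorer.exe|explorer.exe
2024-01-11T10:02:15|WS01|1310|1200|C:\Windows\System32\wscript.exe|wscript.exe "C:\Users\alice\Downloads\Document_1.js"
2024-01-11T10:02:17|WS01|1322|1310|C:\Windows\System32\msiexec.exe|msiexec.exe /i https://EXAMPLE.invalid/first.msi /qn
2024-01-11T10:02:20|WS01|1340|1322|C:\Windows\System32\wscript.exe|wscript.exe "C:\Users\alice\AppData\Local\Temp\seed.vbs"
2024-01-11T10:02:25|WS01|1355|1340|C:\Windows\System32\msiexec.exe|msiexec.exe /i C:\Users\alice\AppData\Local\Temp\second.msi /qn
2024-01-11T10:05:00|WS02|2200|2100|C:\Windows\System32\msiexec.exe|msiexec.exe /i C:\Installers\7zip.msi
2024-01-11T10:06:00|WS02|2300|2100|C:\Windows\System32\wscript.exe|wscript.exe C:\Scripts\login.vbs
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def parse_log(text):
    """Turn pipe-separated lines into Event tuples (cmdline may itself contain '|')."""
    events = []
    for line in text.strip().splitlines():
        ts, host, pid, ppid, image, cmdline = line.split("|", 5)
        events.append(Event(ts, host, int(pid), int(ppid), image, cmdline))
    return events


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def runs_script(ev, ext):
    """True if ev is wscript/cscript launching a script with the given extension."""
    if basename(ev.image) not in SCRIPT_HOSTS:
        return False
    return re.search(r"\.%s\b" % ext, ev.cmdline, re.IGNORECASE) is not None


def is_msiexec(ev):
    return basename(ev.image) == "msiexec.exe"


def build_children(events):
    """Map (host, pid) -> list of child events, keyed per host since PIDs repeat across hosts."""
    children = {}
    for e in events:
        children.setdefault((e.host, e.ppid), []).append(e)
    return children


def early_hits(events):
    """Stage-1 detection: a script host running a .js file spawned msiexec.exe.

    This fires on the very first download-and-run step, before WasabiSeed or
    Screenshotter are ever executed. Returns a list of (host, pid) of the JS host.
    """
    children = build_children(events)
    hits = []
    for js in events:
        if runs_script(js, "js") and any(is_msiexec(c) for c in children.get((js.host, js.pid), [])):
            hits.append((js.host, js.pid))
    return hits


def find_chains(events):
    """Full-chain detection: .js host -> msiexec -> .vbs host -> msiexec on one host."""
    children = build_children(events)
    chains = []
    for js in events:
        if not runs_script(js, "js"):
            continue
        for msi1 in children.get((js.host, js.pid), []):
            if not is_msiexec(msi1):
                continue
            for vbs in children.get((msi1.host, msi1.pid), []):
                if not runs_script(vbs, "vbs"):
                    continue
                for msi2 in children.get((vbs.host, vbs.pid), []):
                    if is_msiexec(msi2):
                        chains.append({"host": js.host, "js": js.pid, "msi1": msi1.pid,
                                       "vbs": vbs.pid, "msi2": msi2.pid})
    return chains


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stage-1 hits:", early_hits(evs))
    print("full chains:", find_chains(evs))
```

The two functions are deliberately separate: the full chain is high-confidence but only completes once the second MSI (Screenshotter) is already on the box, whereas a script host spawning msiexec is the earliest point at which this chain can be interrupted, at the cost of needing a benign-software allowlist in a real deployment.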

The good news is that none of this ran by itself: the user had to run each stage. But the subject lines of the emails were your typical convincing ones, such as "invoice" followed by a 10-digit number, or some other similar type of lure.

Under the attribution section, they say that two different groups are behind this, and I suspect that this won't be the last time we see this type of collaboration in reports this year.

For full details, please read Security Brief: TA866 Returns with a Large Email Campaign, and make it a great day!
