Researchers at security firm Proofpoint uncovered a sophisticated phishing campaign orchestrated by the notorious threat actor known as TA577. The group has adopted a new tactic involving ZIP archive attachments in phishing emails, with the specific objective of pilfering NT LAN Manager (NTLM) hashes.
The novel attack chain is designed not only for stealing NTLM hashes but also for potentially collecting sensitive information and facilitating subsequent malicious activities. Researchers identified at least two separate campaigns employing this technique on February 26 and 27, 2024. These campaigns targeted hundreds of organizations globally, sending out tens of thousands of deceptive messages.
One notable characteristic of these phishing emails is the use of thread hijacking: the messages appear as replies to previous legitimate email threads. They carry zipped HTML attachments; once the archive is extracted and the HTML file is opened, the malicious code runs. Any permitted connection attempt to the external Server Message Block (SMB) servers could compromise NTLM hashes and expose other critical information, such as computer names, domain names, and usernames, in plaintext.
Notably, TA577 used a specific method to bypass certain security measures. By delivering the malicious HTML within a ZIP archive, the threat actor aimed to create a local file on the victim's host, because sending the file scheme URI directly in the email body no longer works against Outlook mail clients patched since July 2023.
Disabling guest access to SMB servers does not mitigate the technique, the researchers noted, because the file must still attempt to authenticate to the external SMB server to determine its access privileges.
TA577, previously known for its affiliation with the notorious Qbot botnet, has established itself as a significant cybercrime threat actor. Proofpoint links TA577 campaigns to ransomware campaigns, including the notorious Black Basta operation. More recently, TA577 has shown a preference for Pikabot as an initial payload.
Proofpoint researchers have also observed an uptick in multiple threat actors abusing file scheme URIs to direct recipients to external file shares like SMB and WebDAV for malware delivery. To counter such threats, organizations are advised to block outbound SMB traffic to prevent exploitation.
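The two defensive checks the article points at, inspecting zipped HTML attachments for file-scheme or UNC references to external hosts and spotting outbound SMB in egress logs, as an added example written for this page (not Proofpoint's code or any detection from the report). The regex heuristic, the "internal" address ranges, the egress log line format, and every host, address, and file name in the sample data are constructed assumptions; the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for attacker infrastructure and are deliberately not treated as internal.

```python
import io
import ipaddress
import re
import zipfile

# Host part of a file-scheme URI (file://host/..., file:\\host\...) or a bare
# UNC path (\\host\share). Heuristic, assumed for this example.
FILE_REF_RE = re.compile(
    r"(?:file:(?:/{2,}|\\{2,})|(?<![\w\\])\\\\)([A-Za-z0-9.\-]+)",
    re.IGNORECASE,
)

# Ranges treated as internal; anything else is a host the NTLM handshake would
# leave the organisation to reach. Documentation ranges are intentionally absent
# so the constructed sample below counts as external.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
              "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")
]
SMB_PORTS = {445, 139}


def is_external_host(host: str, internal_suffixes: tuple[str, ...] = ()) -> bool:
    """True if an SMB connection to `host` would leave the organisation."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.lower().rstrip(".")
        if "." not in name:  # single-label name: resolved inside the local domain
            return False
        return not any(name.endswith(s) for s in internal_suffixes)
    return not any(ip in net for net in INTERNAL_NETS)


def scan_zip_attachment(zip_bytes: bytes, internal_suffixes: tuple[str, ...] = ()) -> list[dict]:
    """List every file-scheme/UNC host referenced by HTML members of a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".html", ".htm")):
                continue  # only HTML members can carry the file: reference
            text = zf.read(info).decode("utf-8", errors="replace")
            for match in FILE_REF_RE.finditer(text):
                host = match.group(1)
                findings.append({"member": info.filename, "host": host,
                                 "external": is_external_host(host, internal_suffixes)})
    return findings


# Assumed egress log format (constructed): "<ts> <device> src=.. dst=.. dport=.. action=.."
LOG_LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)"
)


def find_outbound_smb(log_lines) -> list[dict]:
    """Return SMB connection attempts to external hosts, whether allowed or denied.

    A DENY still matters: it shows a workstation tried to reach an external share,
    i.e. someone opened a lure, even though the egress block held.
    """
    hits = []
    for line in log_lines:
        m = LOG_LINE_RE.search(line)
        if not m or int(m["dport"]) not in SMB_PORTS:
            continue
        if is_external_host(m["dst"]):
            hits.append({"src": m["src"], "dst": m["dst"],
                         "dport": int(m["dport"]), "action": m["action"]})
    return hits


# ---- constructed sample input; none of this is a real campaign artefact ----
SAMPLE_HTML = """<html><body>
<p>Please review the attached invoice.</p>
<a href="file://203.0.113.10/invoices/inv-2024.txt">Open invoice</a>
<a href="file://fileserver/public/readme.txt">Internal share</a>
<link rel="stylesheet" href="file:///C:/Users/public/style.css">
</body></html>"""


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.html", SAMPLE_HTML)
        zf.writestr("logo.png", b"\x89PNG not a real image")  # non-HTML member is skipped
    return buf.getvalue()


SAMPLE_ZIP = build_sample_zip()

SAMPLE_LOG_LINES = [
    "2024-02-27T10:01:02Z fw1 src=10.1.2.3 dst=203.0.113.10 dport=445 action=ALLOW",
    "2024-02-27T10:01:05Z fw1 src=10.1.2.3 dst=10.1.5.20 dport=445 action=ALLOW",
    "2024-02-27T10:01:07Z fw1 src=10.1.2.3 dst=203.0.113.10 dport=443 action=ALLOW",
    "2024-02-27T10:01:09Z fw1 src=10.1.2.4 dst=198.51.100.7 dport=445 action=DENY",
]

if __name__ == "__main__":
    for finding in scan_zip_attachment(SAMPLE_ZIP):
        print(finding)
    for hit in find_outbound_smb(SAMPLE_LOG_LINES):
        print(hit)
```

Only the first attachment reference is flagged as external; the single-label share name and the local `file:///C:` path are reported but not flagged, which is the distinction an analyst triaging a mail-gateway alert needs. The log check surfaces both the allowed and the denied attempt to reach port 445 outside the internal ranges, while the internal SMB session and the external HTTPS session are ignored.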