TA866: A Financially Motivated Group with a Custom Toolset
Category: Threat Actor Activity | Industry: Global | Level: Tactical | Source: Proofpoint
Proofpoint is tracking a cluster of financially motivated threat activity, targeting organizations in the United States and Germany, as the threat actor TA866. Proofpoint researchers report that the actor has been active since October 2022 and uses phishing emails to distribute information-stealing malware. TA866's email volume grew steadily, from one to two emails on a given day to tens of thousands by late January 2023. Proofpoint characterizes TA866 as an organized and sophisticated actor capable of performing "well thought-out attacks at scale based on their availability of custom tools; ability and connections to purchase tools and services from other vendors; and increasing activity volumes." TA866's toolset consists of AHK Bot, which downloads AutoHotKey scripts; WasabiSeed, a malware downloader and installer; Screenshotter, a screenshot tool; and Rhadamanthys, information-stealing malware. The threat actors periodically check WasabiSeed to evaluate the value of the target, which determines the next steps, such as using Screenshotter to capture more screenshots and/or executing AHK Bot to proceed to the next phase of the attack. Comments and variable names in the tools deployed by TA866 are written in Russian.
Anvilogic Use Cases:
- Malicious Software Download via MSI/JS
- Wscript/Cscript Execution
- MSIExec Install MSI File
- Suspicious process Spawned by Java
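To show what the three process-level use cases above look like as detection logic, here is an added example (not code from Proofpoint or Anvilogic) that runs simple rules over constructed process-creation events. The event fields (`parent_image`, `image`, `command_line`), the sample events and the list of child processes treated as suspicious under Java are assumptions chosen for illustration, not values from the report.

```python
"""Toy detections for the three process-creation use cases listed above.

Events are modelled as a small dataclass; in practice they would come from
Sysmon Event ID 1 or Windows Security 4688. All sample data is constructed.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str   # full path of the parent process (assumed field)
    image: str          # full path of the new process (assumed field)
    command_line: str   # full command line of the new process (assumed field)


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JAVA_PARENTS = {"java.exe", "javaw.exe"}
# Children that a Java process rarely launches in a healthy environment (assumed list)
SUSPICIOUS_JAVA_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "msiexec.exe", "rundll32.exe", "mshta.exe",
}
# msiexec install switches (/i or /package) and an MSI source that is a URL or .msi file
MSI_INSTALL_RE = re.compile(r"(?i)(?:^|\s)/(?:i|package)\b")
MSI_SOURCE_RE = re.compile(r"(?i)https?://|\.msi\b")


def basename(path: str) -> str:
    # ntpath handles Windows backslash paths on any platform
    return ntpath.basename(path).lower()


def rule_script_host(ev: ProcEvent) -> Optional[str]:
    """Wscript/Cscript Execution: the new process is a Windows Script Host binary."""
    return "Wscript/Cscript Execution" if basename(ev.image) in SCRIPT_HOSTS else None


def rule_msiexec_install(ev: ProcEvent) -> Optional[str]:
    """MSIExec Install MSI File: msiexec invoked with an install switch and an MSI source."""
    if basename(ev.image) != "msiexec.exe":
        return None
    if MSI_INSTALL_RE.search(ev.command_line) and MSI_SOURCE_RE.search(ev.command_line):
        return "MSIExec Install MSI File"
    return None


def rule_java_child(ev: ProcEvent) -> Optional[str]:
    """Suspicious process Spawned by Java: a Java runtime starts a scripting/LOLBin child."""
    if basename(ev.parent_image) in JAVA_PARENTS and basename(ev.image) in SUSPICIOUS_JAVA_CHILDREN:
        return "Suspicious process Spawned by Java"
    return None


RULES = (rule_script_host, rule_msiexec_install, rule_java_child)


def detect(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Return (host, rule name, command line) for every rule that fires on every event."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append((ev.host, hit, ev.command_line))
    return alerts


# Constructed sample events: three should alert, three should not.
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\user\AppData\Local\Temp\invoice.js"'),
    ProcEvent("ws01", r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /i http://example.invalid/setup.msi /qn"),
    ProcEvent("ws02", r"C:\Program Files\Java\bin\java.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c whoami"),
    ProcEvent("ws03", r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /x {PLACEHOLDER-PRODUCT-CODE}"),       # uninstall, not an install
    ProcEvent("ws02", r"C:\Program Files\Java\bin\javaw.exe", r"C:\Program Files\Chrome\chrome.exe",
              "chrome.exe https://example.invalid/"),               # benign Java child
    ProcEvent("ws04", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
              "svchost.exe -k netsvcs"),
]


def run_sample() -> List[Tuple[str, str, str]]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for host, rule, cmd in run_sample():
        print(f"{host}: {rule}: {cmd}")
```

The rules are deliberately narrow: the msiexec rule keys on an install switch plus a URL or `.msi` source so that routine uninstalls and repairs do not fire, and the Java rule only alerts on a fixed set of child images, which is the kind of allow/deny tuning each environment has to do before a use case like this goes into production.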