NEWS

Proofpoint, a security firm has issued a report detailing a new phishing campaign orchestrated by the threat actor TA577, observed on February 26 and 27, 2024.

This campaign targeted hundreds of organizations worldwide, employing ZIP archive attachments in phishing emails to steal NT LAN Manager (NTLM) hashes. The phishing emails utilized a technique called thread hijacking, appearing as responses to previous communications to increase their success rate. The ZIP attachments contained HTML files designed to contact an actor-controlled Server Message Block (SMB) server. TA577’s objective was to capture NTLMv2 Challenge/Response pairs from this server, allowing them to steal NTLM hashes.

These stolen hashes could then be utilized for pass-the-hash (PtH) type attacks, granting unauthorized access to valuable data within a network. TA577, known for its sophistication and previously linked to malware distribution such as QakBot and PikaBot, demonstrated a rapid adoption of new tactics, techniques, and procedures (TTPs). Proofpoint highlighted the group’s agility in adapting to the evolving cyber threat landscape, continuously refining its tradecraft and delivery methods to bypass detection. The report emphasized the importance for organizations to take proactive measures, recommending the blocking of outbound SMB traffic to prevent exploitation. By denying outbound SMB connections, organizations can mitigate the risk of falling victim to similar attacks.

In summary, the TA577 phishing campaign observed in February 2024 employed ZIP archive attachments to steal NTLM hashes, utilizing thread hijacking techniques to increase effectiveness. The stolen hashes were intended for pass-the-hash attacks, enabling unauthorized access to network data. Proofpoint advised organizations to block outbound SMB traffic to mitigate the risk of exploitation, highlighting TA577’s agility in adopting new TTPs.