The TA551 cybercrime group, which has been active for some time and is known for email-based campaigns that deliver the IcedID trojan and other malware, is now running a new campaign that delivers malicious attachments and eventually leads to the download and installation of an open-source adversary emulation platform that’s used in red team operations.
The group is specifically known for its use of a technique that involves compromising email accounts and then inserting messages into existing email threads, making them look like legitimate replies. Those messages carry malicious attachments that in the past have led to infections by IcedID, and sometimes the Maze or Egregor ransomware. TA551 is known to provide initial access for ransomware groups, but the most recent campaign, which researchers at Proofpoint identified this week, delivers the Sliver red-team tool rather than ransomware.
Sliver is an open-source platform developed by the security firm Bishop Fox for use in red team operations; it supports implants on Windows, Linux, and macOS. In the new campaign, the group is inserting messages into existing email threads that carry password-protected zip archives. Opening the archive yields a Word document containing macros, which prompts the victim to enable macros in order to see the document's full contents. Victims who enable macros trigger the download of Sliver.
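The lure chain above (password-protected zip wrapping a macro-laden Word document) is something a mail gateway can triage before a user ever sees the "enable macros" prompt. The script below is an added example, not code from the article, Proofpoint or Bishop Fox: it inspects a zip attachment, reports whether any entry is encrypted, and checks unencrypted Office members for an embedded VBA project (Office stores macros as `vbaProject.bin` inside the OOXML container). The attachment samples and file names are constructed in memory for illustration; because Python's `zipfile` cannot write encrypted archives, the password-protected sample is produced by setting the zip encryption flag bit by hand, which is enough for readers to report the entry as encrypted.

```python
"""Attachment triage for the lure chain described above (password-protected
zip -> Word document with VBA macros -> payload download).

Added example, not code from Proofpoint, Bishop Fox or the article; the
attachment samples are constructed in memory and the file names are invented.
"""
import io
import zipfile

# Office container extensions worth a second look when they arrive inside a zip.
OFFICE_EXTS = (".doc", ".docm", ".docx", ".dot", ".dotm",
               ".xls", ".xlsm", ".xlsx", ".ppt", ".pptm", ".pptx")
ENCRYPTED_FLAG = 0x1   # general-purpose bit 0 of a zip entry: content is encrypted


def has_vba_project(doc_bytes: bytes) -> bool:
    """True if an OOXML document (docx/docm/xlsm/...) embeds a VBA project.
    Office stores macros as vbaProject.bin under word/, xl/ or ppt/."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as doc:
            return any(n.lower().endswith("vbaproject.bin") for n in doc.namelist())
    except zipfile.BadZipFile:
        # Not an OOXML zip: legacy binary .doc/.xls need an OLE parser
        # (e.g. olevba from oletools), which is out of scope here.
        return False


def triage_archive(archive_bytes: bytes) -> dict:
    """Describe a zip attachment: whether any entry is encrypted, which
    members look like Office documents, and which of those carry macros."""
    report = {"encrypted": False, "office_members": [], "macro_members": []}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & ENCRYPTED_FLAG)
            report["encrypted"] |= encrypted
            if not info.filename.lower().endswith(OFFICE_EXTS):
                continue
            report["office_members"].append(info.filename)
            # An encrypted member cannot be opened without the password the
            # lure supplies in the e-mail body, so only unencrypted ones are inspected.
            if not encrypted and has_vba_project(zf.read(info.filename)):
                report["macro_members"].append(info.filename)
    return report


def risk_label(report: dict) -> str:
    """Turn the report into a verdict a mail gateway could act on."""
    if report["macro_members"]:
        return "high: archive contains a macro-enabled Office document"
    if report["encrypted"] and report["office_members"]:
        return "medium: password-protected archive wraps an Office document (not inspected)"
    if report["office_members"]:
        return "low: Office document without a VBA project"
    return "info: no Office documents in archive"


# ---- constructed samples ------------------------------------------------

def build_docx(with_macros: bool) -> bytes:
    """Minimal stand-in for a Word OOXML file; the vbaProject.bin content is a stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as doc:
        doc.writestr("[Content_Types].xml", "<Types/>")
        doc.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            doc.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed stub")
    return buf.getvalue()


def build_zip(member_name: str, payload: bytes, mark_encrypted: bool = False) -> bytes:
    """Wrap payload in a one-entry zip. zipfile cannot write encrypted archives,
    so for the password-protected sample the encryption flag is set by hand in
    the local header (offset 6) and the central directory entry (offset 8);
    readers then report the entry as encrypted, as with a real protected zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        assert data[:4] == b"PK\x03\x04"         # first local file header sits at offset 0
        data[6] |= ENCRYPTED_FLAG
        cd = data.rfind(b"PK\x01\x02")           # last central-directory header is the outer one
        data[cd + 8] |= ENCRYPTED_FLAG
    return bytes(data)


if __name__ == "__main__":
    for name, sample in [
        ("plain macro doc", build_zip("request_reply.docm", build_docx(True))),
        ("password-protected", build_zip("request_reply.docm", build_docx(True), mark_encrypted=True)),
        ("benign", build_zip("minutes.docx", build_docx(False))),
    ]:
        print(f"{name:20s} -> {risk_label(triage_archive(sample))}")
```

The "medium" verdict is the interesting one: a password-protected archive cannot be scanned for macros at the gateway, which is exactly why the lure uses one, so the policy decision is whether an encrypted zip that wraps an Office document from an external sender should be quarantined on that basis alone.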
“TA551’s use of SLIVER demonstrates considerable actor flexibility. As an established initial access broker leveraging initial access via email threat campaigns, TA551 would compromise a victim and potentially broker access to enable the deployment of Cobalt Strike and eventually ransomware,” the Proofpoint researchers said.
“With SLIVER, TA551 actors can gain direct access and interact with victims immediately, with more direct capabilities for execution, persistence, and lateral movement. This potentially removes the reliance on secondary access.”
It’s not unusual for attackers to use legitimate security tools in their operations, and it has become more and more common in the ransomware era. Many ransomware actors use the Cobalt Strike platform as part of their intrusion and exploitation operations, and other red team tools have been seen in intrusions, as well. Many of those tools are freely available and have extensive documentation and support, making them attractive options for attackers.
Though this new campaign by TA551 has not been connected with ransomware yet, that could be in the cards soon.
“The new activity demonstrates a significant departure from the previously observed activity from this group. Proofpoint assesses with high confidence the new activity could lead to ransomware infections,” the researchers said.