Threat Actor TA577/Storm-0464

TA577 (Proofpoint) / Storm-0464 (Microsoft) is a prominent cybercrime threat actor that operates as an affiliate.

Role In RaaS economy: Initial access provider

Targets: Americas and Europe

Loaders used for initial access:

  1. Qakbot: One of the primary payloads used by the group. It’s used to deploy ransomware.
  2. SquirrelWaffle Loader: Another payload distributed by the group, which is also used by attackers to deploy ransomware.
  3. Pikabot: In February 2023, they started distributing Pikabot.
  4. DarkGate: After the takedown of Qakbot, in September 2023 they started using DarkGate in their initial access campaigns.
  5. IcedID: Along with DarkGate, they also started using IcedID in their initial access campaigns in September 2023.
  6. Additionally, the group has deployed payloads such as SystemBC, SmokeLoader, Ursnif, and Cobalt Strike.

Ransomware Deployment/Infections by the group

  1. Storm-0506, which deploys Black Basta (previously Storm-0506 deployed Conti).
  2. Sodinokibi

Recent Activity

  • In February 2023, the group started distributing Pikabot.
  • In September 2023, they began leveraging DarkGate and IcedID in their initial access campaigns.
  • On January 25, 2024, they started distributing a new version of Qakbot through a phishing email campaign.
  • On September 28, 2023, they shifted to distributing DarkGate malware after the takedown of Qakbot’s infrastructure.
  • In 2020, they leveraged Qakbot infections leading to ransomware deployment by various groups.

Latest activity

Attack Chain and Objective as observed in recent activity by Proofpoint:

  • Proofpoint identified TA577 using a new attack chain to achieve an uncommonly observed objective: stealing NT LAN Manager (NTLM) authentication information.
  • This activity allows the threat actor to gather sensitive information and potentially enable follow-on attacks.
  • At least two campaigns leveraging this technique were observed, targeting hundreds of organizations globally.
  • The attack involved sending messages as replies to previous emails (known as thread hijacking) and containing zipped HTML attachments.
  • When recipients opened these attachments, they triggered a system connection attempt to an external Server Message Block (SMB) server owned by the threat actor.
  • The goal was to capture NTLMv2 Challenge/Response pairs from the SMB server to steal NTLM hashes.
  • These stolen hashes could be exploited for password cracking or used in “Pass-The-Hash” attacks within the targeted organization.
  • The use of the open-source toolkit Impacket on the SMB server was identified, indicating the threat actor’s intentions.
  • Disabling guest access to SMB does not mitigate the attack, because the client must first attempt to authenticate to the external SMB server before it can determine whether guest access should be used.
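Because the technique depends on a workstation reaching an attacker-controlled SMB server on the internet, the practical control is to block outbound SMB (TCP 445 and 139) at the perimeter and to alert on any internal host that attempts it. The script below is an added illustration of that detection, not code from Proofpoint or from the original page: it parses a constructed, simplified firewall log format (the field names `src`, `dst`, `dpt`, `action` and the sample addresses are assumptions made for the example), keeps only SMB flows from internal RFC1918 ranges to any other address, and groups the hits by external destination so one server contacted by several hosts stands out. Denied attempts are kept as well, since a blocked connection still shows that the lure was opened on that host.

```python
import ipaddress
import re

# Constructed sample firewall log (not from the original page or any real
# network). Lines 2, 3, 4 and 6 are outbound SMB attempts to public addresses,
# the pattern described in the report; the others are benign traffic.
SAMPLE_LOG = """\
2024-02-27T09:14:02Z action=allow proto=tcp src=10.20.5.17 spt=49812 dst=10.20.5.4 dpt=445
2024-02-27T09:14:05Z action=allow proto=tcp src=10.20.5.17 spt=49813 dst=203.0.113.45 dpt=445
2024-02-27T09:14:06Z action=allow proto=tcp src=10.20.5.17 spt=49814 dst=203.0.113.45 dpt=445
2024-02-27T09:15:11Z action=allow proto=tcp src=192.168.3.9 spt=51002 dst=198.51.100.7 dpt=139
2024-02-27T09:16:40Z action=allow proto=tcp src=192.168.3.9 spt=51003 dst=192.168.3.1 dpt=445
2024-02-27T09:17:00Z action=deny proto=tcp src=10.20.7.2 spt=52000 dst=203.0.113.45 dpt=445
2024-02-27T09:18:21Z action=allow proto=tcp src=10.20.5.17 spt=49900 dst=93.184.216.34 dpt=443
"""

# SMB over TCP (445) and NetBIOS session service (139), which SMB can also ride on.
SMB_PORTS = {445, 139}

# The organisation's internal address space. Anything outside these ranges is
# treated as external, which is what matters for this detection.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Assumed log layout: key=value fields after an ISO-8601 timestamp.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+)\s+spt=\d+\s+dst=(?P<dst>[\d.]+)\s+dpt=(?P<dpt>\d+)"
)


def is_internal(ip_text):
    """True when the address falls inside one of the configured internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def find_outbound_smb(log_text):
    """Return one record per line that is an SMB flow from an internal host to an external address.

    Lines that do not match the expected layout are skipped rather than raising.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["proto"] != "tcp" or int(m["dpt"]) not in SMB_PORTS:
            continue
        # Internal source talking to a non-internal destination is the signal.
        if not is_internal(m["src"]) or is_internal(m["dst"]):
            continue
        hits.append(
            {
                "ts": m["ts"],
                "action": m["action"],
                "src": m["src"],
                "dst": m["dst"],
                "dpt": int(m["dpt"]),
            }
        )
    return hits


def summarize(hits):
    """Group hits by external destination -> sorted list of internal hosts that reached for it."""
    by_dst = {}
    for h in hits:
        by_dst.setdefault(h["dst"], set()).add(h["src"])
    return {dst: sorted(srcs) for dst, srcs in by_dst.items()}


if __name__ == "__main__":
    found = find_outbound_smb(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['action']:5} {h['src']} -> {h['dst']}:{h['dpt']}")
    for dst, srcs in summarize(found).items():
        print(f"external SMB server {dst} contacted by {len(srcs)} internal host(s): {', '.join(srcs)}")
```

In a real deployment the same logic would run over the firewall or proxy export and feed the grouped summary into an alert; every host in the list has opened something that tried to authenticate outward, so each one is a candidate for credential rotation regardless of whether the connection was allowed.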
