The criminal threat group TA551 has added a new tool to its bag of tricks, a move that may hint at ramped-up ransomware attacks ahead, according to researchers. TA551 (aka Shathak) has been mounting cyber attacks that start with email thread hijacking, an increasingly popular tactic in which adversaries insert themselves into existing email conversations.
In one example seen by researchers, the messages carried password-protected Word documents. Once opened with macros enabled, the attachments led to the download of Sliver, an open-source, cross-platform adversary simulation framework.
This marks a significant departure from TA551's previous tactics. Typically, the group's end goal has been to drop an initial-access or banking trojan, which eventually leads to ransomware attacks. Researchers added: “Typically, TA551 use commodity malware like banking trojans. They would compromise victims and broker access to eventually enable the deployment of ransomware. Now with Sliver, they don’t need to rely upon other groups for access – the threat actor is able to break in with much more flexibility, allowing them to push ransomware, steal data or move laterally through the target organisation.”
The move to installing Sliver fits the increasing use of legitimate threat-hunting and defence tools by cyber criminals; researchers noted a 161% increase in threat-actor use of the Cobalt Strike tool between 2019 and 2020.
Researchers said: “Attackers have never had it better. Whether they need phishing toolsets, obfuscation frameworks, initial access tools, command-and-control (C2) infrastructure, credential-abuse tools or even open-source ransomware payloads, nearly all of these tools can be found for free. Most people assume malicious actors are hiding on the Dark Web, selling tools for Bitcoin to only the shadiest of black hats, but this simply isn’t true.”
Sliver is available for free online, and its capabilities include information-gathering, command-and-control (C2) functionality, token manipulation and process injection, among other features.
It appears that threat actors use as many legitimate tools as possible: executing Windows processes such as PowerShell and WMI, injecting malicious code into legitimate binaries, and frequently abusing permitted services such as Dropbox, Google Drive, SendGrid and Constant Contact to host and distribute malware. This maximises their opportunities and their chances of success. More concerning for businesses, TA551 is known for wide-scale, global attacks that cast a big net.
Neuways recommends training your users to spot and report malicious communications received via email. Phishing awareness training features simulated attacks, which can stop many real-world attacks and help identify the people who are most vulnerable. Additionally, ensuring macros are disabled means certain payloads deployed by cyber criminals cannot run at all. Strong email security is also recommended: your email security solution should analyse both external and internal email, since attackers may use compromised accounts to trick users within the same organisation.
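The two traits the report describes in the TA551 lure, a password-protected Word document and a macro payload inside it, are both visible at the container level before anything is opened. The following attachment triage script is an added example written for this page; it is not code from Neuways, the researchers quoted, or the Sliver project. It uses only the Python standard library, and the sample attachments (including the OLE blob, which is a constructed stand-in with real stream names rather than a valid compound file) are built in memory for illustration.

```python
"""Triage email attachments for the traits this report describes:
Office documents carrying VBA macros, and password-protected (encrypted)
Office containers that hide their contents from scanners.
Added example, stdlib only; nothing here executes the attachment."""
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc/.xls compound file header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm) is a zip archive
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm")


def _has_ole_entry(data: bytes, name: str) -> bool:
    # Compound-file directory entries store names as UTF-16LE, so a raw
    # substring search is a cheap heuristic. Real triage would walk the
    # CFB directory with a library such as olefile; this is a first pass.
    return name.encode("utf-16-le") in data


def triage_attachment(name: str, data: bytes) -> dict:
    """Inspect one attachment and return what was found, without opening it."""
    result = {"name": name, "container": "other", "has_macros": False, "encrypted": False}
    if data.startswith(ZIP_MAGIC):
        result["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                parts = [p.lower() for p in z.namelist()]
            # OOXML keeps VBA in a binary part named vbaProject.bin
            result["has_macros"] = any(p.endswith("vbaproject.bin") for p in parts)
        except zipfile.BadZipFile:
            result["container"] = "corrupt-zip"
    elif data.startswith(OLE_MAGIC):
        result["container"] = "ole"
        # A password-protected OOXML file is wrapped in an OLE container
        # holding EncryptionInfo and EncryptedPackage streams.
        result["encrypted"] = _has_ole_entry(data, "EncryptionInfo") or _has_ole_entry(
            data, "EncryptedPackage"
        )
        # Legacy .doc/.xls keep VBA under a "Macros" storage with a _VBA_PROJECT stream.
        result["has_macros"] = _has_ole_entry(data, "Macros") or _has_ole_entry(
            data, "_VBA_PROJECT"
        )
    return result


def assess(name: str, data: bytes) -> dict:
    """Turn triage findings into a verdict a mail gateway could act on."""
    result = triage_attachment(name, data)
    reasons = []
    if result["has_macros"]:
        reasons.append("document carries VBA macros")
    if result["encrypted"]:
        reasons.append("password-protected container; contents cannot be scanned")
    if name.lower().endswith(MACRO_EXTENSIONS):
        reasons.append("macro-enabled file extension")
    result["reasons"] = reasons
    result["verdict"] = "quarantine" if reasons else "allow"
    return result


def _build_ooxml(parts: dict) -> bytes:
    # Constructed sample: a minimal zip with the given parts (no real Word content).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for part_name, payload in parts.items():
            z.writestr(part_name, payload)
    return buf.getvalue()


# Constructed sample attachments (not real malware). The OLE blobs only
# reproduce the header and the directory-entry names the heuristic keys on.
SAMPLES = {
    # benign-looking extension, but the archive still carries a VBA project
    "reply.docx": _build_ooxml({"[Content_Types].xml": b"<Types/>",
                                "word/vbaProject.bin": b"\x00" * 16}),
    "notes.docx": _build_ooxml({"[Content_Types].xml": b"<Types/>",
                                "word/document.xml": b"<w:document/>"}),
    "thread.doc": OLE_MAGIC + b"\x00" * 504
                  + "EncryptionInfo".encode("utf-16-le")
                  + "EncryptedPackage".encode("utf-16-le"),
    "memo.doc": OLE_MAGIC + b"\x00" * 504
                + "Macros".encode("utf-16-le")
                + "_VBA_PROJECT".encode("utf-16-le"),
}


def triage_samples() -> dict:
    """Assess every constructed sample; returns {name: verdict}."""
    return {name: assess(name, data)["verdict"] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = assess(name, data)
        print(f"{name:12} {r['verdict']:10} {'; '.join(r['reasons'])}")
```

The verdicts here are deliberately coarse: a macro-enabled or encrypted Office attachment is quarantined for review rather than delivered, which is the gateway-side counterpart of the macro-disabling and internal-mail-scanning advice above. A gateway that also scans internal mail would run the same check on messages between colleagues, which is where a hijacked thread surfaces.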