After Nation-State Hackers, Cybercriminals Also Add Sliver Pentest Tool to Arsenal

The cybercriminal group tracked as TA551 recently showed a significant change in tactics with the addition of the open-source pentest tool Sliver to its arsenal, according to cybersecurity firm Proofpoint.

Also referred to as Shathak, TA551 is an initial access broker known for the distribution of malware through thread hijacking – a technique where the adversary gains access to compromised email accounts or stolen messages to make contact with its victims.

Previously, the cybercrime group was observed delivering malware such as Emotet, IcedID, Qbot, and Ursnif, as well as providing ransomware operators with access to the compromised systems.

Earlier this week, Proofpoint noticed that the adversary started sending out emails that pretended to be replies to previous conversations and which contained as attachments password-protected, archived Word documents.

These attachments, Proofpoint says, ultimately led to the deployment of the Sliver framework, an open-source red teaming tool for adversary simulation. Developed by offensive security assessment firm Bishop Fox and available for free, the tool provides command and control (C&C) functionality, process injection, information harvesting capabilities, and more.

According to Brad Duncan, security researcher and handler at the SANS Institute’s Internet Storm Center, just as Proofpoint raised the alarm on TA551’s shift in tactics, Sliver-based malware started being delivered as part of a malicious email campaign he has been tracking for months.

Named “Stolen Images Evidence”, the campaign employs emails generated via contact form submissions on various websites, “describing a copyright violation to the intended victim,” Duncan explains. A Google-based URL included in the message body claims to offer proof of stolen images leading to that violation.

A zip archive containing a JavaScript file is delivered to the victim’s web browser; the script in turn fetches malware such as BazarLoader, Gozi/ISFB/Ursnif, and IcedID (Bokbot). Starting Wednesday, October 20, Sliver-based malware has been delivered instead, Duncan says.
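Both delivery chains above can be triaged from the archive's central directory without extracting anything: a password-protected zip still lists its member names, so a defender can flag an encrypted archive that wraps a Word document (the TA551 lure) or any zip that carries a JavaScript file (the "Stolen Images Evidence" lure). The following is an added, stand-alone example and not code from Proofpoint, the ISC or any product; the extension lists and the `build_sample` helper, which fakes the encryption flag on a constructed archive, are assumptions for illustration.

```python
"""Attachment triage for the two archive lures described in the article.
Added example, standard library only. Flags, without extracting:
  - an encrypted archive containing an Office document (TA551 pattern)
  - a zip archive containing a script file ("Stolen Images Evidence")."""
import io
import struct
import zipfile

# Assumed extension lists; extend to match local policy.
OFFICE_EXT = (".doc", ".docx", ".docm")
SCRIPT_EXT = (".js", ".jse")


def triage_zip(data: bytes) -> dict:
    """Inspect one zip attachment's central directory and return findings."""
    findings = {"encrypted_members": [], "office_docs": [], "scripts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            name = zi.filename.lower()
            if zi.flag_bits & 0x1:  # general-purpose bit 0 = member is encrypted
                findings["encrypted_members"].append(zi.filename)
            if name.endswith(OFFICE_EXT):
                findings["office_docs"].append(zi.filename)
            if name.endswith(SCRIPT_EXT):
                findings["scripts"].append(zi.filename)
    # Password-protected Word document, as in the TA551 thread-hijacking emails.
    findings["ta551_pattern"] = bool(findings["encrypted_members"]) and bool(
        findings["office_docs"]
    )
    # Script inside a zip, as in the "Stolen Images Evidence" campaign.
    findings["stolen_images_pattern"] = bool(findings["scripts"])
    return findings


def build_sample(name: str, payload: bytes, encrypted: bool = False) -> bytes:
    """Constructed test archive with a single member (hypothetical helper).
    For the encrypted case the general-purpose flag bit 0 is set in the
    central directory header, so the archive looks password-protected
    without any real cipher being applied."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        cd = data.find(b"PK\x01\x02")  # central directory file header
        flags = struct.unpack_from("<H", data, cd + 8)[0] | 0x1
        struct.pack_into("<H", data, cd + 8, flags)  # flags sit at offset 8
    return bytes(data)
```

Because the check reads only member metadata, it also works on archives whose contents cannot be scanned for lack of the password.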


The adoption of Sliver by cybercriminals comes just a few months after government agencies in the U.S. and the U.K. warned that Russian state-sponsored cyberspy group APT29 (aka the Dukes, Cozy Bear and Yttrium) added the pentest framework to their arsenal.

The move, however, is not surprising: security researchers have long warned that the line between nation-state and cybercriminal activity is blurred, with each side adopting the other’s tactics to better hide its tracks, or engaging in both types of operations.

According to Proofpoint, the use of red teaming tools among cybercriminals is becoming increasingly popular, with Cobalt Strike registering a 161% surge in threat actor use between 2019 and 2020. Cybercriminals are also using offensive frameworks such as Lemon Tree and Veil.

“TA551’s use of Sliver demonstrates considerable actor flexibility. […] With Sliver, TA551 actors can gain direct access and interact with victims immediately, with more direct capabilities for execution, persistence, and lateral movement. This potentially removes the reliance on secondary access,” Proofpoint notes.

Related: US-UK Gov Warning: SolarWinds Attackers Add Open-Source PenTest Tool to Arsenal

Related: Ransomware Attacks Linked to Chinese Cyberspies

Related: Cyberspies Delivered Malware to Gamers via Supply Chain Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.