Proofpoint, a security firm, has issued a report detailing a new phishing campaign orchestrated by the threat actor TA577, observed on February 26 and 27, 2024. This campaign targeted hundreds of organizations worldwide, using ZIP archive attachments in phishing emails to steal NT LAN Manager (NTLM) hashes. The phishing emails used a technique called thread hijacking, appearing as replies to previous communications to increase their success rate. The ZIP attachments contained HTML files designed to contact an actor-controlled Server Message Block (SMB) server. TA577's objective was to capture the NTLMv2 Challenge/Response pairs arriving at this server, allowing them to steal NTLM hashes.

These stolen hashes could then be used for pass-the-hash (PtH) type attacks, granting unauthorized access to valuable data within a network. TA577, known for its sophistication and previously linked to malware distribution such as QakBot and PikaBot, demonstrated a rapid adoption of new tactics, techniques, and procedures (TTPs). Proofpoint highlighted the group's agility in adapting to the evolving cyber threat landscape, continuously refining its tradecraft and delivery methods to bypass detection.

The report emphasized the importance of organizations taking proactive measures, recommending that outbound SMB traffic be blocked to prevent exploitation. By denying outbound SMB connections, organizations can mitigate the risk of falling victim to similar attacks.
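As an added illustration of the mitigation the report recommends (this is example code written for this summary, not Proofpoint's or part of the report), the following Python scans egress firewall logs for SMB connections from internal hosts to external addresses: an allowed hit means the outbound SMB block is not in place, a denied hit points at a host that may have opened a lure. The log line format, the RFC 1918 internal ranges and the sample lines are assumptions constructed for the example.

```python
"""Flag outbound SMB connections in egress logs (constructed sample data)."""
import ipaddress
import re
from dataclasses import dataclass

# Ports used by SMB: 445 (direct-hosted SMB) and 139 (NetBIOS session service).
SMB_PORTS = {445, 139}

# Internal address space; RFC 1918 is assumed here, adjust to your environment.
# Listed explicitly rather than via ip_address().is_private, which also treats
# documentation ranges such as 203.0.113.0/24 as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed log format: "<ts> src=<ip> dst=<ip> proto=<proto> dport=<n> action=<allow|deny>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

@dataclass
class SmbEgress:
    ts: str
    src: str
    dst: str
    dport: int
    action: str

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_smb_egress(lines):
    """Return SMB connections from internal hosts to external destinations."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line; in production, count these too
        dport = int(m["dport"])
        if m["proto"].lower() != "tcp" or dport not in SMB_PORTS:
            continue
        if is_internal(m["src"]) and not is_internal(m["dst"]):
            hits.append(SmbEgress(m["ts"], m["src"], m["dst"], dport, m["action"]))
    return hits

# Constructed sample: internal file-server traffic, HTTPS, and two SMB egress attempts.
SAMPLE_LOG = [
    "2024-02-27T10:15:03Z src=10.1.2.34 dst=10.1.0.5 proto=tcp dport=445 action=allow",
    "2024-02-27T10:15:09Z src=10.1.2.34 dst=203.0.113.45 proto=tcp dport=443 action=allow",
    "2024-02-27T10:15:11Z src=10.1.2.34 dst=203.0.113.45 proto=tcp dport=445 action=allow",
    "2024-02-27T10:16:40Z src=192.168.7.21 dst=198.51.100.9 proto=tcp dport=445 action=deny",
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    for hit in find_smb_egress(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src} -> {hit.dst}:{hit.dport} ({hit.action})")
```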