TA422, identified as a Russian advanced persistent threat (APT) group, has been employing a consistent exploitation strategy since March 2023. This group, also known by aliases such as APT28, Fancy Bear, and others, targets a variety of organizations in Europe and North America. Their primary method involves exploiting patched vulnerabilities, particularly targeting sectors like government, aerospace, education, finance, manufacturing, and technology.
Use of CVE-2023-23397: One of their key strategies involves exploiting CVE-2023-23397, a Microsoft Outlook elevation of privilege flaw. Exploitation uses a crafted TNEF file to trigger an NTLM negotiation, from which the threat actor obtains a hash of the target's NTLM password. Proofpoint researchers noticed that TA422 targeted higher education, government, manufacturing, and aerospace technology entities, sending over 10,000 emails in high-volume campaigns. This exploit was also used to target Ukrainian entities as early as April 2022.
Exploiting CVE-2023-38831: Another significant vulnerability exploited by TA422 is CVE-2023-38831, a WinRAR remote code execution flaw. The group conducted phishing campaigns using this vulnerability, often using geopolitical events like the BRICS Summit and European Parliament meetings as lures. The emails contained RAR file attachments that exploited this vulnerability to drop a .cmd file, initiating communication with a Responder listener server.
Using Mockbin for Redirection: TA422 also utilized Mockbin, a third-party service, for URL redirection in their phishing campaigns. This method was particularly used to target users in government and defense sectors. The Mockbin URLs were designed to deliver a payload after a series of browser fingerprinting checks. If these checks were passed, the victim was directed to download a ZIP file containing malicious content. In one campaign, they spoofed Microsoft, using a Windows update lure to entice victims.
Strategic Approach and Continued Exploitation of Vulnerabilities: Despite these vulnerabilities being patched, TA422 continues to leverage them, likely in the hope that some targets have not yet applied these patches. This approach highlights the group's reliance on exploiting known flaws to gain initial access to target systems. The group's tactics demonstrate a persistent and methodical approach to cyber espionage and malware distribution.
TA422's activities exemplify the persistent and evolving nature of cyber threats, especially from state-aligned groups, and underscore the importance of prompt patching of known vulnerabilities to prevent exploitation.
IoC
HOSTNAME
- opendocument.infinityfreeapp.com
- opendoc.infinityfreeapp.com
- downloadingf.infinityfreeapp.com
- downloaddoc.infinityfreeapp.com
DOMAIN
- webhook.site
IPv4
- 89.96.196.150
- 50.173.136.70
SHA256
- ed56740c66609d2bbd39dc60cf29ee47743344a9a6861bee7c08ccfb27376506
- ec64b05307ad52f44fc0bfed6e1ae9a2dc2d093a42a8347f069f3955ce5aaa89
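The indicators above are only useful once they are run against telemetry. The following is an added example (not code from the original post or from Proofpoint) that loads the post's hostnames, domain, IPv4 addresses and SHA256 hashes and scans constructed DNS, proxy, firewall and EDR log lines for them. The log formats, the host names (WS-0422), the internal addresses and the file path are all constructed for the example. One heuristic goes beyond the IoC list and is an assumption: because the Outlook and WinRAR chains end in an NTLM negotiation with an attacker's listener, the scanner also flags outbound SMB (TCP 445) to any public address, which the post does not state explicitly.

```python
"""IoC matcher over constructed sample logs (added example, not from the original post)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicators copied from the post's IoC section.
IOC_HOSTNAMES = {
    "opendocument.infinityfreeapp.com",
    "opendoc.infinityfreeapp.com",
    "downloadingf.infinityfreeapp.com",
    "downloaddoc.infinityfreeapp.com",
}
IOC_DOMAINS = {"webhook.site"}          # matches the apex and any subdomain
IOC_IPV4 = {"89.96.196.150", "50.173.136.70"}
IOC_SHA256 = {
    "ed56740c66609d2bbd39dc60cf29ee47743344a9a6861bee7c08ccfb27376506",
    "ec64b05307ad52f44fc0bfed6e1ae9a2dc2d093a42a8347f069f3955ce5aaa89",
}


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str   # "hostname", "domain", "ipv4", "sha256" or "outbound_smb"
    value: str


# Token extractors; they deliberately over-match and the IoC sets decide.
_HOST_RE = re.compile(r"(?<![\w.-])([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?![\w-])", re.I)
_IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
_SHA256_RE = re.compile(r"(?<![0-9a-f])([0-9a-f]{64})(?![0-9a-f])", re.I)
# Assumption (constructed firewall format): "dst=<ip>:<port>". Port 445 is the
# outbound-SMB heuristic described in the lead-in, not an indicator from the post.
_DST_SMB_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3}):445\b")


def _domain_kind(host: str) -> Optional[str]:
    """Exact hostname match, or apex/subdomain match against the IoC domains."""
    host = host.lower().rstrip(".")
    if host in IOC_HOSTNAMES:
        return "hostname"
    for apex in IOC_DOMAINS:
        if host == apex or host.endswith("." + apex):
            return "domain"
    return None


def _is_public(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def scan_line(line_no: int, line: str) -> List[Hit]:
    hits: List[Hit] = []
    for host in _HOST_RE.findall(line):
        kind = _domain_kind(host)
        if kind:
            hits.append(Hit(line_no, kind, host.lower()))
    for ip in _IPV4_RE.findall(line):
        if ip in IOC_IPV4:
            hits.append(Hit(line_no, "ipv4", ip))
    for digest in _SHA256_RE.findall(line):
        if digest.lower() in IOC_SHA256:
            hits.append(Hit(line_no, "sha256", digest.lower()))
    m = _DST_SMB_RE.search(line)
    if m and _is_public(m.group(1)):
        hits.append(Hit(line_no, "outbound_smb", m.group(1)))
    return hits


def scan_logs(lines: Iterable[str]) -> List[Hit]:
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        hits.extend(scan_line(n, line))
    return hits


# Constructed sample telemetry; only the indicators themselves come from the post.
SAMPLE_LOGS = [
    "2023-12-05T09:14:02Z dns client=10.1.4.22 query=opendocument.infinityfreeapp.com type=A",
    "2023-12-05T09:14:05Z proxy client=10.1.4.22 url=https://example.webhook.site/collect status=200",
    "2023-12-05T09:14:09Z fw action=allow src=10.1.4.22:51012 dst=89.96.196.150:445 proto=tcp",
    "2023-12-05T09:14:30Z edr host=WS-0422 file=C:\\Users\\u\\Downloads\\update.zip "
    "sha256=ed56740c66609d2bbd39dc60cf29ee47743344a9a6861bee7c08ccfb27376506",
    "2023-12-05T09:15:00Z fw action=allow src=10.1.4.22:51020 dst=10.1.0.5:445 proto=tcp",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} {hit.value}")
```

The internal SMB line on the last sample produces no hit, which is the point of the `is_global` check: outbound 445 to the internet is rare enough in most environments to be worth an alert, while internal file-share traffic is not. Subdomain matching on `webhook.site` is intentional because the post lists it as a domain rather than a full hostname.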
REFERENCES
- https://www.proofpoint.com/us/blog/threat-insight/ta422s-dedicated-exploitation-loop-same-week-after-week
- https://otx.alienvault.com/pulse/656f30c505e8b346f16b150f
TAGS
cve202323397, mockbin, et exploit, winrar, powershell, pawn storm