The newly-formed hacking group TA2101 impersonates governmental entities in a targeted malspam campaign that delivers Maze ransomware, among other malware
A massive malspam campaign was spotted by Proofpoint security researchers in Germany, Italy, and the United States. Between October 16 and November 12, organizations from healthcare, manufacturing, business, and IT service sectors were observed receiving emails that impersonate governmental agencies and specialize in ransomware, banking trojan, and a backdoor delivery.
As described by security experts from Proofpoint, the threat actor group responsible for the campaign is relatively new in the cybercriminal world – dubbed TA2101:
Proofpoint researchers recently detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware.
The campaign is heavily modified depending on the attack vector – a malicious group sends out targeted emails that include fake tax assessment, tax refund, and similar document attachments that normally are sent by governmental agencies like the German Federal Ministry of Finance, Italian Revenue Agency and the US Postal Service.
One of the tools employed by the group is Cobalt Strike – a commercially licensed application that emulates penetration testing. Despite having numerous legitimate uses, the software was utilized by the infamous hacking groups like Cobalt Group, APT32, and APT19 to carry out malicious attacks on various organizations.
German firms received MS document attachments which loaded Maze ransomware via a PowerShell script
The highly targeted spam campaigns employ various malware payloads designed for different purposes. Nevertheless, the purpose of the attacks seems to be financial gains. Proofpoint pointed out that the emails are specially crafted and written professionally, using various social engineering techniques.
The first campaign that was spotted was targeting German companies. Threat actors impersonated Bundeszentralamt fur Steuern (German Federal Ministry of Finance) entity, use the .icu email domain, and claimed that the user is owed tax refund. The email contained an MS Word attachment that allegedly contained all the needed information about the process of tax retrieval. In some cases, hackers also used the branding and the name of German ISP 1&1 Internet AG.
Once the attachment is opened, the document states that it is only compatible with the previous version of MS Word – a typical tactic used in malspam campaigns. This prompts users to enable macro function, which executes commands via PowerShell, consequently downloading the malicious payload. This campaign mainly targeted German companies and downloaded and executed Maze ransomware on host machines.
Italian users were deceived by allegedly RSA-encrypted documents
On October 29, Proofpoint spotted emails targeting Italian users with a similar scheme – this time, the malicious email came from Agenzia Entrate (the Italian Ministry of Taxation). Similarly to the malspam campaign in Germany, threat actors also used .icu domain for the sender address, but this time claimed that users are being penalized for tax evasion:
The lure appears to be a notification of law enforcement activities (“aggiornamento: attivita di contrasto all'evasione”) and states that the recipient should open and read the enclosed document in order to avoid further tax assessment and penalties.
Instead of relying on the older version file type tactic, the malicious VERDI.doc claimed that it is encrypted by the RSA encryption algorithm and that users need to enable content in order to view the document properly.
Upon clicking “Enable Content,” the malicious attachment ran PowerShell scripts to download and install Maze ransomware. Maze ransomware is currently not decryptable and also has been recently spotted utilizing the Fallout exploit kit for its propagation.
Most recent attacks are directed at the US healthcare providers
The most recent campaign was spotted by researchers on November 12. This time, the number of malicious emails was counted “in thousands” and targeted healthcare organizations across the United States. Malicious actors impersonated US postal service (USPS).
Unlike campaigns targeting Europe, the domain name of the email address was not .icu but rather .com (uspsdelivery-service.com). However, the lure used to allow the malicious content to be executed was identical to the one used in Italy – the document was allegedly encrypted with the RSA SecurID key, which might prompt users to enable the content, consequently launching the sequence the commands that would execute the malicious payload. This time, instead of Maze ransomware, the IcedID banking Trojan was delivered to the affected machines.
To protect yourself against phishing email attacks, trust the warnings – regardless of how legitimate the email might look like, keep in mind that all the logos and the formatting can be easily faked by cybercriminals. Always use caution, and scan the attachments with anti-malware software or upload them to Virus Total, or similar analyzers.