The threat actor tracked as TA866 has re-emerged after a nine-month hiatus with a large-scale phishing campaign distributing the known malware families WasabiSeed and Screenshotter. The campaign, observed by Proofpoint in January 2024, involved thousands of invoice-themed emails carrying decoy PDF attachments sent to targets in North America. Each PDF contained a OneDrive URL that, when clicked, triggered a multi-step infection chain ending in the deployment of WasabiSeed and Screenshotter. TA866, previously associated with the Screentime campaign, is assessed to be financially motivated; Screenshotter acts as a reconnaissance tool, capturing the victim's screen so the operators can identify high-value targets before committing further payloads. The attack chain closely mirrors earlier ones, the main change being a switch from macro-enabled Publisher attachments to PDFs containing rogue OneDrive links.
TA571, a spam distributor, collaborated with TA866 in this campaign, delivering the booby-trapped PDFs. TA571 is known to distribute a range of malware, including AsyncRAT, NetSupport RAT, IcedID, PikaBot, QakBot (also known as Qbot), and DarkGate. DarkGate, sold as malware-as-a-service, has been active since 2017 and is used by a limited number of attack groups.

The resurgence of TA866 comes amid evolving phishing tactics, including an evasion technique that abuses the URL verdict caching of email security products. The attacker places a Call To Action (CTA) link in the phishing email that initially resolves to a trusted, benign website. Once the security vendor has scanned the URL and cached a benign verdict, the attacker reconfigures that same link to redirect to the intended phishing page; because the URL in the email is unchanged, the cached verdict is reused and the link is not reprocessed by the security engines. The practical caveat for defenders is that a verdict keyed on the URL as written in the email is only as trustworthy as the redirect behind it: rescanning at click time, or caching on the resolved final destination with a short TTL, closes that window.
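The following is an added illustration of the verdict-cache evasion described above; it is not code from the report or from any vendor product. It models a link scanner that caches a verdict per email URL, an attacker-controlled redirector whose target is changed after the benign verdict has been cached, and a hardened scanner that re-resolves the redirect on every evaluation and keys its cache on the final destination with a TTL. All hostnames, the blocklist and the redirect table are constructed placeholders.

```python
"""
Simulation of URL verdict-cache evasion (added example, not vendor code).

A naive scanner caches a verdict per URL as it appears in the email. The
attacker's redirector initially points at a benign site, so 'clean' is cached;
the attacker then repoints the same URL at a phishing page and the cached
verdict is reused. The hardened scanner re-resolves the redirect each time and
caches on the final destination, so the swap is caught at click time.
"""
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed blocklist standing in for a real threat-intel feed.
KNOWN_BAD_HOSTS = {"phish.example.invalid"}


@dataclass
class Redirector:
    """Attacker-controlled link: the URL in the email stays fixed, the target can change."""
    url: str
    target: str

    def resolve(self) -> str:
        # Stands in for following an HTTP 30x redirect at evaluation time.
        return self.target


def raw_verdict(final_url: str) -> str:
    """Classify the landing URL by host against the constructed blocklist."""
    host = final_url.split("://", 1)[-1].split("/", 1)[0]
    return "malicious" if host in KNOWN_BAD_HOSTS else "clean"


@dataclass
class NaiveScanner:
    """Caches the verdict under the email URL and never looks again."""
    cache: Dict[str, str] = field(default_factory=dict)

    def verdict(self, link: Redirector) -> str:
        if link.url not in self.cache:
            self.cache[link.url] = raw_verdict(link.resolve())
        return self.cache[link.url]


@dataclass
class HardenedScanner:
    """Re-resolves the redirect every time; caches per final destination with a TTL."""
    ttl: float = 300.0
    cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def verdict(self, link: Redirector, now: Optional[float] = None) -> str:
        now = time.monotonic() if now is None else now
        final = link.resolve()  # the email URL is never used as a cache key
        entry = self.cache.get(final)
        if entry is None or now - entry[1] > self.ttl:
            entry = (raw_verdict(final), now)
            self.cache[final] = entry
        return entry[0]


def run_scenario() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Return (naive, hardened) verdicts before and after the attacker swaps the target."""
    link = Redirector("https://cta.attacker.invalid/go", "https://benign.example.invalid/")
    naive, hardened = NaiveScanner(), HardenedScanner()
    # Phase 1: delivery-time scan while the redirect still points at a benign site.
    before = (naive.verdict(link), hardened.verdict(link, now=0.0))
    # Phase 2: attacker repoints the same URL; the recipient clicks a minute later.
    link.target = "https://phish.example.invalid/login"
    after = (naive.verdict(link), hardened.verdict(link, now=60.0))
    return before, after


if __name__ == "__main__":
    print(run_scenario())
```

The naive scanner returns "clean" both before and after the swap, while the hardened scanner flags the second evaluation as "malicious". In a real gateway the equivalent of `resolve()` is following the redirect chain at time of click (or on a short re-scan interval) rather than trusting the first verdict for the lifetime of the URL.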