Cybercrime , Fraud Management & Cybercrime , Governance & Risk Management

TA577 Now Focusing on NT LAN Manager Authentication Theft

Proofpoint Spots Recent Changes in Cyber Tactics for Black Basta-Affiliated Group
TA577 Now Focusing on NT LAN Manager Authentication Theft
Image: Shutterstock

A cyber threat actor is shifting tactics from conventional malware delivery to a targeted focus on acquiring NT LAN Manager authentication information to potentially collect sensitive data and perform other malicious actions.

See Also: 2024 Threat Hunting Report: Insights to Outsmart Modern Adversaries

Proofpoint researchers uncovered the group TA577 orchestrating at least two campaigns over two days - Feb. 26-27. The group employed thread hijacking, disguising messages as replies to previous emails and attaching zipped HTML files tailored for each recipient.

The campaigns included tens of thousands of messages that targeted hundreds of organizations globally.

The attachments trigger a system connection attempt to an external Server Message Block server. TA577 sought to obtain NTLMv2 Challenge/Response pairs from the SMB server to acquire NTLM hashes for potential password cracking or "pass the hash" attacks within specific organizations.

The use of the open-source toolkit Impacket on SMB servers allows TA577 to maintain persistence and evade detection. Attempting to connect to these SMB servers could potentially jeopardize NTLM hashes and expose additional sensitive details, such as computer names, domain names and usernames in plain text.

Proofpoint recommends blocking outbound SMB connections and patching Outlook mail clients to mitigate the attack.

Prominent cybercrime threat actor TA577, previously linked to ransomware strains such as Black Basta, recently transitioned to employing Pikabot as its initial payload.

The unprecedented move into NTLM theft last week suggests the threat actor has the time, resources and experience to rapidly iterate and test new delivery methods. This adaptability allows TA577 to stay ahead of detection mechanisms and increase the effectiveness of its payload delivery, researchers said.

Proofpoint researchers also noted an uptick in the number of threat actors abusing file URI schemes and directing recipients to external file shares for malware delivery.


About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.