Since October, a threat actor has been impersonating governmental agencies in phishing emails designed to infect American, German and Italian organizations with various forms of malware, including the Cobalt Strike backdoor, Maze ransomware and the IcedID banking trojan.
Business and IT services, manufacturing companies, and healthcare organizations make up a large share of the targets in this operation, said a blog post today from Proofpoint, which calls the group TA2101. In many cases, the emails are sent from addresses that are made to look authentic at first glance, only they end in the .icu top-level domain.
The Proofpoint Threat Insight Team observed TA2101 campaigns targeting German on Oct. 16 and 23, and then again on Nov. 6, during which time the actor pretended to be the Bundeszentralamt fur Steuern, aka the German Federal Ministry of Finance. The adversary sent hundreds of emails with lures designed to entice recipients into opening Word documents containing malicious macros. These macros executed a PowerShell script that delivered Cobalt Strike, a legitimate attack simulation tool that in the wrong hands can be used as actual malware.
The October emails, aimed largely at IT services companies, falsely claimed that recipients were due to receive a tax refund, and instructed them to open the Word doc to fill out a refund request form.
The Nov. 6 emails similarly targeted business and IT services companies. In this instance, however, the attached documents were disguised as an RSA SecureID key, but actually contained macros that delivered Maze ransomware. One day later, TA2101 sent out even more emails, except instead of impersonated the Federal Ministry of Finance, the attackers pretended to be the ISP 1&1 Internet AG.
Phishing activity targeting Italian organizations, especially manufacturing companies, took place on Oct. 29. For this scam, TA2101 emailed dozens of prospective victims a notification of law enforcement activities that purportedly came from Agenzia Entrate, the Italian Ministry of Taxation and threatened recipients with financial penalties. Again, opening the attached Word doc would trigger the embedded macros to install Maze.
The most recent campaign referenced in the blog post took place on Nov. 12 and zeroed in on American organizations. These emails, which used a uspsdelivery-service.com domain instead of .icu, seemed to come from the U.S. Postal Service and again appeared to include a Word document with an RSA SecurID key. Opening the document this case caused the macros to deliver the IcedID banking trojan.
“Proofpoint researchers have observed a consistent set of TTPs… that allows attribution of these campaigns to a single actor with high confidence. These include the use of .icu domains, as well as identical email addresses for the Start of Authority (SOA) resource records stored for the DNS entries for the domains used in these campaigns,” wrote Proofpoint researcher and blog post author Bryan Campbell. The SOA email addresses, firstname.lastname@example.org, is also linked campaigns that attempted to spread Buran ransomware in September.”
“Additionally, Proofpoint researchers have observed that the canonical URLs used by this actor are formatted in a repeatable fashion with word_/.tmp in the string with slight variations made over time,” the blog post continued. “Proofpoint researchers suspect that the word_/.tmp usage might be linked to previous campaigns that were spotted earlier by the infosec community in 2019.”