The BlackBerry® Research & Intelligence team has been tracking and monitoring Cobalt Strike team servers associated with the threat actor TA575, a financially motivated cybercrime group and prolific Dridex affiliate. They are well-known for conducting mass spam campaigns that use malicious document lures to deliver malware such as Dridex, Qakbot, and WastedLocker. Since February 2021, TA575 have deployed over 50 Cobalt Strike team servers.
These servers use unique values in their configurations that have allowed our researchers to identify disparate infrastructure that had previously been flying under the radar. Portions of this infrastructure have been used by thousands of Cobalt Strike “Beacons” and malicious document stagers across several distinct malspam campaigns. In more recent offensives, such as the Fake Kaseya VSA phishing campaign first reported by Trustwave in early July, the team server infrastructure was used for staging further Dridex payloads. Prior to deployment, the beacon payloads associated with TA575 team servers tend to be packed using CryptOne and signed using one of several self-signed code-signing certificates. The internal filenames within the version information are either Mightywill.QA.CrashReport.exe or simply Opera. BlackBerry researchers have observed thousands of beacon loaders packaged in this manner, usually dropped as part of malicious document attack chains. Further unravelling of the network infrastructure has proved invaluable for tracking campaigns, as they yield domain names for associated IPs that are registered in advance of deployment (via DGA).
They are related to several distinct campaigns targeting healthcare, government, and legal verticals in the U.S. They also provide indicators that can be used to fine-tune our threat detection capabilities. We are sharing this intelligence with the community because many of TA575’s Cobalt Strike team servers remain unattributed, and several have yet to be fully operationalized. Furthermore, since not all team servers are being used for high-profile Dridex or Qakbot phishing campaigns, the association between Cobalt Strike Beacon and TA575 may not always be immediately apparent during investigations. We hope that the insights and indicators in this report may prove beneficial to analysts, researchers, and investigators in providing attribution as well as correlation with past and present TA575 Cobalt Strike activity.
The following information is presented as a timeline of this threat actor’s activities and expansion of its malicious use of Cobalt Strike Beacons. The first campaign to leverage the team server infrastructure began in late February. It was ultimately responsible for deploying Qakbot in a targeted attack against healthcare, municipal county offices and law firms in the U.S. The phishing emails contained malicious document attachments that would display a convincing DocuSign-based lure when opened. This lure was designed to trick the recipient into enabling macros, as shown in the image below.
Figure 2: TA575 Cobalt Strike team server deployments by month (tracking unique IP/ports)
Once activated, the macro-enabled documents would deploy Beacon and Qakbot payloads via an MSHTA attack chain. Notably, a single team server was deployed as far back as August 2020, when TA575 conducted a prior Dridex campaign. However, the cyber-criminal group seems to have favored the now-defunct PowerShell Empire post-exploitation framework at the time, and did not deploy related team servers again until the Qakbot campaign in late February. Starting in early July 2021, TA575 deployed a fresh batch of team servers and began hosting Dridex and maldocs alongside Cobalt Strike Beacons. This occurred while phishing campaigns were again targeting healthcare and municipal county offices in the US, as well as broader targets across South Korea. BlackBerry researchers discovered that many of the loaders were signed using a self-signed certificate named MZJVESLENZVLRPQFZD, with an internal filename of Mightywill.QA.CrashReport.exe.
Around this time, a mass spam campaign pumping fake Kaseya VSA phishing lures was observed by Trustwave and Malwarebytes, containing attachments embedded with CryptOne-packed Cobalt Strike Beacon loaders. These loaders were configured to communicate with recently deployed team servers already under observation. In addition, malicious Excel® documents were found to be using GlobalSign by GMO and QuickBooks lures to dupe targets into enabling macros. Using filenames such as Invoice_891042.xls, zbetcheckin_tracker_Invoice_952068.xls and Reciept 19129475.xlsb (sic), the maldocs dropped CryptOne-packed Beacon loaders, Dridex, and VBA downloaders used as part of an MSHTA attack chain.
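The indicators this report describes (the lure filename patterns, the Office-to-mshta.exe process chain, the self-signed certificate subject and the loader InternalName values) can be combined into a scoring rule for sandbox or mail-gateway output. The following is an added example and not BlackBerry's tooling; the record field names (`attachment`, `process_chain`, `dropped_pe`, `internal_name`, `signature`) and the sample records are assumptions constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Lure filenames quoted in the report: Invoice_891042.xls,
# zbetcheckin_tracker_Invoice_952068.xls and "Reciept 19129475.xlsb" (sic).
LURE_NAME = re.compile(r"(?:invoice_\d{6}|reciept \d{8})\.xls[bm]?$", re.I)
# Internal filenames in the version info of the packed Beacon loaders.
LOADER_INTERNAL_NAMES = {"Mightywill.QA.CrashReport.exe", "Opera"}
# Self-signed certificate subject named in the report.
KNOWN_CERT_SUBJECTS = {"MZJVESLENZVLRPQFZD"}
OFFICE_PARENTS = {"excel.exe", "winword.exe"}

def assess(rec: Dict) -> Tuple[int, List[str]]:
    """Score one sandbox record (field names are assumed) and explain why."""
    findings: List[Tuple[int, str]] = []
    if LURE_NAME.search(rec.get("attachment", "")):
        findings.append((1, "TA575-style lure filename"))
    # MSHTA attack chain: an Office process spawning mshta.exe.
    if any(p.lower() in OFFICE_PARENTS and c.lower() == "mshta.exe"
           for p, c in rec.get("process_chain", [])):
        findings.append((2, "Office process spawned mshta.exe"))
    for pe in rec.get("dropped_pe", []):
        sig = pe.get("signature") or {}
        self_signed = bool(sig) and sig.get("subject") == sig.get("issuer")
        if self_signed and sig.get("subject") in KNOWN_CERT_SUBJECTS:
            findings.append((3, f"known TA575 cert {sig['subject']}"))
        elif self_signed:
            findings.append((1, "self-signed Authenticode cert"))
        name = pe.get("internal_name")
        # "Opera" alone is weak (legitimate Opera binaries carry it), so it
        # only counts when the file is also self-signed.
        if name in LOADER_INTERNAL_NAMES and (name != "Opera" or self_signed):
            findings.append((2, f"loader-style InternalName {name}"))
    return sum(p for p, _ in findings), [why for _, why in findings]

def triage(records: List[Dict], threshold: int = 4) -> List[str]:
    """Return the ids of records whose score reaches the threshold."""
    return [r["id"] for r in records if assess(r)[0] >= threshold]

# Constructed sample records (not real telemetry).
SAMPLES = [
    {"id": "mail-1", "attachment": "zbetcheckin_tracker_Invoice_952068.xls",
     "process_chain": [("EXCEL.EXE", "mshta.exe")],
     "dropped_pe": [{"internal_name": "Mightywill.QA.CrashReport.exe", "signature": {
         "subject": "MZJVESLENZVLRPQFZD", "issuer": "MZJVESLENZVLRPQFZD"}}]},
    {"id": "mail-2", "attachment": "Q3_budget.xlsx",
     "dropped_pe": [{"internal_name": "Opera", "signature": {
         "subject": "Example Vendor", "issuer": "Example Public CA"}}]},
]
```

The weights are illustrative; in practice the self-signed-certificate and Office-to-mshta.exe signals should also be tuned against your own baseline, since neither is unique to TA575.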