Sliver pentest tool added to TA551's arsenal for malicious email campaigns

November 16, 2021
Sliver Pentest Tool TA551 Threat Group Malicious Email Campaigns Shathak Cybercrime Malware Distribution

Cybersecurity researchers report a significant change in the tactics of the threat group TA551, which has added the open-source pentest tool Sliver to its arsenal. Also known as Shathak, TA551 is a threat group that distributes malware through a thread hijacking technique: it uses compromised email accounts or stolen messages to communicate with victims inside existing conversations.

TA551 has been observed delivering malware such as Qbot, Emotet, Ursnif, and IcedID. The group also sells access to compromised systems to ransomware threat actors.

Furthermore, security researchers noticed suspicious TA551 activity in which emails pretending to be replies to existing email threads are sent out. The emails carry a password-protected Word document attachment that deploys the Sliver framework. Sliver is a free, open-source red teaming tool for threat simulation. It also provides command-and-control functionality, process injection, and information-harvesting capabilities, among others.


In a related finding, Sliver-based malware is also being delivered through malicious email campaigns that resemble TA551's tactics.


The campaign is dubbed "Stolen Images Evidence." It uses emails generated through contact form submissions on various websites, in which a copyright violation is described to the intended victim. The campaign email also contains a Google-based URL that claims to show proof of the stolen images behind the alleged copyright violation.

Following the link, the victim's web browser receives a zip archive that contains a JavaScript file. That file typically drops malware such as Gozi/ISFB/Ursnif, BazarLoader, or IcedID (Bokbot).

This comes a few months after US and UK authorities jointly warned that APT29, a Russian state-sponsored threat group, had added the Sliver pentest tool to its arsenal. The development is not surprising to security researchers, who have long cautioned the industry about the links between cybercrime and nation-state attacks.

Researchers report that the use of red teaming tools is becoming prevalent among threat actors. One example is Cobalt Strike, an adversary simulation tool, whose use in cybercrime surged by 161% from 2019 to 2020.

In conclusion, security researchers note that TA551's adoption of the Sliver pentest tool demonstrates its flexibility as a threat actor. With Sliver, TA551 can gain access and communicate with victims directly, giving it more opportunities to maintain persistence and perform lateral movement.
