Secret Message: Steganography Tricks of TA558 Group in Cyber Attacks on Enterprises in Russia and Belarus

July 30, 2024, 4:31 p.m.

Description

F.A.C.C.T.'s Threat Intelligence analysts have investigated numerous cyberattacks by the TA558 group targeting enterprises, government institutions, and banks in Russia and Belarus. The attacks aimed to steal data and gain access to the targeted organizations' internal systems. TA558 used multi-stage phishing campaigns, malware distribution, and advanced social engineering techniques, including steganography to conceal malicious payloads within images and encoded text files. The group leveraged compromised legitimate SMTP servers and created email accounts masquerading as legitimate organizations to distribute malicious emails carrying malware such as Agent Tesla and Remcos.

Date

Published: July 30, 2024, 3:54 p.m.

Created: July 30, 2024, 3:54 p.m.

Modified: July 30, 2024, 4:31 p.m.

Indicators

Attack Patterns

Agent Tesla - S0331

Remcos

TA558

CVE-2017-11882

Additional Information

Finance

Government

Belarus

Russian Federation