Secret Message: Steganography Tricks of TA558 Group in Cyber Attacks on Enterprises in Russia and Belarus

July 30, 2024, 4:31 p.m.

Description

F.A.C.C.T.'s Threat Intelligence analysts have investigated numerous cyberattacks by the TA558 group targeting enterprises, government institutions, and banks in Russia and Belarus. The attacks aimed to steal data and gain access to the targeted organizations' internal systems. TA558 used multi-stage phishing campaigns, malware distribution, and advanced social engineering techniques, including steganography to conceal malicious payloads within images and encoded text files. The group leveraged compromised legitimate SMTP servers and created email accounts masquerading as legitimate organizations to distribute malicious emails carrying malware such as Agent Tesla and Remcos.

Date

  • Created: July 30, 2024, 3:54 p.m.
  • Published: July 30, 2024, 3:54 p.m.
  • Modified: July 30, 2024, 4:31 p.m.

Indicators

  • fda7e2d7a3ee70355988afc70ee4d6ebf08b76ef38f4504aa1cf5f8fa9a99b2e
  • eecb89aaf97fa8333c2c56c16e3905b2b2764271d7f7944bc71a8aba64d2906c
  • ea17ccf4bf55f23b8a93f8e17e470be440211f463d5b7e01958843c8c160f765
  • e2ee9ac33c1e07a99f8cc6044f0a7b830e892fbfbfd7d6e8db916707e9c34035
  • d5e214f3096564dfc3e348b6a3ac6aeefed75d785ac7cfab5d3019f67fdbc9be
  • c0e49a1256f7e6b66607f2440219ce5e684bd591fc1fb7c64b90e9b9218374a9
  • bc46b7b44928f6ad586d787db33f53ed962aab72441a5518efb3e971d36a40e2
  • a2d5c106ced87a5771490d95bc20c385f8ae49f7e8448b2e68a3c6bf0d96d03b
  • 91a14852328b337a5aa1046bc7f92448f2c0a3c2ec5a8a76729de68521fa2a39
  • 8d12cfdb1376c99139b8dba94a0c02357bf7652b763d6313d70dde912266905f
  • 6b19f6c758c0b626d1319314e9679d55701e156a9642409e8899a1e7d6a20026
  • 89eb53096ec6248185c7797c802d1bd9b539097f01592bfe5f9e183d753d20ce
  • 4d97a5069b154b2e95af235dd32c82c1bf5b2e4cf2d188067da223f488ebaa48
  • 55f02d8a8f8fe958eeb020593b48d25c86238bd2a7746b9c7b7e4afa9e88c315
  • 4cc7a5fe2d2ffafda3791f0e9cced8f7fe430b598551c2a9277210e87e6df53b
  • 383ee0319fade807fd02f12a92d4f2b98ba7137f27212b996f3cc9bd88f278ac
  • 32562e2a917d9827d3f24ac715a6af7468d627594c90126641349d25b735234f
  • 295aef7c1199c1f1ed7d487694e977ec858c5819140ed09808e175fcc49472f0
  • 18b8e4782b590141ff10ecde5b76bd1e35d99890a517741ac71408a478a56a81
  • 110502c15e51f07fe6aff0b0a28d128d60a1eb51df09a2b9fb2db0775fe92f28
  • 0f9a81081fd7ff58c83c78bcfa4735556fd3ad823f917fe28787085f2d309336
  • 079de6fa0a294bbab99ca481e03e5d0360cdfae1ab41ffd7cc37a92d7bcc25a1
  • 041c9c4e5242464f8661c6f611da14041447b368e7ff669e5de89e9f805ba486
  • 75.102.51.237
  • 70.34.197.128
  • 45.79.137.187
  • 45.74.19.84
  • 45.56.102.63
  • 185.236.228.95
  • 216.9.224.70
  • 139.144.212.135
  • 213.142.149.158
  • www.metabaseq.com
  • www.autosmtp.com
  • https://www.autosmtp.com
  • https://www.metabaseq.com/ta588/
  • https://cyble.com/blog/threat-actor-employs-powershell-backed-steganography-in-recent-spam-campaigns/
  • http://tt.vg/IsjCX
  • http://tt.vg/PqPsi
  • http://tau.id/ze87s
  • http://tau.id/y3kre
  • http://tau.id/c9izr
  • http://tau.id/34x8c
  • http://tau.id/0vzd8
  • http://l-to.com/ru7285wa
  • http://qr-in.com/HDYwZbx
  • http://shtu.be/e79171
  • http://139.144.212.135/sbi/microsoftupdationgoingformicrftofficeupgradingtonewmsofficeprotoecoltoreducethesystemwrking.doc.
  • http://isols.co/zXTgU
  • http://en0.de/serverrrrr
  • http://139.144.212.135/222/GST.xn--txt-to0a
  • export@bcmsrll.com
  • info@bcmsrll.com
  • expo@bcmsrll.com
  • contact@bcmsrll.com
  • biatr.ooguy.com
  • withheldforprivacy.com
  • vervo.lat
  • qr-in.com
  • shtu.be
  • pluse-tr.com
  • naft-dz.shop
  • midae.com
  • maximum.icu
  • laceys.icu
  • l-to.com
  • isols.co
  • executivesship.com
  • bcmsrll.com
  • baltictransline.store
  • bsmsrll.com
  • abspedition.icu
  • automaxtool.me
  • akcalogistics.shop

Attack Patterns

  • Agent Tesla - S0331
  • Remcos
  • TA558
  • CVE-2017-11882

Additional Information

  • Finance
  • Government
  • Belarus
  • Russian Federation