Secret Message: Steganography Tricks of TA558 Group in Cyber Attacks on Enterprises in Russia and Belarus
July 30, 2024, 4:31 p.m.
Description
F.A.C.C.T.'s Threat Intelligence analysts have investigated numerous cyberattacks by the TA558 group targeting enterprises, government institutions, and banks in Russia and Belarus. The attacks aimed to steal data and gain access to the targeted organizations' internal systems. TA558 used multi-stage phishing campaigns, malware distribution, and advanced social engineering techniques, including steganography to conceal malicious payloads within images and encoded text files. The group leveraged compromised legitimate SMTP servers and created email accounts masquerading as legitimate organizations to distribute malicious emails carrying malware such as Agent Tesla and Remcos.
Date
Published: July 30, 2024, 3:54 p.m.
Created: July 30, 2024, 3:54 p.m.
Modified: July 30, 2024, 4:31 p.m.
Indicators
.102.51.237
70.34.197.128
45.79.137.187
45.74.19.84
45.56.102.63
185.236.228.95
216.9.224.70
139.144.212.135
213.142.149.158
www.metabaseq.com
www.autosmtp.com
https://www.autosmtp.com
https://www.metabaseq.com/ta588/
https://cyble.com/blog/threat-actor-employs-powershell-backed-steganography-in-recent-spam-campaigns/
http://tt.vg/IsjCX
http://tt.vg/PqPsi
http://tau.id/ze87s
http://tau.id/y3kre
http://tau.id/c9izr
http://tau.id/34x8c
http://tau.id/0vzd8
http://l-to.com/ru7285wa
http://qr-in.com/HDYwZbx
http://shtu.be/e79171
http://139.144.212.135/sbi/microsoftupdationgoingformicrftofficeupgradingtonewmsofficeprotoecoltoreducethesystemwrking.doc.
http://isols.co/zXTgU
http://en0.de/serverrrrr
http://139.144.212.135/222/GST.xn--txt-to0a
export@bcmsrll.com
info@bcmsrll.com
expo@bcmsrll.com
contact@bcmsrll.com
biatr.ooguy.com
withheldforprivacy.com
vervo.lat
qr-in.com
shtu.be
pluse-tr.com
naft-dz.shop
midae.com
maximum.icu
laceys.icu
l-to.com
isols.co
executivesship.com
bcmsrll.com
baltictransline.store
bsmsrll.com
abspedition.icu
automaxtool.me
akcalogistics.shop
Attack Patterns
Agent Tesla - S0331
Remcos
TA558
CVE-2017-11882
Additional Information
Finance
Government
Belarus
Russian Federation