TA4903 Phishing Campaigns Evolve, Targets US Government

Written by

The TA4903 group has been observed engaging in extensive spoofing of both US government agencies and private businesses across various industries.

While primarily targeting organizations within the United States, TA4903 occasionally extends its reach globally through high-volume email campaigns. The overarching objective of these campaigns, as reported by Proofpoint in a new advisory published today, is the theft of corporate credentials, infiltration of mailboxes and subsequent business email compromise (BEC) activities.

Starting in December 2021, Proofpoint began observing a series of campaigns spoofing federal US government entities. These campaigns, later attributed to TA4903, initially posed as the US Department of Labor before masquerading as other government departments in subsequent years. 

Notably, from mid-2023 through 2024, there was a surge in credential phishing and fraud campaigns by TA4903, targeting small and medium-sized businesses (SMBs) across diverse industries such as construction, manufacturing, energy, finance and food and beverage.

The modus operandi of TA4903 involves using various tactics, techniques and procedures (TTPs) to execute its operations. For instance, the actor is known to employ PDF attachments containing embedded links or QR codes which lead to government-branded phishing websites. 

Read more on similar techniques: PDF Malware on the Rise, Used to Spread WikiLoader, Ursnif and DarkGate

In 2023, Proofpoint observed TA4903 adopting new tactics, including using lure themes referencing confidential documents and ACH payments. Notably, the actor expanded its activities by utilizing HTML attachments or zipped HTML attachments, indicative of a significant shift in its approach.

The threat actor’s evolution also included the deployment of EvilProxy, a reverse proxy multifactor authentication (MFA) bypass toolkit, although its usage declined later in 2023. Moreover, TA4903 has ventured into broader distribution of BEC campaigns, departing from its typical email lures and utilizing benign messages to deceive recipients.

Proofpoint researchers have conducted extensive analysis to attribute the threat activity to TA4903. The actor’s consistent attack patterns, including domain construction, email lure content and hosting providers, facilitated this attribution.

“The actor’s recent BEC campaigns that move away from government spoofing and instead purport to be from small and medium-sized businesses have become more frequent,” Proofpoint wrote.

“These campaigns are observed at a higher operational tempo than previously observed government spoofing or other credential theft campaigns. It is possible the actor’s techniques have shifted as a result of the efficacy of such campaigns, or it is just a temporary change in the overall TTPs.”

According to the Proofpoint advisory, organizations must remain vigilant and implement robust security protocols to thwart such threats effectively. A list of indicators of compromise (IoC) is available in the technical write-up.

What’s hot on Infosecurity Magazine?