Cybersecurity researchers at Proofpoint have uncovered a new tactic employed by cybercriminal threat actor TA577, shedding light on a lesser-seen objective in their operations.
The group was found utilizing an attack chain aimed at stealing NT LAN Manager (NTLM) authentication information. This method could potentially be exploited for sensitive data gathering and facilitating further malicious activities.
In an analysis published earlier today, the Proofpoint team identified at least two campaigns conducted by TA577 on February 26 and 27 2024 employing this technique.
These campaigns targeted hundreds of organizations globally, sending out tens of thousands of messages. The messages were designed to appear as replies to previous emails, a tactic known as thread hijacking, and contained zipped HTML attachments.
Each attachment had a unique file hash, and the HTML files within were tailored to specific recipients. Upon opening, these files initiated a connection attempt to a Server Message Block (SMB) server via a meta refresh to a file scheme URI ending in .txt. This connection was designed to reach an external SMB resource controlled by the threat actor, aiming to capture NTLM hashes.
Proofpoint’s analysis did not detect any malware delivery from these URLs. Instead, researchers concluded that TA577’s objective was to capture NTLMv2 challenge/response pairs to steal NTLM hashes, based on the characteristics of the attack chain and tools used.
The stolen NTLM hashes could potentially be exploited for password cracking or to facilitate “Pass-The-Hash” attacks within targeted organizations. Indicators suggest the use of the open-source toolkit Impacket on the SMB servers, a practice uncommon in standard SMB environments.
Read more on Pass-The-Hash attacks: Microsoft Fixes Two Zero-Day Bugs Used in Attacks
It’s worth noting that the delivery method used by TA577 – employing a malicious HTML file within a zip archive – is specifically designed to bypass security measures. Even disabling guest access to SMB does not mitigate the attack, as the file attempts to authenticate to the external SMB server.
“Proofpoint researchers have also seen an increase in multiple threat actors abusing file scheme URIs to direct recipients to external file shares such as SMB and WebDAV to access remote content for malware delivery,” Proofpoint warned. “Organizations should block outbound SMB to prevent exploitation identified in this campaign.”