Last week, two different threat actors teamed up to send thousands of post-holiday-break phishing emails destined for North American organizations.
Other than volume, the campaign was fairly standard fare.
What's more interesting, perhaps, is the timing of the campaign - and the relationship of the perpetrators behind it.
To the more interesting point, the main culprit, which Proofpoint tracks as TA866, was nearly silent for nine months prior.
Its co-conspirator, TA571, seems to have been offline during the winter break.
After enjoying some hot chocolates and holiday cheer, the former threat actor used the latter threat actor to successfully deliver its low-grade malicious content on a mass scale.
Spammers Team up with Traffic Distributors
TA866 has been active since at least October 2022.
In its first few weeks of operation it was relatively tame, sending only a limited number of emails to a small number of organizations.
By the end of 2022, the group started linking to the URLs of malicious content via traffic distribution systems.
TDSes are an increasingly popular middleman of the cyber underground, connecting phishers to malicious content providers and filtering the victim traffic in between for maximum profit.
Just as quickly as it made this switch, TA866's campaigns exploded to thousands of emails per go-around.
It seems to be sticking with that formula, as this latest campaign utilizes TA571's TDS to distribute the malicious PDFs.
TA866 isn't TA571's only partner-in-crime, though.
It has become clear that BattleRoyal, too, was making use of TA571's services.
Previous TA866 campaigns involved the Rhadamanthys stealer, a Dark Web offering used for nabbing crypto wallets, Steam accounts, passwords from browsers, FTP clients, chat clients, email clients, VPN configurations, cookies, files, and more.
Major Threat Actors Take a Holiday
Besides the TDS partnerships, the timing of last week's attack may also reflect something deeper about today's cybercrime underground.
Just as surely as Mariah Carey can be heard on the radio right around the turn of winter every year, the cybersecurity community raises warning flags about incoming holiday attacks.
Emotet used to be the best example for this, regularly dropping off in December through mid-January.
Larson also notes that in some parts of the world, the holiday season extends deeper into January than it does in the US.
In other words, the more serious threat actors who took Christmas off may just be getting back online around now.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 18 Jan 2024 22:50:04 +0000