After a nine-month sabbatical, a cyber espionage group has returned to the scene, targeting organizations across North America with infected PDF documents.
Cybersecurity firm Proofpoint announced the return of the threat group codenamed TA866 on January 18th, with an email campaign that sent thousands of messages with the infected files attached to targets.
Proofpoint says it blocked the campaign one week ago, preventing the culprits from using contaminated JavaScript files hosted on OneDrive to compromise targets using WasabiSeed malware.
It describes this line of attack as “completely new” – previously, TA866 relied on infected Publisher documents or URLs embedded directly into email messages to deliver its payload.
The Screenshotter program is also being used by the gang to facilitate its attacks this time around. In previous campaigns, the gang deployed AHK Bot and Rhadamanthys Stealer.
Proofpoint last observed TA866 – previously linked tentatively but not definitively to Russia – in March, leading it to conclude that the gang has come out of retirement.
It is also thought to be collaborating with TA571, another criminal group that specializes in spamming victims.
Proofpoint adds that the return of TA866 coincides with other criminal gangs coming back after end-of-year vacations, which means that the cyber landscape is looking distinctly more threatening.
“The evolution in the attack chain such as the use of new PDF attachments is also notable,” it said.