TA577

All articles tagged with #ta577

Phishing Attacks Target Windows NTLM Authentication with Weaponized ZIP File

Originally Published 1 year ago — by BleepingComputer


The hacking group TA577 has shifted to using phishing emails to steal NTLM authentication hashes, targeting employees in organizations worldwide. These hashes can be used for offline password cracking or "pass-the-hash" attacks, potentially enabling attackers to escalate privileges, hijack accounts, access sensitive information, and move laterally within a breached network. The phishing emails contain unique ZIP archives with HTML files that trigger automatic connections to steal the NTLM hashes. Security measures such as multi-factor authentication, firewall configurations, email filtering, and Windows 11 security features can help mitigate these attacks.

Rampant Malvertising: Urgent Action Needed to Combat PikaBot and DANABOT

Originally Published 2 years ago — by The Hacker News


A malvertising campaign is distributing the PikaBot malware disguised as popular software like AnyDesk. PikaBot, previously distributed via malspam campaigns, is a loader and backdoor that allows threat actors to gain unauthorized remote access to compromised systems. The malware is being leveraged by the cybercrime threat actor TA577, who has previously delivered QakBot, IcedID, and Cobalt Strike. The initial infection vector involves a malicious Google ad for AnyDesk that redirects victims to a fake website hosting a malicious MSI installer. The attacks bypass Google's security checks and employ fingerprinting techniques to ensure the victim is not in a virtualized environment. This malvertising campaign is reminiscent of previous chains used to distribute FakeBat malware. Additionally, there has been a rise in malicious ads targeting popular software searches, including the use of a Chrome extension framework called ParaSiteSnatcher to intercept and exfiltrate sensitive information.