The criminal threat group known as TA551 has added the Sliver red-teaming tool to its bag of tricks – a move that may signal ramped-up ransomware attacks ahead, researchers said.
According to Proofpoint researchers, TA551 (aka Shathak) has been mounting cyberattacks that start with email thread hijacking – an increasingly popular tactic in which adversaries insert themselves into existing email conversations. In one offensive seen just this week, the messages contained password-protected zipped Word documents. If opened and macros enabled, the attachments ultimately lead to the download of Sliver, an open-source, cross-platform adversary simulation and red-team platform.
The activity demonstrates a “significant departure” from previous tactics, techniques and procedures (TTPs) from TA551, according to Proofpoint. Typically, the end goal for TA551 has been to drop an initial-access/banking trojan such as IcedID, Qbot or Ursnif (and Emotet in the past), which eventually led to ransomware attacks. For instance, IcedID implants were associated with Maze and Egregor ransomware events in 2020, the firm determined.
“Typically, TA551 uses more commodity malware like banking trojans,” Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, told Threatpost. “They would compromise a victim and potentially broker access to enable the deployment of Cobalt Strike and eventually ransomware. Now with Sliver, they don’t need to rely on other groups for access. The threat actor is able to break in on their own with much more flexibility to push ransomware, steal data or do any lateral movement through the target organization.”
Red Team Tools on the Rise for Cybercrime
The move to installing Sliver speaks to the snowballing use of legitimate threat-hunting and defense tools by cybercriminals, said DeGrippo. Proofpoint observed a 161 percent increase in threat actor use of the red-teaming tool Cobalt Strike between 2019 and 2020 for instance.
It’s a phenomenon that other researchers have flagged as well.
“Attackers have never had it better in terms of freely available tooling, such as Metasploit and Mimikatz, or pirated copies of Cobalt Strike,” Nate Warfield, CTO at Prevailion, wrote in a Threatpost column this week. “Whether they need phishing toolsets, obfuscation frameworks, initial access tools, command-and-control (C2) infrastructure, credential-abuse tools or even open-source ransomware payloads, nearly all of this can be found for free on GitHub. Most people assume malicious actors are hiding on the Dark Web, selling tools for Bitcoin to only the shadiest of black hats, but this simply isn’t true.”
He added, “The industry has given offensive security professionals its blessing to develop and release attack frameworks under the rationale that ‘defenders need to understand these tactics.’ But this glosses over the fact that attack frameworks also help the attackers and make it harder for defenders to keep up.”
Sliver is available for free online, and capabilities include information-gathering, command-and-control (C2) functionality, token manipulation, process injection and other features. Additional offensive frameworks that appear as first-stage payloads used by cybercrime actors include Lemon Tree and Veil, according to Proofpoint.
“Threat actors are using as many legitimate tools as possible, including executing Windows processes like PowerShell and WMI; injecting malicious code into legitimate binaries; and frequently using allowable services like Dropbox, Google Drive, SendGrid, and Constant Contact to host and distribute malware,” DeGrippo told Threatpost. “They are flexible and easy to access and use.”
Defending Against Email Attacks
Proofpoint said that it’s not releasing any campaign data, including victimology, geographic distribution of attacks or the volume of the activity – so it’s hard to say which businesses should be concerned. However, TA551 is known for widescale, global attacks that cast a big net. And, DeGrippo did offer the following tips for protection:
- Train users to spot and report malicious email: Regular training and simulated attacks can stop many attacks and help identify people who are especially vulnerable. The best simulations mimic real-world attack techniques. Look for solutions that tie into real-world attack trends and the latest threat intelligence.
- Ensure macros are disabled. Threat actors frequently distribute documents that require macros to be enabled to deploy the malicious payload. Also include macro-laden attack simulations in security training demonstrations.
- Assume that users will eventually click some threats. Attackers will always find new ways to exploit human nature. Your email security solution should analyze both external and internal email—attackers may use compromised accounts to trick users within the same organization. Web isolation can be a critical safeguard for unknown and risky URLs.
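The second tip above, “ensure macros are disabled,” is the one a defender can actually verify on an endpoint. The following PowerShell audit script is an added example and is not code from the article or from Proofpoint. It reads the documented Office macro policy values (VBAWarnings and blockcontentexecutionfrominternet) from the registry and reports whether each application is configured so that a macro-laden Word attachment, like the ones described in this campaign, cannot run its payload. It assumes a modern Office install whose registry version key is 16.0 (Office 2016/2019/Microsoft 365); adjust $OfficeVersion for other versions.

```powershell
# Added example (not from the article or Proofpoint): audit whether Office macro
# settings on this host match the "ensure macros are disabled" guidance.
# Assumption: Office registry version key "16.0"; change $OfficeVersion otherwise.
$OfficeVersion = "16.0"
$Apps = @("Word", "Excel", "PowerPoint")

# Documented meanings of the VBAWarnings policy value
$VbaWarningsMeaning = @{
    1 = "Enable all macros (not recommended)"
    2 = "Disable all macros with notification"
    3 = "Disable all except digitally signed macros"
    4 = "Disable all macros without notification"
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try {
        return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null   # key or value not present
    }
}

function Get-MacroPolicyStatus {
    param([string]$App)
    # The Group Policy location takes precedence over the per-user Trust Center setting
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security"

    $vba    = Get-RegValue $policyKey "VBAWarnings"
    $source = "policy"
    if ($null -eq $vba) {
        $vba    = Get-RegValue $userKey "VBAWarnings"
        $source = "user"
    }

    # "Block macros from running in Office files from the Internet" (Mark-of-the-Web)
    $motw = Get-RegValue $policyKey "blockcontentexecutionfrominternet"

    if ($null -ne $vba -and $VbaWarningsMeaning.ContainsKey([int]$vba)) {
        $meaning = $VbaWarningsMeaning[[int]$vba]
    } else {
        $meaning = "not set (Office default: disable all macros with notification)"
    }

    [PSCustomObject]@{
        App                 = $App
        VBAWarnings         = $vba
        VBAWarningsSource   = $source
        VBAWarningsMeaning  = $meaning
        BlockInternetMacros = ($motw -eq 1)
        # Compliant only when macros are blocked (signed-only or fully disabled)
        # AND Internet-sourced files cannot run macros at all.
        Compliant           = (($vba -eq 3 -or $vba -eq 4) -and ($motw -eq 1))
    }
}

$Apps | ForEach-Object { Get-MacroPolicyStatus $_ } | Format-Table -AutoSize
```

Run it in the context of the user being audited, since both keys live under HKCU. A row showing VBAWarnings of 2 (the Office default, “disable with notification”) is exactly the state the article warns about: the document opens, the yellow bar invites the user to “Enable Content,” and the thread-hijacked lure does the rest. Values 3 or 4 set by policy, together with blockcontentexecutionfrominternet = 1, remove that decision from the user.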