Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Tatar-language users. Show all posts

TA866 Threat Actor: Python Malware Targets Tatar-language Users


Cybersecurity researchers have discovered a new Python malware that has been targeting Tatar language-speaking users. Tatar is a Turkish native language, spoken mostly by Tatars, an ethnic group based in Russia and its neighbouring nations. 

The Cyble-based Python malware is designed such that it can capture screenshots on the targeted systems and transfer them to a remote server through FTP (File Transfer Protocol).

FTP enables files and folders to be transferred from a host (targeted system) to another host via a TCP-based network, like the Internet. 

The threat actors behind the campaign are the notorious TA866, which has a history of targeting Tatar language speakers and utilizing Python malware to conduct their operations. 

How Does TA866 Use Python Malware? 

The Tartar Republic Day coincided with the use of this new Python malware by the threat actor TA866, according to CRIL. Up until the end of August, these attacks coincided with the Tartar Republic Day.

The report claims that the threat actor known as TA866 uses a PowerShell script "responsible for taking screenshots and uploading them to a remote FTP server."

Phishing emails are used by threat actors to select victims for the Python malware attack. These emails have a malicious RAR file encoded within them.

The file includes two innocuous files: a video file and a Python-based executable masquerading as an image file with a dual extension.

  • After being executed, the loader starts a chain of events. It downloads a zip file from Dropbox that contains two PowerShell scripts and an additional executable file.
  • These scripts make it easier to create a scheduled activity that will allow the malicious executable to run.

According to Proofpoint, the threat actor’s operations lead them to a financially motivated activity called “Screentime.” 

TA866 Threat Actors and Their Use of Custom Hacking Tools

The hackers are able to conduct these complex attacks because of their successful attempts to develop their own sophisticated tools and services. Notably, the financially motivated threat actor TA866 has connected similar operations targeting German and American organizations.

CRIL claims that the threat actor infects the victim's computers with the Python tool via the RAR file. However, it must first travel through a chain of infections before it can launch the final payload. This includes making use of Tatar-language filenames to hide. 

The threat actor employs a malicious application that shows the victims a message while covertly running PowerShell scripts to take screenshots and send them to an FTP site. 

The subsequent step of TA866 involves the deployment of further malicious software, which may include the Cobalt Strike beacon, RATs (Remote Access Trojans), stealers, and other harmful programs.

Considering the sophisticated payloads and malware used in the attacks, it can be concluded that it is definitely not a rookie organization, but a group of skilled cybersecurity personnel, including experts in designing advanced malware strains and payloads.