TA551 Shifts Tactics to Install Sliver Red-Teaming Tool


Aug 17, 2014
The criminal threat group known as TA551 has added the Sliver red-teaming tool to its bag of tricks – a move that may signal ramped-up ransomware attacks ahead, researchers said.

According to Proofpoint researchers, TA551 (aka Shathak) has been mounting cyberattacks that start with email thread hijacking – an increasingly popular tactic in which adversaries insert themselves into existing email conversations so the lure arrives as a reply to a message the victim recognizes. In one campaign observed this week, the messages carried password-protected ZIP archives containing Word documents. If the document is opened with macros enabled, the attachment ultimately leads to the download of Sliver, an open-source, cross-platform adversary simulation and red-team platform.
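The lure chain above (password-protected ZIP wrapping a macro-bearing Word document) is the piece a mail-gateway or triage analyst can check mechanically before anyone clicks. The following script is an added example, not code from Proofpoint, Threatpost or the Sliver project: it inspects a ZIP attachment using only the Python standard library, reports whether members are ZIP-encrypted (general-purpose flag bit 0), and for each Word member decides whether it is an OOXML file embedding a VBA project (`word/vbaProject.bin`) or a legacy OLE binary that needs a dedicated parser such as oletools' olevba (named here as an assumption about tooling, not something the article mentions). The sample archive is constructed in memory; since `zipfile` cannot write password-protected archives, the constructed sample is unencrypted, while the password path is exercised only when a real encrypted attachment is supplied.

```python
"""Triage a ZIP email attachment for a macro-bearing Word lure.

Added example (not from the original article or any vendor).
Assumptions: OOXML Word files store VBA as word/vbaProject.bin;
traditional ZIP encryption sets bit 0 of the general-purpose flag.
"""
import io
import zipfile
from typing import Optional

WORD_EXTENSIONS = (".doc", ".docm", ".docx", ".dot", ".dotm")
# Compound File Binary (OLE2) magic used by legacy .doc/.dot files
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def docx_has_macros(data: bytes) -> bool:
    """True if an OOXML Word document embeds a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return "word/vbaProject.bin" in doc.namelist()
    except zipfile.BadZipFile:
        return False


def triage_zip_attachment(blob: bytes, password: Optional[bytes] = None) -> dict:
    """Inspect a ZIP attachment and summarise what a gateway should flag."""
    result = {
        "encrypted": False,      # any member uses ZIP encryption
        "needs_password": False, # a Word member could not be read without a password
        "word_docs": [],         # members with a Word extension
        "macro_docs": [],        # OOXML members carrying word/vbaProject.bin
        "legacy_ole_docs": [],   # binary .doc files: hand to olevba for macro analysis
    }
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        if password:
            zf.setpassword(password)
        for info in zf.infolist():
            if info.flag_bits & 0x1:
                result["encrypted"] = True
            if not info.filename.lower().endswith(WORD_EXTENSIONS):
                continue
            result["word_docs"].append(info.filename)
            try:
                data = zf.read(info)
            except RuntimeError:
                # zipfile raises RuntimeError for a missing or wrong password
                result["needs_password"] = True
                continue
            if docx_has_macros(data):
                result["macro_docs"].append(info.filename)
            elif data.startswith(OLE_MAGIC):
                result["legacy_ole_docs"].append(info.filename)
    return result


def build_sample_lure(with_macro: bool = True) -> bytes:
    """Construct a stand-in lure archive (synthetic, not a real TA551 sample)."""
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as d:
        d.writestr("[Content_Types].xml", "<Types/>")
        d.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            d.writestr("word/vbaProject.bin", b"\x00VBA placeholder\x00")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("request.docm" if with_macro else "request.docx", docm.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    print(triage_zip_attachment(build_sample_lure()))
```

For a real attachment, pass the bytes of the ZIP and, if the mail body supplied a password, `password=b"..."`; a result with `encrypted` set and `needs_password` true is already a strong signal even before the macro check runs, because legitimate correspondents rarely send encrypted archives with the password in the same message.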

The activity demonstrates a “significant departure” from previous tactics, techniques and procedures (TTPs) from TA551, according to Proofpoint. Typically, the end goal for TA551 has been to drop an initial-access/banking trojan such as IcedID, Qbot or Ursnif (and Emotet in the past), which eventually led to ransomware attacks. For instance, IcedID implants were associated with Maze and Egregor ransomware events in 2020, the firm determined.

“Typically, TA551 uses more commodity malware like banking trojans,” Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, told Threatpost. “They would compromise a victim and potentially broker access to enable the deployment of Cobalt Strike and eventually ransomware. Now with Sliver, they don’t need to rely on other groups for access. The threat actor is able to break in on their own with much more flexibility in pushing ransomware, stealing data or doing any lateral movements through the target