TA551 Shifts Tactics to Install Sliver Red-Teaming Tool

silversurfer

The criminal threat group known as TA551 has added the Sliver red-teaming tool to its bag of tricks – a move that may signal ramped-up ransomware attacks ahead, researchers said.

According to Proofpoint researchers, TA551 (aka Shathak) has been mounting cyberattacks that start with email thread hijacking – an increasingly popular tactic in which adversaries insert themselves into existing email conversations. In one campaign seen just this week, the messages carried password-protected ZIP archives containing Word documents. If a document is opened and macros are enabled, the attachment ultimately leads to the download of Sliver, an open-source, cross-platform adversary simulation and red-team platform.
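The lure pattern above (a password-protected archive wrapping a macro-capable Office document) can be triaged at a mail gateway without the password, because a classic ZIP's central directory (file names and flags) is never encrypted. The following Python script is an added example written for this post, not code from the Threatpost article or from Proofpoint; the extension lists, verdict names and sample archives are my own constructions. It flags an archive whose entries are marked encrypted and carry Office extensions, and it builds its own test archives by setting the encryption flag bit in the central directory, since the standard library cannot write encrypted ZIPs.

```python
import io
import struct
import zipfile
from pathlib import PurePosixPath

# Office extensions that can carry VBA macros (hypothetical allow-list for this
# example; tune it to what your gateway already tracks).
MACRO_CAPABLE = {".doc", ".dot", ".docm", ".dotm", ".xls", ".xlsm", ".xlsb", ".ppt", ".pptm"}
# Macro-free modern formats are still Office documents worth noting.
OFFICE_EXTS = MACRO_CAPABLE | {".docx", ".xlsx", ".pptx"}

# Bit 0 of the ZIP general-purpose flag marks an entry as encrypted.
ENCRYPTED_FLAG = 0x0001


def inspect_zip(data: bytes) -> dict:
    """Triage a ZIP blob using only its central directory (no password needed)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "not-zip", "entries": []}

    entries = []
    for info in zf.infolist():
        if info.is_dir():
            continue
        suffix = PurePosixPath(info.filename).suffix.lower()
        entries.append({
            "name": info.filename,
            "encrypted": bool(info.flag_bits & ENCRYPTED_FLAG),
            "office": suffix in OFFICE_EXTS,
            "macro_capable": suffix in MACRO_CAPABLE,
        })

    any_encrypted = any(e["encrypted"] for e in entries)
    encrypted_office = any(e["encrypted"] and e["office"] for e in entries)
    any_office = any(e["office"] for e in entries)

    if encrypted_office:
        verdict = "encrypted-office-lure"   # the pattern described in the report
    elif any_encrypted:
        verdict = "encrypted-archive"
    elif any_office:
        verdict = "office-document"
    else:
        verdict = "clean"
    return {"verdict": verdict, "entries": entries}


def build_sample(name: str, content: bytes, mark_encrypted: bool) -> bytes:
    """Construct a sample archive for testing (not a real captured lure).

    zipfile cannot write encrypted archives, so we write a plain archive and then
    set the encryption bit in each central-directory record. The payload is not
    really encrypted, which does not matter because inspect_zip reads metadata only.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        pos = data.find(b"PK\x01\x02")  # central-directory header signature
        while pos != -1:
            (flags,) = struct.unpack_from("<H", data, pos + 8)  # general-purpose flags
            struct.pack_into("<H", data, pos + 8, flags | ENCRYPTED_FLAG)
            pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(data)


if __name__ == "__main__":
    # Constructed samples: a protected archive wrapping a macro-capable .doc, the
    # same document unprotected, a protected non-Office file, and a non-ZIP blob.
    for label, blob in [
        ("protected .doc", build_sample("invoice_0817.doc", b"placeholder", True)),
        ("plain .doc", build_sample("invoice_0817.doc", b"placeholder", False)),
        ("protected .pdf", build_sample("statement.pdf", b"placeholder", True)),
        ("not a zip", b"MZ\x90\x00 not an archive"),
    ]:
        print(f"{label:15s} -> {inspect_zip(blob)['verdict']}")
```

The verdict `encrypted-office-lure` is the one that matches the campaign described above; a gateway can quarantine it, or route it to detonation with a password extracted from the message body, rather than letting it through because the scanner could not open the archive.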

The activity demonstrates a “significant departure” from previous tactics, techniques and procedures (TTPs) from TA551, according to Proofpoint. Typically, the end goal for TA551 has been to drop an initial-access/banking trojan such as IcedID, Qbot or Ursnif (and Emotet in the past), which eventually led to ransomware attacks. For instance, IcedID implants were associated with Maze and Egregor ransomware events in 2020, the firm determined.

“Typically, TA551 use more commodity malware like banking trojans,” Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, told Threatpost. “They would compromise a victim and potentially broker access to enable the deployment of Cobalt Strike and eventually ransomware. Now with Sliver, they don’t need to rely on other groups for access. The threat actor is able to break in on their own with much more flexibility to push ransomware, steal data or do any lateral movements through the target
 
