Threat Actors Team Up for Post-Holiday Phishing Email Surge

Just like you and me, cyberattackers returned from winter break and immediately started sending thousands of emails.


Last week, two different threat actors teamed up to send thousands of post-holiday-break phishing emails destined for North American organizations.

Other than volume, the campaign was fairly standard fare. What's more interesting, perhaps, is the timing of the campaign — and the relationship of the perpetrators behind it.

The emails contained lazy subject lines and corporate hooks (e.g., "Hi, In Attached you will find the invoice for December 2023."). Users who clicked the OneDrive link contained in an attached PDF were served a duo of custom malware: a downloader called "WasabiSeed" and the self-explanatory "Screenshotter." Proofpoint, which wrote about the campaign on Thursday, blocked the emails before they reached their intended destinations.
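A triage check for the delivery chain described above (email, attached PDF, OneDrive link), as an added example that is not from the article or from Proofpoint. The OneDrive host list, the function names and the sample message are assumptions constructed for illustration.

```python
import re
import zlib
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")  # literal-string /URI targets only
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)

def pdf_uris(pdf: bytes) -> list[str]:
    """Collect /URI link targets, including those inside Flate-compressed streams."""
    bodies = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # stream is not Flate data (image, font, ...)
    uris = []
    for body in bodies:
        for m in URI_RE.finditer(body):
            uri = re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
            if uri not in uris:
                uris.append(uri)
    return uris

def is_onedrive(uri: str) -> bool:
    """Assumed host list for OneDrive share links; adjust to local policy."""
    host = (urlsplit(uri).hostname or "").lower()
    return host in ("1drv.ms", "onedrive.live.com") or host.endswith("-my.sharepoint.com")

def triage(raw_email: bytes) -> list[tuple[str, str]]:
    """Return (attachment name, URL) for each OneDrive link found in a PDF attachment."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/pdf":
            hits += [(part.get_filename(), u) for u in pdf_uris(part.get_content()) if is_onedrive(u)]
    return hits

def sample_email() -> bytes:
    """Constructed sample message, not an artifact from the campaign."""
    annot = b"<< /Subtype /Link /A << /S /URI /URI (https://onedrive.live.com/download?id=EXAMPLE) >> >>"
    pdf = (b"%PDF-1.7\n1 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
           + zlib.compress(annot) + b"\nendstream\nendobj\n%%EOF\n")
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "Invoice", "billing@example.com", "ap@example.org"
    msg.set_content("Hi, In Attached you will find the invoice for December 2023.")
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(sample_email()))
```

A hit is a reason to hold the message for review, not a verdict: legitimate invoices also link to OneDrive, and links stored as hex strings or behind other stream filters are not covered by this sketch.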

To the more interesting point, the main culprit, which Proofpoint tracks as TA866, was nearly silent for nine months prior. Its co-conspirator, TA571, seems to have been offline during the winter break. But after enjoying some hot chocolates and holiday cheer, TA866 used TA571 to successfully deliver its low-grade malicious content on a mass scale.

Spammers Team up with Traffic Distributors

TA866 has been active since at least October 2022. In its first few weeks of operation, though, it was relatively tame, sending only a limited number of emails to a small number of organizations.

By the end of 2022, the group started linking to the URLs of malicious content via traffic distribution systems (TDSes). TDSes are an increasingly popular middleman of the cyber underground, connecting phishers to malicious content providers and filtering the victim traffic in between for maximum profit.

Just as quickly as it made this switch, TA866's campaigns exploded to thousands of emails per go-around. It seems to be sticking with that formula, as this latest campaign utilizes TA571's TDS to distribute the malicious PDFs.

TA866 isn't TA571's only partner-in-crime, though. Last month, Proofpoint revealed a new threat actor, "BattleRoyal," which, like TA866, utilized TDS networks to spread malicious URLs. Since then, it has become clear that BattleRoyal, too, was making use of TA571's services.

"Oftentimes in this ecosystem of cybercrime, each actor has their own job. You have people sending spam, people selling loaders, people doing the post-exploitation reconnaissance, and then at that point, they might sell access to a ransomware threat actor," explains Selena Larson, Proofpoint senior threat intelligence analyst. For example, previous TA866 campaigns involved the Rhadamanthys stealer, a Dark Web offering used for nabbing crypto wallets, Steam accounts, passwords from browsers, FTP clients, chat clients (e.g. Telegram, Discord), email clients, VPN configurations, cookies, files, and more.

Major Threat Actors Take a Holiday

Besides the TDS partnerships, the timing of last week's attack may also reflect something deeper about today's cybercrime underground.

Just as surely as Mariah Carey can be heard on the radio right around the turn of winter every year, the cybersecurity community raises warning flags about incoming holiday attacks. But as Larson explains, "we do tend to see a decrease in activity from some of the more high-volume, somewhat more well-resourced cybercrime groups that do more malware delivery, and can lead to things like, potentially, ransomware.

"We often see some of the major e-crime actors take breaks around the holidays. Emotet used to be the best example for this, regularly dropping off in December through mid-January. This year, for example, TA571 took a break between mid-December and the second week of January," she says. Larson also notes that in some parts of the world, the holiday season extends deeper into January than it does in the US.

In other words, the more serious threat actors who took Christmas off may just be getting back online around now.

"Proofpoint is also observing other actors return from traditional end-of-year holiday breaks," the company noted in its blog, "and thus the overall threat landscape activity [is] increasing."

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
