Since the beginning of 2024, specialists at F.A.C.C.T., a Russian developer of cybersecurity technologies, have identified over a thousand malware-laden phishing campaigns targeting enterprises, government agencies, and banks in Russia and Belarus. Analysts from the company's Threat Intelligence department attributed these attacks to the TA558 group.
TA558 is a cybercriminal group that has been active since 2018. The group's primary targets include financial institutions, government organizations, and travel companies. The hacker group uses multi-stage phishing attacks and social engineering techniques to deploy malware hosted on legitimate servers.
Recent TA558 attacks are characterized by the use of steganography to conceal data inside files and images, and by malicious attachments with names like "Love" and "Kiss." The main payloads are Agent Tesla (an infostealer with remote-control features) and Remcos, a remote access trojan (RAT). These tools let attackers capture video from webcams, control the clipboard and mouse, collect system information, and steal user data.
Notably, the group continues to exploit CVE-2017-11882, a memory-corruption flaw in the legacy Equation Editor component of Microsoft Office. Microsoft patched it in November 2017, so the exploit only succeeds against installations that have not been updated since then.
The F.A.C.C.T. Managed XDR system successfully blocked all malicious emails sent to clients.