Hackers of TA577 Group Shift Tactics, Utilizing Phishing to Snatch NTLM Authentication Hashes

Cyber Attack

TA577, known for its association with Qbot and Black Basta ransomware infections, has altered its strategy by employing phishing emails to pilfer NT LAN Manager (NTLM) authentication hashes. Email security firm Proofpoint observed two distinct TA577 campaigns on February 26 and 27, 2024, targeting organizations globally, aiming to acquire employees' NTLM hashes.

NTLM hashes, used in Windows authentication, can be exploited for offline password cracking or "pass-the-hash" attacks, facilitating privilege escalation, account hijacking, and lateral movement within networks.

The phishing campaign was initiated with emails masquerading as replies to previous discussions, featuring unique ZIP archives containing HTML files. These files, once opened, automatically connect to a remote Server Message Block (SMB) server, triggering NTLMv2 Challenge/Response and enabling hash theft.

Proofpoint highlighted non-standard artefacts on the SMB servers, including Impacket, signalling their involvement in phishing attacks. While disabling multi-factor authentication may enable threat actors to breach networks, stolen hashes could also serve reconnaissance purposes.

Possible mitigation strategies include configuring firewalls to block outbound SMB connections, implementing email filtering to intercept zipped HTML files, and restricting NTLM outgoing traffic. Additionally, Microsoft's security feature in Windows 11 blocks NTLM-based attacks over SMBs, offering enhanced protection against such threats.