On the last day of May, one of my inboxes began receiving emails, purportedly from one of the owners of the yoga studio I visit. It concerned a message I sent in January through the studio’s website that had been resolved the following day in an email sent by the co-owner. Now, here she was, four months later, emailing me again.
“Listed below the documents we chatted regarding last week,” the email author wrote. “Contact me if you’ve got any queries about the attached files.” There was a password-protected zip file attached. Below the body of the message was the response the co-owner sent me in January. These emails started coming once or twice daily for the next couple of weeks, each from a different address. The files and passwords were often changed, but the basic format, including the January email thread, remained consistent.
With the help of researchers at security firm Proofpoint, I now know that the emails are the work of a crime group they call TA578. TA578 is what’s known in the security industry as an initial access broker. That means it compromises end-user devices en masse in an opportunistic fashion, spamming as many addresses as possible with malicious files. The gang then sells access to the machines it compromises to other threat actors, for use in ransomware, cryptojacking, and other types of campaigns.
What’s thread hijacking?
Somehow, group members got hold of the message I sent to my yoga studio. The simplest explanation would be the studio owner’s computer or email account was compromised, but there are other possibilities. With possession of my email address and the authentic email the owner had sent me in January, TA578 now had the raw materials to ply its trade.
“Messages in this campaign appear to be replies to previous, benign email threads,” Proofpoint wrote in an email responding to questions. “This technique is referred to as thread hijacking. Threat actors use this technique to make the recipient believe they are interacting with a person they trust so they are less likely to be suspicious about downloading or opening attachments they might be sent as part of the conversation. Threat actors commonly steal these benign messages through prior malware infections or account compromises.”
The files attached to the emails I received contained an embedded ISO or IMG file along with an LNK shortcut file and a DLL file. The LNK file is used to execute the DLL at a specific entry point to start the malware. Proofpoint says TA578 Bumblebee campaigns typically go on to download second-stage payloads of Cobalt Strike and Meterpreter malware.
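The attachment layout just described (a zip, often password-protected, wrapping an ISO or IMG that in turn carries an LNK shortcut and a DLL) is something a mail gateway or an analyst can triage without running anything. The script below is an added example written for this article; it is not Proofpoint's tooling or code from the article. The weights, threshold and signature checks are assumptions of my own, and both sample archives are constructed in memory: the "ISO" is a padded blob carrying a shell-link header and a PE stub, since building a real ISO 9660 filesystem is out of scope here.

```python
"""Heuristic triage of a zip attachment shaped like the lure in the article:
zip -> disk image (ISO/IMG) -> LNK shortcut + DLL.  Added example; the samples
are constructed, not taken from a real campaign."""
import io
import zipfile
from typing import List, Optional

# Windows shell link (.lnk) header: HeaderSize 0x4C followed by the ShellLink
# CLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
PE_MAGIC = b"MZ"                       # DOS stub that starts every EXE/DLL
PE_HEADER = b"PE\x00\x00"              # NT header signature that follows it
DISK_IMAGE_EXTS = (".iso", ".img")     # the container formats named above
ZIP_ENCRYPTED_FLAG = 0x1               # general-purpose bit 0 of a zip entry

# Assumed scoring; a real gateway would tune these against its own mail flow.
WEIGHTS = {
    "encrypted-member": 1,   # password-protected zips defeat content scanning
    "disk-image": 2,         # ISO/IMG attachments bypass mark-of-the-web checks
    "lnk-in-image": 2,       # a shortcut inside an image is the loader pattern
    "pe-in-image": 1,        # a DLL/EXE inside the image is the payload
    "loader-component": 2,   # LNK or DLL shipped directly in the zip
}
BLOCK_THRESHOLD = 3


def scan_image_blob(blob: bytes) -> List[str]:
    """Look for LNK and PE signatures inside a raw disk image.  ISO 9660 stores
    file contents uncompressed in 2048-byte sectors, so a byte search finds
    them without parsing the filesystem (cheap, but it is only a heuristic)."""
    hits = []
    if LNK_MAGIC in blob:
        hits.append("lnk-in-image")
    if PE_MAGIC in blob and PE_HEADER in blob:
        hits.append("pe-in-image")
    return hits


def triage_zip(zip_bytes: bytes, password: Optional[bytes] = None) -> dict:
    """Return indicators, a score and a verdict for one zip attachment.
    `password` is whatever the message body offered (the lures quote it in
    the email), so an analyst can let the scan look inside the wrapped image."""
    indicators = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            name = zi.filename.lower()
            encrypted = bool(zi.flag_bits & ZIP_ENCRYPTED_FLAG)
            if encrypted:
                indicators.append(f"encrypted-member:{zi.filename}")
            if name.endswith(DISK_IMAGE_EXTS):
                indicators.append(f"disk-image:{zi.filename}")
                # Only read the image if we actually can; an encrypted member
                # without the password still counts against the attachment.
                if not encrypted or password:
                    indicators.extend(scan_image_blob(zf.read(zi, pwd=password)))
            elif name.endswith((".lnk", ".dll")):
                indicators.append(f"loader-component:{zi.filename}")
    score = sum(WEIGHTS.get(ind.split(":")[0], 0) for ind in indicators)
    verdict = "block" if score >= BLOCK_THRESHOLD else "allow"
    return {"indicators": indicators, "score": score, "verdict": verdict}


def build_sample_lure() -> bytes:
    """Constructed stand-in for the lure: a zip holding 'documents.iso' whose
    contents are a padded blob with a shell-link header and a PE stub."""
    fake_iso = (
        b"\x00" * 2048 + b"CD001" + b"\x00" * 2043   # primary volume descriptor area
        + LNK_MAGIC + b"\x00" * 2028                  # pretend 'documents.lnk'
        + PE_MAGIC + b"\x00" * 62 + PE_HEADER + b"\x00" * 1982  # pretend DLL
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("documents.iso", fake_iso)
    return buf.getvalue()


def build_sample_benign() -> bytes:
    """Constructed benign attachment: a zip holding a small PDF-looking file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("schedule.pdf", b"%PDF-1.4\n% class schedule\n%%EOF\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("lure", build_sample_lure()), ("benign", build_sample_benign())):
        print(label, triage_zip(sample))
```

Because the zip member names are readable even when the contents are encrypted, the first two checks work on a password-protected archive at the gateway; the signature scan of the image needs the password the email body supplies, which is why the lure quoting it in the message is itself a useful indicator.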
Fortunately, I knew almost immediately that the emails were malicious, but it’s not hard to see how some people might fall for the ruse. Who would have thought that a routine message sent to a yoga studio would open the door to a malware attack?
I emailed the owner and explained the series of events and warned that an account or machine the studio was using was almost certainly compromised. I never received a response. When I followed up, by sending another message through the studio’s web page, someone responded: “I am sorry to hear that you have been receiving this type of communication but there is no system or server on our end that would be sending you emails. I would double-check to make sure it is not something going wrong on your end.”
All of which goes to say receiving these types of malicious emails is pretty much a fact of life in 2022. If you shop or socialize online, it’s almost inevitable someone in the chain will be compromised, and that endpoint will be exploited in the hopes of infecting you.
The takeaway: Expect malicious emails from people or addresses you think you recognize using real email threads you’ve received in the past. When something seems out of character, take a step back and either begin a discussion in a separate email thread or call the person directly. And as my experience with my yoga studio shows, don’t expect the other person to understand what’s going on. Above all else, don’t click on links or open attachments.