Highlights
- TA577 is a cybercriminal group that typically delivers malware.
- In this instance, TA577 used thread-hijacking emails with zipped HTML attachments to target SMB servers.
- The emails were sent in February of 2024.
- Once opened, the HTML files would attempt to connect to the SMB server to steal NTLM hashes.
- Proofpoint researchers believe TA577 then uses these hashes to crack passwords or move laterally within a network.
https://www.proofpoint.com/us/blog/threat-insight/ta577s-unusual-attack-chain-leads-ntlm-data-theft
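
A defensive triage check for the attachments described above, as an added example that is not taken from the Proofpoint report: it scans the HTML members of a zip for references to a remote SMB host. It assumes such a reference is written as a `file://host/...` URI or a `\\host\share` UNC path; the function names and the sample archive are constructed for illustration.

```python
import html
import io
import re
import zipfile
from urllib.parse import unquote

# Assumption: a remote SMB reference is written as file://host/... (two or
# four-plus slashes; three means a local path) or as a \\host\share UNC path.
SMB_REF = re.compile(
    r"(?:\bfile:(?:[/\\]{2}|[/\\]{4,})|(?<![\\/:])\\\\)"
    r"([A-Za-z0-9][A-Za-z0-9.-]*)[/\\]",
    re.IGNORECASE,
)
LOCAL_HOSTS = {"localhost", "127.0.0.1"}
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # read cap per member, guards against zip bombs


def find_smb_references(zip_bytes):
    """Return sorted (member, host) pairs for remote SMB references in HTML members."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if not info.filename.lower().endswith((".html", ".htm")):
                continue
            with archive.open(info) as member:
                raw = member.read(MAX_MEMBER_BYTES)
            # Undo entity and percent encoding so encoded slashes still match.
            text = unquote(html.unescape(raw.decode("utf-8", errors="replace")))
            for match in SMB_REF.finditer(text):
                host = match.group(1).lower()
                if host not in LOCAL_HOSTS:
                    hits.add((info.filename, host))
    return sorted(hits)


def build_sample_zip():
    """Constructed sample archive: two members with remote references, one benign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice.html", '<a href="file://198.51.100.7/share/a.txt">open</a>')
        archive.writestr("readme.htm", '<a href="\\\\FileServer.example\\docs\\a.txt">open</a>')
        archive.writestr("notes.html", '<a href="https://example.com/">x</a>'
                                       '<img src="file:///C:/logo.png">')
    return buf.getvalue()


if __name__ == "__main__":
    for member, host in find_smb_references(build_sample_zip()):
        print(f"{member}: references remote SMB host {host}")
```

A hit is a reason to quarantine the attachment and to check egress logs for outbound SMB connections to the reported host.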