TAG-124: A Deep Dive Into The Traffic Distribution System Powering Malware Campaigns
Summary: Cybersecurity researchers at Insikt Group have identified TAG-124, a sophisticated traffic distribution system (TDS) utilized by various cybercriminal groups to disseminate malware and phishing content. This system operates through a network of compromised WordPress sites, dynamically rerouting users to malicious sites while evading detection. The report emphasizes the significant activity level of TAG-124’s operators and their ongoing enhancements to the infrastructure and techniques used for attacks.

Affected: Cybercriminal organizations and users of compromised WordPress websites

Key points:

  • TAG-124 utilizes a multi-layered TDS to distribute malware, phishing content, and fake updates.
  • The system includes compromised WordPress sites and actor-controlled payload servers, which helps it evade detection.
  • Notable threat actors linked to TAG-124 include operators of Rhysida and Interlock ransomware, among others.
  • Malicious JavaScript code on infected sites redirects users to download malware, often disguised as legitimate browser updates.
  • The ongoing activity of TAG-124’s operators indicates potential future evolution and adaptation in cyber threats.

Source: https://securityonline.info/tag-124-a-deep-dive-into-the-traffic-distribution-system-powering-malware-campaigns/