Positive Technologies: previously active only in Latin America, a well-known cyberattack group has reached Russia

In a new series of attacks, TA558 has employed a unique malware concealment technique for the first time

Experts from Positive Technologies Expert Security Center (PT ESC) have uncovered a series of international attacks. The distinct signature of these attacks leads the experts to believe that they are likely associated with the TA558 group, which was first identified in 2018 when it targeted companies in Latin America. Since then, the group has expanded its geographical scope and now includes companies in Turkey, Romania, and Russia among its most common victims.

Alexander Badaev, an information security threat researcher at PT ESC, comments: "In the attacks we studied, the group used steganography by transmitting payload files within images. Additionally, the attackers utilized text services. Both methods were used simultaneously in kill chains to better evade detection. Most of the malicious file names contained the word 'love,' which is why we named this operation SteganoAmor. We managed to reveal connections between different elements of the attacks and determine that they belonged to the same group."

TA558 uses legitimate services to store malicious code strings and images containing malicious code. The hackers have used widely-known malware such as Agent Tesla, FormBook, Remcos, LokiBot, GuLoader, Snake Keylogger, and XWorm.
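The report does not say which steganography variant TA558 used. One form that commodity loaders commonly rely on is simply appending an encoded payload after the image's legitimate end-of-file marker, so that the file still opens as a picture while the trailing bytes are fetched and decoded by the loader script. The following triage check is an added example written for this page, not code from Positive Technologies or from the campaign; it assumes that append-after-EOF form, walks PNG chunks and JPEG segments to find the real end of the image, and flags a trailing base64 blob that decodes to an MZ header. The sample images and payload are constructed inline.

```python
"""Triage check for payloads appended after an image's end-of-file marker.

Added example for this page (not from the Positive Technologies report).
Assumption: the payload is appended after the PNG IEND chunk or JPEG EOI
marker as a base64 blob; sample images and payload are constructed below.
"""
import base64
import binascii
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
B64_RUN = re.compile(rb"[A-Za-z0-9+/=\r\n]{64,}")   # long base64-looking run


def _png_end(image: bytes):
    """Walk PNG chunks and return the offset just past the IEND chunk."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(image):
        length, ctype = struct.unpack(">I4s", image[pos:pos + 8])
        pos += 8 + length + 4                      # header + data + CRC
        if ctype == b"IEND":
            return pos
    return None


def _jpeg_end(image: bytes):
    """Walk JPEG segments (including entropy-coded data after SOS) to EOI."""
    pos = 2
    while pos + 1 < len(image):
        if image[pos] != 0xFF:
            return None                            # malformed segment stream
        marker = image[pos + 1]
        if marker == 0xD9:                         # EOI: real end of image
            return pos + 2
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2                               # standalone markers, no length
            continue
        if pos + 4 > len(image):
            return None
        seglen = struct.unpack(">H", image[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:                         # SOS: skip scan data to next marker
            while pos + 1 < len(image):
                nxt = image[pos + 1]
                if image[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def trailing_data(image: bytes) -> bytes:
    """Bytes that follow the image's legitimate end marker (empty if none)."""
    if image.startswith(PNG_SIG):
        end = _png_end(image)
    elif image.startswith(JPEG_SOI):
        end = _jpeg_end(image)
    else:
        return b""
    return image[end:] if end is not None else b""


def analyse(image: bytes) -> dict:
    """Report trailer size, whether it holds a base64 run, and whether that
    run decodes to a PE (MZ) header."""
    trailer = trailing_data(image)
    result = {"trailer_bytes": len(trailer), "base64_blob": False, "decoded_pe": False}
    match = B64_RUN.search(trailer)
    if match:
        result["base64_blob"] = True
        blob = re.sub(rb"\s", b"", match.group(0))
        try:
            decoded = base64.b64decode(blob, validate=True)
        except binascii.Error:
            decoded = b""
        result["decoded_pe"] = decoded.startswith(b"MZ")
    return result


# --- constructed samples (not real campaign artefacts) ---
def make_png() -> bytes:
    """Minimal valid 1x1 grayscale PNG."""
    def chunk(ctype, data):
        body = ctype + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b"")


def make_jpeg() -> bytes:
    """Minimal JPEG-shaped byte stream: SOI, APP0, SOS with scan data, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return JPEG_SOI + app0 + sos + b"\x12\x34\xff\x00\x56" + b"\xff\xd9"


FAKE_PE = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60)   # constructed stand-in payload

if __name__ == "__main__":
    for name, img in (("clean.png", make_png()), ("clean.jpg", make_jpeg()),
                      ("stego.png", make_png() + FAKE_PE), ("stego.jpg", make_jpeg() + FAKE_PE)):
        print(name, analyse(img))
```

The check is deliberately conservative: a non-empty trailer alone is only worth a look (some editors leave harmless metadata there), while a long base64 run that decodes to an MZ header is a strong signal that the image is a carrier and the surrounding kill chain should be pulled for analysis.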

After analyzing all available information and research data, PT ESC specialists linked these attacks to the TA558 group, which normally targets companies in the tourism and hospitality sectors in Latin America. The analysis revealed numerous samples of TA558 malware used to target various sectors and countries. PT ESC experts intercepted several hundred phishing emails sent to different companies; over 50 of the attacks were aimed at Russian, Romanian, and Turkish companies.

In total, Positive Technologies specialists identified over 320 attacks targeting companies from 31 countries, including the U.S., Germany, and India. The most affected industries include manufacturing (21%), the service sector (16%), the public sector (16%), the electric power industry (8%), and construction (8%).

Detecting such attacks requires specialized security tools, and professionals in cyber incident investigation should be engaged for analysis and prevention. For instance, MaxPatrol SIEM can detect not only key events such as data theft but also the preceding stages, such as phishing and data transmission, using specific rules. MaxPatrol EDR can identify and stop TA558 malware on endpoints, including desktop computers, laptops, virtual workstations, and servers. PT Network Attack Discovery (PT NAD) can also detect TA558 activity; to search for TA558 group activity indicators in PT NAD, use the following filter: rpt.cat ~ "ESC-manual-ta558-*". PT NAD has over 40 rules for detecting malware used by TA558. PT Sandbox uses behavioral analysis to detect the malware TA558 employs in phishing attacks. The online service PT Knockin can proactively check whether corporate email security tools can handle TA558 attacks.