On the last day of May, one of my inboxes started receiving emails purporting to come from one of the owners of the yoga studio I attend. They appeared to be replies to a message I had sent in January through the studio’s website, a question the co-owner had resolved the next day by email. Now there she was, four months later, emailing me again.
“Listed below are the documents we discussed last week,” the author of the email wrote. “Contact me if you have any questions about the attached files.” A password-protected zip file was attached. Below the body of the message was the reply the co-owner had sent me in January. These emails kept arriving once or twice a day for the next two weeks, each from a different address. The files and passwords changed often, but the basic format, including the January email thread, remained consistent.
With the help of researchers from security firm Proofpoint, I now know that the emails are the work of a criminal group they call TA578. TA578 is what is known in the security industry as an initial access broker. This means that it compromises end-user devices en masse opportunistically, spamming as many addresses as possible with malicious files. The gang then sells access to the machines they compromise to other threat actors for use in ransomware, cryptojacking, and other types of campaigns.
What is Thread Hijacking?
Somehow the members of the group obtained the message I sent to my yoga studio. The simplest explanation is that the studio owner’s computer or email account was compromised, but there are other possibilities. With my email address and the genuine email the owner sent me in January, TA578 had the raw materials to ply its trade.
“The messages in this campaign appear to be replies to previous, benign threads,” Proofpoint wrote in an email responding to questions. “This technique is called thread hijacking. Threat actors use this technique to trick the recipient into thinking they are interacting with someone they trust, so they are less likely to be suspicious of downloading or opening attachments that might be sent to them as part of the conversation. Threat actors typically steal these benign messages through prior malware infections or account compromises.”
Once unpacked, the attached files installed Bumblebee, a malicious downloader that several malicious actors use to download and run additional payloads on the compromised machine. Proofpoint first observed threat actors using Bumblebee in email campaigns in March.
The attachments to the emails I received contained an ISO or IMG disk image along with an LNK shortcut file and a DLL file. The LNK file runs the DLL at a specific entry point to start the malware. According to Proofpoint, TA578 Bumblebee campaigns typically go on to download second-stage payloads of Cobalt Strike and Meterpreter.
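As an added illustration (not code from the article or from Proofpoint), the Python script below scores a constructed message against the indicators described above: a reply that quotes a months-old thread, a sender address whose domain does not match the quoted original participant, a password mentioned in the body, and an archive attachment. The quote-header format, the 60-day threshold and all addresses are assumptions.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr, parsedate_to_datetime

# Container types used by the campaign described above (zip wrapping ISO/IMG).
ARCHIVE_EXT = (".zip", ".iso", ".img")
# Assumed quote-header format of the mail client; adjust for real data.
QUOTE_RE = re.compile(r"On (.+?), (\S+@\S+) wrote:")
STALE_DAYS = 60  # assumed threshold for "an old thread being revived"

def build_sample() -> EmailMessage:
    """Constructed lure modelled on the article: a reply to a January thread,
    sent from an unrelated domain, with a password-protected zip attached."""
    msg = EmailMessage()
    msg["From"] = "Studio Owner <owner@unrelated-host.test>"
    msg["To"] = "me@example.test"
    msg["Subject"] = "Re: Question about class times"
    msg["Date"] = "Tue, 31 May 2022 09:12:00 +0000"
    msg.set_content(
        "Listed below are the documents we discussed last week.\n"
        "The password for the archive is 4471.\n\n"
        "On Wed, 12 Jan 2022 10:05:00 +0000, owner@yoga-studio.test wrote:\n"
        "> Thanks for reaching out, see you at the Thursday class.\n")
    msg.add_attachment(b"PK\x03\x04 constructed stub, not a real archive",
                       maintype="application", subtype="zip",
                       filename="documents.zip")
    return msg

def hijack_indicators(msg: EmailMessage) -> list[str]:
    """Return the thread-hijacking indicators present in one message."""
    found = []
    sender = parseaddr(str(msg["From"]))[1].lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    quoted = QUOTE_RE.search(body)
    if quoted:
        orig_date, orig_addr = quoted.groups()
        # A genuine reply from the quoted participant should share their domain.
        if orig_addr.lower().rsplit("@", 1)[1] != sender.rsplit("@", 1)[1]:
            found.append("sender_domain_mismatch")
        age = parsedate_to_datetime(str(msg["Date"])) - parsedate_to_datetime(orig_date)
        if age.days > STALE_DAYS:
            found.append("stale_thread")
    if re.search(r"\bpassword\b", body, re.IGNORECASE):
        found.append("password_in_body")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(ARCHIVE_EXT):
            found.append("archive_attachment")
    return found

if __name__ == "__main__":
    print(hijack_indicators(build_sample()))
```

A single indicator is weak on its own; the combination of a revived old thread, a mismatched sender and a password-protected archive is what makes the pattern worth flagging at the mail gateway.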
Luckily, I knew almost immediately that the emails were malicious, but it’s not hard to see how some people might fall for this. Who would have thought that a routine message sent to a yoga studio would open the door to a malware attack?
I emailed the owner and explained the chain of events and warned that an account or machine the studio was using was almost certainly compromised. I never received a response. When I followed up by sending another message via the studio’s webpage, someone replied, “I’m sorry to hear that you are receiving this type of communication, but there is no system or server on our side that would email you. I’m double-checking to make sure it’s not something wrong on your side.”
All this to say that receiving these types of malicious emails is pretty much a reality in 2022. If you shop or socialize online, it’s almost inevitable that someone in the chain will be compromised, and that end point will be exploited in the hope of infecting you.
The takeaway: expect to receive malicious emails from people or addresses you think you recognize using real threads you’ve received in the past. When something seems off, take a step back and start a discussion in a separate thread or call the person directly. And as my experience with my yoga studio shows, don’t expect the other person to understand what’s going on. Above all, do not click on links or open attachments.