Python Malware Targets Tatar-Language Users: TA866 Threat Actor Strikes Again

Researchers have found new Python-based malware targeting Tatar-speaking users. Tatar is a Turkic language spoken primarily by the Tatars, an ethnic group concentrated in the Russian republic of Tatarstan and neighboring regions.

The malware, documented by Cyble Research and Intelligence Labs (CRIL), captures screenshots of the victim's system and sends them to a remote server over FTP (File Transfer Protocol).

FTP transfers files between hosts over a TCP-based network such as the internet. It offers no encryption: the login credentials the script uses and every uploaded screenshot cross the network in cleartext, so this exfiltration channel is visible to ordinary network monitoring.

The campaign is attributed to TA866, a well-known threat actor that targets Tatar-speaking users with this Python malware as part of its operations.

Here’s how the TA866 threat actor uses Python malware

Figure: Screenshotter kill chain (Source: Cyble)

CRIL found that TA866 timed the campaign to Tatarstan's Republic Day (30 August), with activity continuing through the end of August.

According to the research, the TA866 threat actor employs a PowerShell script “responsible for taking screenshots and uploading them to a remote FTP server.”

The attack begins with phishing emails carrying a malicious RAR archive as an attachment.

The archive contains two seemingly innocuous files: a video file and a Python-based executable disguised as an image by means of a double extension, so that the name shows an image suffix while the file actually runs as a program.
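As an added example (not Cyble's code and not anything from the campaign), here is a Python screen for archive member names that flags the lure pattern described above: a double extension that shows an image or video suffix but executes as a program, plus two related tricks (a right-to-left override character and whitespace padding). The member names are constructed for illustration; Cyrillic names, such as the Tatar-language filenames the report mentions, are handled as ordinary text and are not by themselves treated as suspicious.

```python
import unicodedata
from dataclasses import dataclass, field

# Extensions Windows will execute, and harmless-looking ones a lure tends to imitate.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "ps1", "vbs", "js", "hta", "lnk", "msi"}
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "bmp", "mp4", "avi", "mkv", "mov", "pdf", "doc", "docx", "txt"}
RTLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: makes "x\u202egpj.exe" display as "xexe.jpg"


@dataclass
class Finding:
    name: str
    reasons: list = field(default_factory=list)


def _extensions(name: str) -> list:
    """Lower-cased, stripped suffixes after the first dot. NFC normalisation makes
    composed and decomposed Cyrillic (as in Tatar filenames) compare equally."""
    parts = unicodedata.normalize("NFC", name).lower().split(".")
    return [p.strip() for p in parts[1:]] if len(parts) > 1 else []


def screen_entry(name: str) -> Finding:
    finding = Finding(name)
    exts = _extensions(name)
    runs_as_program = bool(exts) and exts[-1] in EXECUTABLE_EXTS
    if runs_as_program and len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        finding.reasons.append(f"double extension: shown as .{exts[-2]}, executes as .{exts[-1]}")
    if RTLO in name:
        finding.reasons.append("contains RIGHT-TO-LEFT OVERRIDE, displayed name differs from real name")
    if runs_as_program:
        stem = name[: name.rfind(".")]
        if stem != stem.rstrip():
            finding.reasons.append("whitespace padding pushes the real extension out of view")
    return finding


def screen_archive(names) -> dict:
    """Screen every member and report whether the archive pairs a decoy media
    file with something executable, the combination used in this lure."""
    findings = [screen_entry(n) for n in names]
    last = [(_extensions(n) or [""])[-1] for n in names]
    return {
        "suspicious": [f for f in findings if f.reasons],
        "decoy_with_executable": any(e in EXECUTABLE_EXTS for e in last)
        and any(e in DECOY_EXTS for e in last),
    }


# Constructed member names mirroring the report's description (not real samples).
SAMPLE_ENTRIES = ["Татарстан_бәйрәме.mp4", "фото.jpg.exe"]

if __name__ == "__main__":
    result = screen_archive(SAMPLE_ENTRIES)
    for f in result["suspicious"]:
        print(f.name, "->", "; ".join(f.reasons))
    print("decoy + executable pairing:", result["decoy_with_executable"])
```

The pairing check matters as much as the per-file check: a lone `.exe` in an archive is common, but an archive that ships a media file next to an executable whose name imitates media is the shape of this lure and is worth quarantining at the mail gateway.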

Figure: Files inside the RAR archive (Source: Cyble)

Once the executable runs, the loader fetches a ZIP archive from Dropbox that contains a further executable and two PowerShell scripts.

Figure: PowerShell script (Source: Cyble)

The scripts create a scheduled task that runs the malicious executable, giving the malware a persistence mechanism.
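Defenders can hunt for this persistence step by reading the task definitions Windows stores as XML under C:\Windows\System32\Tasks (a single task can also be exported with `schtasks /Query /TN <name> /XML`). The following is an added example, not code from the report, that flags tasks whose action runs from a user-writable directory or launches PowerShell with window-hiding or policy-bypass switches. The two task definitions are constructed and the paths in them are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML (the files under C:\Windows\System32\Tasks).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories an unprivileged user can write to; legitimate scheduled tasks
# rarely execute from them. Adjust the list to the environment (assumption).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Tmp|Downloads|Public|ProgramData)\\", re.IGNORECASE)
# PowerShell switches that hide the window or disable policy/profile checks.
PS_EVASION = re.compile(
    r"-(?:enc(?:odedcommand)?|w\s+hidden|windowstyle\s+hidden|ep\s+bypass|exec(?:utionpolicy)?\s+bypass|nop|noprofile)\b",
    re.IGNORECASE,
)
POWERSHELL = re.compile(r"(?:powershell|pwsh)(?:\.exe)?$", re.IGNORECASE)


def screen_task_xml(xml_text: str) -> list:
    """Return the reasons a task definition looks like malicious persistence
    (an empty list means nothing matched)."""
    root = ET.fromstring(xml_text)
    reasons = []
    for action in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (action.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (action.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            reasons.append(f"action runs from a user-writable path: {cmd} {args}".rstrip())
        if POWERSHELL.search(cmd) and PS_EVASION.search(args):
            reasons.append(f"PowerShell launched with hiding/bypass switches: {args}")
    return reasons


# Constructed task definitions with hypothetical paths (not taken from the report).
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\alia\AppData\Roaming\screen.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Vendor\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, screen_task_xml(xml_text))
```

On a live host the task files are UTF-16 with a byte-order mark, so read them as bytes (`ET.parse(path)`) rather than decoding them first; the declaration in the file then drives the decoding. Pair this with Security event 4698 (scheduled task created) if auditing is enabled, which catches the creation moment rather than the leftover artifact.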

Figure: Python screenshot routine (Source: Cyble)

Proofpoint had previously tracked this threat actor, attributing it to a financially motivated activity cluster it named "Screentime." That attack chain begins much like the one seen in this Python malware campaign.

In both campaigns TA866 delivered its payloads, identified in the report as EmberCore and MirageVision, through an email attachment.

Proofpoint described the actor behind these campaigns as a "well-organized group capable of carrying out planned attacks on a large scale."

TA866 threat actor and their use of custom hacking tools

The group can mount attacks of this sophistication because it has developed its own custom tools and services.

Notably, TA866, a financially motivated actor, has been linked to similar campaigns against organizations in the United States and Germany.

According to CRIL, the RAR attachment is only the first stage: the infection passes through several steps before the final Python payload runs, and it uses Tatar-language filenames so the lure blends in with what the target expects to see and avoids drawing attention.

Figure: Base64-encoded PowerShell

The malicious executable displays a decoy message to the victim while silently running the PowerShell scripts that capture screenshots and upload them to the FTP server.
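One way to spot the exfiltration side of this on the network, added here as an example and not part of the report: because FTP is cleartext, a sensor such as Zeek records each control-channel command. The code below parses a few constructed, Zeek-style tab-separated FTP log lines (the column set is defined by the header row in the sample and is not claimed to match any vendor's exact schema) and flags hosts that upload several image files to an external server within a short window, the pattern a periodic screenshot uploader produces. The internal address ranges, thresholds and sample addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed internal address space (RFC 1918); anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IMAGE_TYPES = {"image/png", "image/jpeg", "image/bmp", "image/gif"}

# Constructed, Zeek-style tab-separated FTP log (not a real capture). The header
# row defines the columns; 203.0.113.45 is a documentation address standing in
# for the attacker's FTP server.
SAMPLE_FTP_LOG = """\
ts\tid.orig_h\tid.resp_h\tuser\tcommand\targ\tmime_type\treply_code
1693310400.10\t10.0.4.21\t203.0.113.45\tupl\tUSER\tupl\t-\t331
1693310401.20\t10.0.4.21\t203.0.113.45\tupl\tSTOR\tscreen_0001.png\timage/png\t226
1693310431.50\t10.0.4.21\t203.0.113.45\tupl\tSTOR\tscreen_0002.png\timage/png\t226
1693310461.80\t10.0.4.21\t203.0.113.45\tupl\tSTOR\tscreen_0003.png\timage/png\t226
1693310500.00\t10.0.4.33\t10.0.9.5\tbackup\tSTOR\tnightly.tar\tapplication/x-tar\t226
"""


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_ftp_log(text: str) -> list:
    """Header-driven parser: returns one dict per record, keyed by column name."""
    lines = [l for l in text.splitlines() if l and not l.startswith("#")]
    header = lines[0].split("\t")
    return [dict(zip(header, l.split("\t"))) for l in lines[1:]]


def find_screenshot_exfil(records, min_uploads=3, window_s=300) -> list:
    """Return (orig_h, resp_h, total_uploads) for each internal host that STORs
    at least min_uploads image files to one external server within window_s."""
    uploads = defaultdict(list)
    for r in records:
        if r["command"] != "STOR" or r["mime_type"] not in IMAGE_TYPES:
            continue
        if is_internal(r["id.resp_h"]):
            continue  # internal-to-internal transfers are out of scope here
        uploads[(r["id.orig_h"], r["id.resp_h"])].append(float(r["ts"]))

    hits = []
    for (src, dst), times in uploads.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window_s:
                start += 1
            if end - start + 1 >= min_uploads:
                hits.append((src, dst, len(times)))
                break
    return hits


if __name__ == "__main__":
    for src, dst, n in find_screenshot_exfil(parse_ftp_log(SAMPLE_FTP_LOG)):
        print(f"{src} uploaded {n} image files to external FTP server {dst}")
```

The MIME type comes from content inspection on the sensor, not the filename, so renaming the screenshots does not defeat the rule; an attacker who switches to FTPS or encrypts the files before upload would, which is why the rate and destination of uploads is the more durable signal.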

In a later phase, TA866 may deploy additional post-exploitation tools, potentially including a Cobalt Strike beacon, remote access trojans (RATs), information stealers and other malicious programs.

The range of payloads and malware in use indicates an established, well-resourced group with skilled malware developers rather than a rookie operation.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.