Authors: Jon Armer, Renée Burton, Minh Hoang, Vadym Tymchenko
From 20 May through 6 June, Infoblox observed a series of large malicious spam (malspam) campaigns distributing a new malware available on the dark web, coined Taurus Project by its developers. It is advertised in Russian forums as an information stealer (infostealer) with a wide array of capabilities, including stealing VPN, social media, and cryptocurrency credentials; and taking screenshots of the victim’s desktop. It can also exfiltrate the system’s software installation and configuration information, which gives an attacker the ability to further exploit the compromised machine. The malware is advertised to work in both Google Chrome and Gecko-based browsers, and designed not to launch in certain countries that were formerly part of the Soviet Union.
Authors of the Predator the Thief infostealer promoted the new software in Russian hacker forums in early April 2020. These threat actors disavowed any connection to its development or sale, and further indicated that Predator was “closed” and presumably no longer for sale. Infoblox’s research and analysis found noticeable similarities between the two malware, including similar lures, command and control (C2) servers, etc. We have previously written Cyber Campaign Briefs on Predator the Thief.
All of the specific Taurus Project campaigns we analyzed share a number of overlapping similarities that indicate they originate from the same threat actor, despite differences in certain aspects such as subject lines, sender names, and the type of lure used. Our analysis indicates this actor is maturing their deployment process, so we expect to see more campaigns delivering Taurus Project in the future.
The campaigns we observed were widespread and consisted of emails with subject lines that initially urged the recipient to open the enclosed attachment, then later changed to lures that refer to an agreement or include some form of threat of legal action. In our final example, they masqueraded as eBay. The attacks targeted a range of industry sectors, including finance and home goods.
The emails were all in English, though they showed signs of automatically generated content and translation software typical of hackers operating outside of their native language. All of the emails are in HTML format, which is rendered by default in most email clients.
Across the campaigns, we observed the actor adjusting their deployment methods. They initially used a single attached document and later used embedded URLs in the bodies of the emails. We were able to connect the campaigns to a single infrastructure through several means.
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.