Getty Images
On the last day of May, one of my inboxes received emails claiming to be from one of the owners of the yoga studio I attend. It concerned a message I sent via the studio’s website in January, which was resolved in an email from the co-owner the following day. Here she was, four months later, emailing me again.
“Below are the documents we discussed last week,” the email author wrote. “Contact me if you have any questions about the attached files.” A password protected ZIP file was attached. Below the text of the message was the reply the co-owner had sent me in January. These emails came once or twice a day for the next few weeks, each from a different address. The files and passwords were changed many times, but the basic format, including the January email thread, remained consistent.
With the help of researchers from the security company Proofpoint, I now know that the emails are the work of a criminal group they call TA578. TA578 is known in the security industry as the Initial Access Broker. That means end-user devices are compromised en masse opportunistically by spamming as many addresses as possible with malicious files. The gang then sells access to the compromised machines to other threat actors to use for ransomware, cryptojacking, and other types of campaigns.
What is thread hijacking?
Somehow group members got the message I sent to my yoga studio. The simplest explanation would be that the studio owner’s computer or email account was compromised, but there are other possibilities. With possession of my email address and the authentic email the owner sent me in January, TA578 now had the raw materials to run his trade.
“Messages in this campaign appear to be responses to previous, benign email threads,” Proofpoint wrote in an email responding to questions. “This technique is called thread hijacking. Threat actors use this technique to trick recipients into believing they are interacting with someone they trust so they are less suspicious of downloading or opening attachments they may be sending as part of the conversation. Threat actors often steal these benign messages through previous malware infections or account compromises.”
Once unzipped, the attached files installed Bumblebee, a malicious downloader used by several threat actors to download and run additional payloads on the compromised computer. Proofpoint first observed threat actors using Bumblebee in email-based campaigns in March.
The files attached to the emails contained an embedded ISO or IMG file along with an LNK link file and a DLL file. The LNK file is used to run the DLL at a specific entry point to launch the malware. Proofpoint says TA578 Bumblebee campaigns typically proceed to download second stage payloads of Cobalt Strike and Meterpreter malware.
Luckily, I knew almost immediately that the emails were malicious, but it’s not hard to see how some people could fall for the ruse. Who would have thought that a routine message sent to a yoga studio would open the door to a malware attack?
I emailed the owner and explained the series of events and warned that an account or machine using the studio was almost certainly compromised. I never received an answer. When I followed up by sending another message through the studio’s website, someone responded, “I’m sorry to hear you received this type of communication, but there is no system or server on our site that provides you with E – would send emails. I would double check to make sure nothing is wrong on your end.”
All of which suggests that receiving these types of malicious emails in 2022 is pretty much a fact of life. When you shop or socialize online, it’s almost inevitable that someone in the chain will be compromised, and this endpoint is exploited in hopes of infecting you.
Bottom Line: Expect malicious emails from people or addresses you think you recognize by using genuine email threads you’ve received in the past. If something seems out of character, take a step back and either start a discussion in a separate email thread or call the person directly. And as my experience with my yoga studio shows, don’t expect the other person to understand what’s going on. In particular, do not click on links or open attachments.