TA551 Shifts Tactics to Install Sliver Red-Teaming Tool

A new email campaign from the threat group uses the attack-simulation framework in a likely leadup to ransomware deployment.

The criminal threat group known as TA551 has added the Sliver red-teaming tool to its bag of tricks – a move that may signal ramped-up ransomware attacks ahead, researchers said.

According to Proofpoint researchers, TA551 (aka Shathak) has been mounting cyberattacks that start with email thread hijacking – an increasingly popular tactic in which adversaries insert themselves into existing email conversations, so the malicious reply arrives from a familiar correspondent inside a familiar thread. In one offensive seen just this week, the messages carried password-protected ZIP archives containing Word documents; the password is given in the message body so that the archive passes mail-gateway scanning. If the document is opened and macros are enabled, the attachment ultimately leads to the download of Sliver, an open-source, cross-platform adversary simulation and red-team platform.
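The lure shape described above (a password-protected ZIP wrapping a Word document that carries a macro) is something a mail gateway or SOC script can triage without opening the document in Office. The following Python routine is an added example written for this page; it is not Proofpoint's tooling, not part of the original article and not based on any TA551 sample. It inspects a ZIP attachment's central directory for the encryption flag, notes any Office members, and, when a member is readable, looks inside the OOXML container for a vbaProject.bin part. The file names, the extension list and the "suspicious" rule are assumptions chosen for illustration; the sample archives are hand-assembled because Python's zipfile cannot write encrypted entries.

```python
"""Triage a ZIP e-mail attachment for the password-protected-archive +
macro-document lure. Added example; heuristics and names are assumptions."""
import io
import struct
import zipfile
import zlib

# Assumed: extensions worth flagging when found inside an attachment archive.
OFFICE_EXTS = (".doc", ".docm", ".docx", ".dot", ".dotm", ".xls", ".xlsm", ".rtf")
# In OOXML (docx/docm/xlsm/pptm) a VBA project is stored as one of these parts.
MACRO_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def find_macro_members(doc: bytes, label: str) -> list:
    """OOXML documents are ZIP containers; report any embedded VBA project part.
    Legacy OLE2 .doc files are not ZIPs and are not inspected here."""
    if not zipfile.is_zipfile(io.BytesIO(doc)):
        return []
    with zipfile.ZipFile(io.BytesIO(doc)) as inner:
        return [f"{label}:{m}" for m in inner.namelist() if m in MACRO_MEMBERS]


def triage_zip_attachment(data: bytes) -> dict:
    """Return findings for one attachment given as bytes."""
    findings = {"is_zip": False, "encrypted": False,
                "office_members": [], "macro_members": [], "suspicious": False}
    if not data.startswith(b"PK\x03\x04"):
        return findings
    findings["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # General-purpose bit 0 marks an encrypted (password-protected) entry.
            locked = bool(info.flag_bits & 0x1)
            if locked:
                findings["encrypted"] = True
            if info.filename.lower().endswith(OFFICE_EXTS):
                findings["office_members"].append(info.filename)
                if not locked:  # a locked entry cannot be read without the password
                    findings["macro_members"].extend(
                        find_macro_members(zf.read(info.filename), info.filename))
    # Assumed rule: an Office document that is either hidden behind a password
    # or carries a VBA project is worth a closer look.
    findings["suspicious"] = bool(findings["office_members"]) and (
        findings["encrypted"] or bool(findings["macro_members"]))
    return findings


def build_zip(members: dict, flag_encrypted: bool = False) -> bytes:
    """Hand-assemble a stored (uncompressed) ZIP for the constructed samples.
    With flag_encrypted the payload stays plaintext but bit 0 of the
    general-purpose flags is set, which is exactly what the triage inspects."""
    flags = 0x1 if flag_encrypted else 0
    local, central = bytearray(), bytearray()
    for name, payload in members.items():
        raw = name.encode()
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        offset = len(local)
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                             crc, len(payload), len(payload), len(raw), 0) + raw + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0,
                               crc, len(payload), len(payload), len(raw),
                               0, 0, 0, 0, 0, offset) + raw
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(members), len(members),
                       len(central), len(local), 0)
    return bytes(local + central + eocd)


def build_docm(with_macro: bool) -> bytes:
    """Constructed minimal OOXML document, optionally with a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_docm(with_macro=True)
    print(triage_zip_attachment(build_zip({"invoice_0912.docm": doc}, flag_encrypted=True)))
    print(triage_zip_attachment(build_zip({"invoice_0912.docm": doc})))
    print(triage_zip_attachment(build_zip({"notes.txt": b"plain text"})))
```

The password-protected case is the interesting one: the gateway cannot read the document, so the only signals left are the encryption flag and the member names, which is why the rule above already treats "locked archive containing an Office file" as worth a closer look rather than waiting for macro evidence it will never see.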

The activity demonstrates a “significant departure” from TA551's previous tactics, techniques and procedures (TTPs), according to Proofpoint. Typically, the end goal for TA551 has been to drop an initial-access/banking trojan such as IcedID, Qbot or Ursnif (and Emotet in the past), which in turn opened the door to ransomware operators. For instance, IcedID infections were associated with Maze and Egregor ransomware events in 2020, the firm determined. Delivering a ready-made post-exploitation framework such as Sliver instead of a loader removes a step from that chain and gives the operators an implant with built-in command-and-control and lateral-movement features from the first execution.

“Typically, TA551 use more commodity malware like banking trojans,” Sherrod DeGrippo, vice president of

Read More: https://threatpost.com/ta551-tactics-sliver-red-teaming/175651/