TA2101, Maze Team
Description
(Proofpoint) Proofpoint researchers recently detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware.
The actor initiated their campaigns impersonating the Bundeszentralamt für Steuern, the German Federal Ministry of Finance, with lookalike domains, verbiage, and stolen branding in the emails.
Proofpoint researchers have also observed this actor distributing Maze ransomware, employing similar social engineering techniques to those it uses for Cobalt Strike, while also targeting organizations in Italy and impersonating the Agenzia Delle Entrate, the Italian Revenue Agency. We have also recently observed the actor targeting organizations in the United States using the IcedID banking Trojan while impersonating the United States Postal Service (USPS).
Names
Name | Name-Giver |
---|---|
TA2101 | Proofpoint |
Maze Team | self-given |
Twisted Spider | CrowdStrike |
Gold Village | SecureWorks |
Country
Motivation
- Financial crime
- Financial gain
First Seen
2019
Observed Sectors
- Construction
- Education
- Energy
- Financial
- Government
- Healthcare
- Hospitality
- IT
- Manufacturing
- Media
- Non-profit organizations
- Oil and gas
- Retail
- Shipping and Logistics
- Technology
- Telecommunications
- Transportation
- Real estate
Observed Countries
Tools
Operations
- 2019-11: Allied Universal Breached by Maze Ransomware, Stolen Data Leaked https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/
- 2019-12: Maze Ransomware Demands $6 Million Ransom From Southwire https://www.bleepingcomputer.com/news/security/maze-ransomware-demands-6-million-ransom-from-southwire/
- 2020-01: Maze ransomware operators have infected computers from Medical Diagnostic Laboratories (MDLab) and are releasing close to 9.5GB of data stolen from infected machines. https://www.bleepingcomputer.com/news/security/maze-ransomware-not-getting-paid-leaks-data-left-and-right/
- 2020-01: MAZE Relaunches ‘Name and Shame’ Website https://www.infosecurity-magazine.com/news/maze-relaunches-name-and-shame/
- 2020-02: Breaking the Ice: A Deep Dive Into the IcedID Banking Trojan’s New Major Version Release https://securityintelligence.com/posts/breaking-the-ice-a-deep-dive-into-the-icedid-banking-trojans-new-major-version-release/
- 2020-03: Chubb Cyber Insurer Allegedly Hit By Maze Ransomware Attack https://www.bleepingcomputer.com/news/security/chubb-cyber-insurer-allegedly-hit-by-maze-ransomware-attack/
- 2020-03: The Maze ransomware group attacked the computer systems of Hammersmith Medicines Research (HMR), publishing personal details of thousands of former patients after the company declined to pay a ransom. https://www.computerweekly.com/news/252480425/Cyber-gangsters-hit-UK-medical-research-lorganisation-poised-for-work-on-Coronavirus
- 2020-04: On April 1st, 2020, Berkine became a victim of a cyber-attack by the notorious Maze ransomware group that is known for its unique blackmailing practices. https://www.hackread.com/maze-ransomware-group-hacks-oil-giant-leaks-data/
- 2020-04: Drug testing firm sends data breach alerts after ransomware attack https://www.bleepingcomputer.com/news/security/drug-testing-firm-sends-data-breach-alerts-after-ransomware-attack/
- 2020-04: IT services giant Cognizant suffers Maze Ransomware cyber attack https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/
- 2020-04: The Maze Ransomware gang breached and successfully encrypted the systems of VT San Antonio Aerospace, as well as stole and leaked unencrypted files from the company’s compromised devices https://www.bleepingcomputer.com/news/security/us-aerospace-services-provider-breached-by-maze-ransomware/
- 2020-04: Chipmaker MaxLinear reports data breach after Maze Ransomware attack https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/
- 2020-05: According to MAZE, egg producer and supplier Sparboe was cracked into on May 1, 2020. As proof of the attack, the threat group has shared a zip file of data it claims was exfiltrated from Sparboe’s systems. https://www.infosecurity-magazine.com/news/maze-claims-ransomware-attack-on-us/
- 2020-05: Package delivery giant Pitney Bowes confirms second ransomware attack in 7 months https://www.zdnet.com/article/package-delivery-giant-pitney-bowes-confirms-second-ransomware-attack-in-7-months/
- 2020-05: Ransomware breach of Banco de Costa Rica https://www.bleepingcomputer.com/news/security/hackers-say-they-stole-millions-of-credit-cards-from-banco-bcr/ https://cybleinc.com/2020/05/22/maze-ransomware-operators-release-the-banco-de-costa-rica-data-leak-part-3/
- 2020-06: Cyber extortionists have stolen sensitive data from a company which supports the US Minuteman III nuclear deterrent. https://news.sky.com/story/hackers-steal-secrets-from-us-nuclear-missile-contractor-11999442
- 2020-06: The Maze Ransomware operators are claiming to have successfully attacked business services giant Conduent, where they stole unencrypted files and encrypted devices on their network. https://www.bleepingcomputer.com/news/security/business-services-giant-conduent-hit-by-maze-ransomware/
- 2020-06: MAZE maintains that it has encrypted and exfiltrated data from New York company Threadstone Advisors using ransomware. https://www.infosecurity-magazine.com/news/maze-attacks-victoria-beckhams/
- 2020-06: LG Electronics allegedly hit by Maze ransomware attack https://www.bleepingcomputer.com/news/security/lg-electronics-allegedly-hit-by-maze-ransomware-attack/
- 2020-06: Business giant Xerox allegedly suffers Maze Ransomware attack https://www.bleepingcomputer.com/news/security/business-giant-xerox-allegedly-suffers-maze-ransomware-attack/
- 2020-06: Maze Ransomware Operators Allegedly Targeted National Highways Authority of India (NHAI) https://cybleinc.com/2020/07/02/maze-ransomware-operators-allegedly-targeted-national-highways-authority-of-india-nhai-data-leak/
- 2020-07: Canon hit by Maze Ransomware attack, 10TB data allegedly stolen https://www.bleepingcomputer.com/news/security/canon-hit-by-maze-ransomware-attack-10tb-data-allegedly-stolen/
- 2020-08: The Maze hacker gang claims it has infected computer memory maker SK hynix with ransomware and leaked some of the files it stole. https://www.theregister.com/2020/08/20/maze_crew_sk_hynix/
- 2020-08: During the monitoring of deepweb and darkweb leaks, our researchers came across the leak disclosure post in which the Maze ransomware operators allegedly breached Hoa Sen Group and claimed to be in possession of the company’s sensitive data. https://cybleinc.com/2020/08/17/one-of-the-largest-steel-sheet-companies-in-southeast-asia-got-allegedly-breached-by-maze/
- 2020-09: Fairfax County schools hit by Maze ransomware, student data leaked https://www.bleepingcomputer.com/news/security/fairfax-county-schools-hit-by-maze-ransomware-student-data-leaked/
- 2020-10: Maze ransomware is shutting down its cybercrime operation https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/
- 2020-10: Ubisoft, Crytek data posted on ransomware gang’s site https://www.zdnet.com/article/ubisoft-crytek-data-posted-on-ransomware-gangs-site/
- 2020-10: Egregor Claims Responsibility for Barnes & Noble Attack, Leaks Data https://threatpost.com/egregor-responsibility-barnes-noble/160401/
- 2020-11: 350,000 items of personal data compromised in Capcom hack https://www.nme.com/news/gaming-news/350000-items-of-personal-data-compromised-in-capcom-hack-2818358
- 2020-11: Retail giant Cencosud hit by Egregor Ransomware attack, stores impacted https://www.bleepingcomputer.com/news/security/retail-giant-cencosud-hit-by-egregor-ransomware-attack-stores-impacted/
- 2020-12: Kmart nationwide retailer suffers a ransomware attack https://www.bleepingcomputer.com/news/security/kmart-nationwide-retailer-suffers-a-ransomware-attack/
- 2020-12: Egregor Ransomware attacked HR Giant Randstad https://securereading.com/egregor-ransomware-attacked-hr-giant-randstad/
- 2021-02: French Hospital Hit with Egregor Ransomware https://www.binarydefense.com/threat_watch/french-hospital-hit-with-egregor-ransomware/
- 2021-02: Egregor Ransomware Adopting New Techniques https://blog.morphisec.com/egregor-ransomware-adopting-new-techniques
- 2022-02: The master decryption keys for the Maze, Egregor, and Sekhmet ransomware operations were released last night on the BleepingComputer forums by the alleged malware developer. https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/
Counter Operations
- 2021-03: Alleged Members of Egregor Ransomware Cartel Arrested https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html
- 2024-02: Zeus, IcedID malware gangs leader pleads guilty, faces 40 years in prison https://www.bleepingcomputer.com/news/security/zeus-icedid-malware-gangs-leader-pleads-guilty-faces-40-years-in-prison/
Information
- https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us
- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
Other Information
Uuid
046da342-795f-491e-b6d1-b61cd6c1f2d9
Last Card Change
2024-03-07