Researchers at Proofpoint have identified the TA505 threat group targeting a range of industries in the past month after a hiatus. The group is known for evolving and adopting new Tactics, Techniques, and Procedures (TTPs), which makes it difficult to track. TA505 is behind some of the biggest spam campaigns, including those distributing the Dridex banking trojan. Proofpoint has also tracked the group distributing Locky and Jaff ransomware, the Trickbot banking trojan, and others “in very high volumes.” The newest campaign includes new and updated tools: an updated KiXtart loader, the MirrorBlast loader that downloads Rebol script stagers, a retooled FlawedGrace RAT, and updated malicious Excel documents. The new wave of attacks started slowly in September 2021 and increased towards the end of the month. The attacks resemble what the group was doing in 2019 and 2020: email lures deliver malicious Excel documents which, once opened with macros enabled, install the FlawedGrace RAT. In October 2021 the group began using more industry-specific lures. They have also expanded their target countries, still including the U.S. and Canada as before, and now adding Germany and Austria. New to this campaign, TA505 is using more intermediary loaders before the final delivery of FlawedGrace; these serve the same purpose as the Get2 downloader that TA505 has used since 2019 to deliver its payloads.
As with previous campaigns, the group relies heavily on malicious Excel documents to distribute FlawedGrace. Training employees to spot phishing emails and not to enable macros in Microsoft Office documents unless they trust the sender is a crucial step in preventing these attacks. Since the group has also been seen using URL lures in its emails, training employees not to click on unknown links is also important. Proofpoint regards TA505 as one of the trendsetters in cybercrime; the group can be expected to continue attacking any industry and to keep updating its TTPs, making it harder to track than most threat actors.
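Because the campaign hinges on recipients opening macro-enabled Excel attachments, a mail gateway or SOC can complement user training with an automated triage step that flags workbooks carrying VBA before they reach an inbox. The following Python is an added example written for this summary; it is not Proofpoint's tooling nor anything from the campaign itself. It inspects an attachment's container format (OOXML ZIP versus legacy OLE/CFB), looks for the VBA project part, and flags extension mismatches such as a `.xlsx` that secretly carries macros. The function and sample-builder names are assumptions, and the sample workbooks are constructed in memory so the script runs offline; the OLE check is a byte-pattern heuristic, not a full CFB parser.

```python
"""Triage e-mail attachments that claim to be Excel workbooks and flag those
carrying VBA macros. Added example; not code from the article or from Proofpoint."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary header (legacy .xls)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML containers (.xlsx/.xlsm) are ZIP files
# Directory entry names inside a CFB file are stored as UTF-16LE; the VBA storage in a
# legacy .xls is named "_VBA_PROJECT_CUR". Searching for the raw marker is a heuristic.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
EXCEL_EXTENSIONS = {"xls", "xlsx", "xlsm", "xlsb"}


def classify_excel_attachment(filename: str, data: bytes) -> dict:
    """Return a triage record: container type, VBA presence, extension mismatch, verdict."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    result = {"filename": filename, "container": "unknown", "has_vba": False,
              "extension_mismatch": False, "verdict": "allow"}

    if data.startswith(ZIP_MAGIC):
        result["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = {n.lower() for n in zf.namelist()}
                content_types = ""
                if "[Content_Types].xml" in zf.namelist():
                    content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except zipfile.BadZipFile:
            result["container"] = "corrupt"      # truncated or malformed ZIP: do not pass it on
            result["verdict"] = "quarantine"
            return result
        # Macros live in xl/vbaProject.bin and are declared in the content-types manifest.
        result["has_vba"] = "xl/vbaproject.bin" in names or VBA_CONTENT_TYPE in content_types
        # A workbook with macros should carry the .xlsm extension, not .xlsx.
        if result["has_vba"] and ext == "xlsx":
            result["extension_mismatch"] = True
    elif data.startswith(OLE_MAGIC):
        result["container"] = "ole"
        result["has_vba"] = OLE_VBA_MARKER in data   # heuristic, see note above
    elif ext in EXCEL_EXTENSIONS:
        result["extension_mismatch"] = True          # claims to be Excel but is neither container

    if result["has_vba"] or result["extension_mismatch"]:
        result["verdict"] = "quarantine"
    return result


def build_sample_workbook(with_vba: bool) -> bytes:
    """Constructed minimal OOXML package (not a real Excel file) for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = ('<?xml version="1.0"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              '<Override PartName="/xl/workbook.xml" ContentType="application/'
              'vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>')
        if with_vba:
            ct += f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        ct += "</Types>"
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\x00placeholder VBA project bytes\x00")
    return buf.getvalue()


def build_sample_legacy_xls(with_vba: bool) -> bytes:
    """Constructed stand-in for a legacy .xls: CFB header plus an optional VBA storage name."""
    body = OLE_MAGIC + b"\x00" * 64
    if with_vba:
        body += OLE_VBA_MARKER + "_CUR".encode("utf-16-le")
    return body


def triage(attachments: list) -> list:
    """Return the filenames that should be held back from delivery."""
    return [r["filename"] for r in (classify_excel_attachment(n, d) for n, d in attachments)
            if r["verdict"] == "quarantine"]


if __name__ == "__main__":
    samples = [("invoice.xlsm", build_sample_workbook(True)),
               ("report.xlsx", build_sample_workbook(False)),
               ("statement.xlsx", build_sample_workbook(True)),
               ("ledger.xls", build_sample_legacy_xls(True)),
               ("notes.xls", b"not a workbook at all")]
    for name, blob in samples:
        print(classify_excel_attachment(name, blob))
    print("quarantined:", triage(samples))
```

In production the OLE branch would hand the file to a proper VBA extractor (such as oletools' olevba) rather than rely on the marker search, and the quarantine verdict would feed the gateway's hold queue so an analyst can review the lure alongside the sender and URL telemetry the summary mentions.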