
TA505 Targeting HR Departments in Germany

TA505: A new attack campaign, believed to be the work of the threat group TA505, is targeting Human Resources departments at organizations located in Germany. Using Business Email Compromise (BEC)-style phishing emails, the group delivers trojanized disk image files (with the ".iso" file extension) disguised as curriculum vitae. When the recipient opens the .iso file, Windows mounts it as a virtual drive, and an embedded Microsoft shortcut (.lnk) file inside the image runs a PowerShell script that deploys tools including the NetSupport Manager remote control software for reconnaissance and data theft. The group hosts its attack tools on Google Drive and has previously used the GPG encryption tool as a ransomware capability. The research was released by Prevailion, which reports that the attacks have been ongoing since April 2018. TA505 has used PowerShell scripts to steal login credentials from browsers and to steal credit card information. In the first waves of the campaign, the group used GPG to encrypt victims' files and hold them for ransom. In the second wave, the group switched to NetSupport Manager to steal information such as screen captures, voice recordings, and files. NetSupport was delivered from a Google Drive account operated by the attackers. Google Drive and other trusted cloud services have recently been used by multiple threat groups to host malware files, because traffic to those services blends in with legitimate use and is less likely to be blocked by network-based defenses. Researchers attributed this campaign to TA505 through a digital signature associated with the loader used in the German attacks.

Analyst Notes

TA505 has been associated with the Necurs botnet in the past. In March 2020, Microsoft carried out an operation to disrupt the botnet by taking control of its US-based domains, but that did not stop the threat group's operations. TA505 continues to evolve and uses many techniques to target victim companies and expand its control of networks after the initial compromise. Phishing attacks are common among threat actors because they do not require the attacker to first breach the business's perimeter; they rely on an unsuspecting employee opening the phishing email and its attachment. Training employees on new trends in phishing attacks and how to spot them can reduce the number of attacks that succeed. If employees are tricked into opening attachments or downloading files from phishing messages, it is important to quickly detect the attack on workstations by recognizing the attacker's behaviors, even when they are using built-in system tools such as PowerShell rather than custom malware. Defenders should use a monitoring service such as Binary Defense's Managed Endpoint Detection and Response (MDR) to identify and stop attacks in the early stages, before attackers have a chance to spread through the network and cause significant damage. The following Command and Control (C2) servers were reported to have been used by the malware in January and February 2020 (addresses are defanged with "[.]"):
194.36.189[.]215
185.244.150[.]143
23.227.207[.]138
More information can be read here: https://www.darkreading.com/attacks-breaches/ta505-targets-hr-departments-with-poisoned-cvs-/d/d-id/1337355?&web_view=true
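The two detection points in the notes above, recognizing the ISO-mounted shortcut launching PowerShell and matching outbound connections against the reported C2 addresses, can be turned into a small triage pass over endpoint telemetry. The following Python is an added example written for this page; it is not Binary Defense's or Prevailion's code, and the event records, field names (`image`, `parent`, `cwd`, `cmdline`, `dst_ip`) and the "system drive is C:" assumption are all constructed here, loosely modelled on Sysmon process-creation and network-connection events.

```python
"""Toy triage pass for the ISO -> .lnk -> PowerShell chain and the reported C2 addresses."""
from typing import Dict, List

# Defanged C2 addresses exactly as listed in the Analyst Notes above.
REPORTED_C2 = ["194.36.189[.]215", "185.244.150[.]143", "23.227.207[.]138"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into a comparable address."""
    return ioc.replace("[.]", ".")


C2_ADDRESSES = {refang(ioc) for ioc in REPORTED_C2}

# Command-line fragments that indicate PowerShell driven by a script, not an admin at a console.
# "-enc" also matches "-encodedcommand" and "-nop" matches "-noprofile" as substrings.
SUSPICIOUS_PS_FLAGS = ("-w hidden", "-windowstyle hidden", "-ep bypass",
                       "-executionpolicy bypass", "-enc", "-nop")


def mounted_image_drive(path: str) -> bool:
    """Heuristic: working directory is the root of a drive other than the system drive.

    Opening an .iso mounts it as a virtual drive letter (E:\\ and so on), and a shortcut
    placed at the image root launches its target with that root as the working directory.
    Assumption (constructed for this example): the system drive is C:.
    """
    p = path.strip().upper()
    return len(p) >= 2 and p[1] == ":" and p[0] != "C" and p.rstrip("\\") == p[:2]


def flag_process_event(ev: Dict[str, str]) -> List[str]:
    """Return the independent reasons a process-creation event looks like the lure chain."""
    reasons: List[str] = []
    image = ev.get("image", "").lower()
    if not image.endswith("powershell.exe"):
        return reasons
    if ev.get("parent", "").lower().endswith("\\explorer.exe"):
        reasons.append("powershell.exe spawned by explorer.exe (double-clicked shortcut)")
    if mounted_image_drive(ev.get("cwd", "")):
        reasons.append("working directory is the root of a non-system drive (mounted image?)")
    hits = [f for f in SUSPICIOUS_PS_FLAGS if f in ev.get("cmdline", "").lower()]
    if hits:
        reasons.append("script-style PowerShell flags: " + ", ".join(hits))
    return reasons


def flag_network_event(ev: Dict[str, str]) -> List[str]:
    """Match the destination against the refanged C2 list."""
    dst = ev.get("dst_ip", "")
    return [f"destination matches reported TA505 C2 {dst}"] if dst in C2_ADDRESSES else []


def triage(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Return {event id: reasons} for events an analyst should look at.

    A PowerShell launch needs at least two independent reasons (any one alone is common
    in normal use); a connection to a reported C2 address is enough on its own.
    """
    findings: Dict[int, List[str]] = {}
    for ev in events:
        if ev["type"] == "process":
            reasons = flag_process_event(ev)
            if len(reasons) >= 2:
                findings[ev["id"]] = reasons
        elif ev["type"] == "network":
            reasons = flag_network_event(ev)
            if reasons:
                findings[ev["id"]] = reasons
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events, not real telemetry. 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cwd": "E:\\", "cmdline": r'powershell.exe -nop -w hidden -ep bypass -c "..."'},
    {"id": 2, "type": "process", "image": PS, "parent": r"C:\Windows\System32\cmd.exe",
     "cwd": r"C:\Users\admin", "cmdline": "powershell.exe"},
    {"id": 3, "type": "process", "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cwd": r"C:\Users\hr\Documents", "cmdline": "powershell.exe"},
    {"id": 4, "type": "network", "image": PS, "dst_ip": "185.244.150.143", "dst_port": "443"},
    {"id": 5, "type": "network", "image": r"C:\Program Files\Browser\browser.exe",
     "dst_ip": "203.0.113.10", "dst_port": "443"},
]

if __name__ == "__main__":
    for event_id, reasons in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"event {event_id}:")
        for r in reasons:
            print(f"  - {r}")
```

Run stand-alone, only events 1 and 4 are reported: the shortcut launch from the mounted image with hidden-window, bypass and no-profile flags, and the connection to one of the listed C2 addresses. Event 3 (PowerShell started from Explorer in a user's profile) scores a single reason and is deliberately left alone, which is the trade-off any living-off-the-land rule has to make; the defanged addresses are refanged before comparison because log fields never carry the "[.]" notation.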