TA505 Returns From Hiatus - Binary Defense

Threat Watch

TA505 Returns From Hiatus

TA505: Researchers from Microsoft have observed the threat group TA505 returning after a short period of no activity. Since 2014, this financially motivated group has been notorious for spreading remote access trojans (RATs) to compromise retailers and large financial institutions. The group has infected computers to drop trojans such as Tick and Dridex, as well as other common malware such as Locky, BitPaymer, Philadelphia, GlobeImposter and Jaff ransomware. In its newest campaign, the group attaches HTML redirectors to email. When opened, the HTML file causes the victim's browser to download an Excel file whose malicious macros install the Dudear malware. The campaign shows how the group has adapted its techniques in an attempt to evade detection: past email campaigns delivered Dudear directly, either as an attachment or via a malicious URL in the message. Sending an HTML file that automatically fetches the malicious document can slip past email threat scanners that inspect attached documents and embedded links, while making it easier for victims to fall prey by opening a seemingly harmless attachment. Different HTML files are written in different languages so that the attackers can target victims around the world. After execution, the malware also attempts to drop the FlawedGrace RAT.

ANALYST NOTES

When a threat group changes its tactics to evade detection, defenders must adapt their detection rules to match. Email threat filters should be tuned to catch this type of attachment coming in from the outside. The HTML files used in this campaign contained JavaScript that called the "setTimeout" function to set the window location to a download URL hosted on the domain one-drive-storage[.]com, so the victim's browser retrieves the Excel document after a short delay rather than the email itself carrying a document or link. Monitoring on the network and on endpoints is also important so that intrusions are found and stopped quickly, before they spread. Indicators of Compromise (IOC) were published on Microsoft's Twitter account. For more information: https://www.bleepingcomputer.com/news/security/microsoft-detects-new-ta505-malware-attacks-after-short-break/
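The following is an added example of the kind of attachment check the analyst note calls for; it is not Binary Defense's or Microsoft's code. It extracts every script element from an HTML attachment, looks for a timer call combined with an assignment to the window location, and reports the redirect target, the delay and whether the host is on a watchlist. The sample HTML is constructed to mirror the redirector described above (the file name Invoice_4471.xls is invented), the watchlist holds only the domain named in the note, and the regular expressions are assumptions about how such redirectors are commonly written, not a signature taken from the campaign.

```python
"""Heuristic scanner for HTML e-mail attachments that redirect the browser
to a download URL from JavaScript (the TA505 "HTML redirector" pattern).

Added example for this article; not Binary Defense's or Microsoft's code.
The regexes below are assumptions about typical redirector code.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the redirector described in the analyst note:
# a timed redirect to an Excel download on one-drive-storage[.]com (refanged
# here so the string parses like a real attachment). Not a real capture.
SAMPLE_HTML = """<html><head><title>Document</title></head><body>
<p>Your document is loading, please wait...</p>
<script type="text/javascript">
setTimeout(function () {
  window.location = "https://one-drive-storage.com/dl/Invoice_4471.xls";
}, 2000);
</script>
</body></html>"""

# Constructed benign control: uses setTimeout but never touches location.
BENIGN_HTML = """<html><body>
<script>setTimeout(function () {
  document.getElementById("msg").style.display = "block";
}, 500);</script>
<div id="msg" style="display:none">Hello</div>
</body></html>"""

# Domain named in the analyst note (Microsoft's IOC), stored refanged.
WATCHLIST = frozenset({"one-drive-storage.com"})

# Assumed patterns: a timer call, its delay argument, and the common ways
# script assigns a new URL (location = ..., location.href = ...,
# location.replace(...), location.assign(...)).
TIMER_RE = re.compile(r"\bset(?:Timeout|Interval)\s*\(")
DELAY_RE = re.compile(r"\bsetTimeout\s*\(.*?,\s*(\d+)\s*\)", re.S)
LOCATION_RE = re.compile(
    r"(?:(?:window|document|self|top|parent)\s*\.\s*)?location"
    r"(?:\s*\.\s*href)?\s*=\s*['\"]([^'\"]+)['\"]"
    r"|location\s*\.\s*(?:replace|assign)\s*\(\s*['\"]([^'\"]+)['\"]"
)


class _ScriptCollector(HTMLParser):
    """Collects the text of every <script> element in the attachment."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies over as raw data, unescaped.
        if self._in_script:
            self.scripts.append(data)


def defang(host):
    """Render a hostname as it would appear in a report (dots bracketed)."""
    return host.replace(".", "[.]")


def scan_html(html, watchlist=WATCHLIST):
    """Return findings for script-driven redirects plus an overall verdict.

    verdict: "malicious"  -> a redirect target is on the watchlist
             "suspicious" -> script redirects to some other external URL
             "clean"      -> no script-driven redirect found
    """
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for script in collector.scripts:
        timed = bool(TIMER_RE.search(script))
        delay = DELAY_RE.search(script)
        for match in LOCATION_RE.finditer(script):
            url = match.group(1) or match.group(2)
            host = (urlparse(url).hostname or "").lower()
            findings.append({
                "url": url,
                "host": defang(host),
                "timed": timed,
                "delay_ms": int(delay.group(1)) if (timed and delay) else None,
                "watchlisted": host in watchlist,
            })
    if any(f["watchlisted"] for f in findings):
        verdict = "malicious"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        result = scan_html(doc)
        print(name, result["verdict"], result["findings"])
```

In a mail gateway this would run over the decoded body of each HTML attachment. The patterns only catch plainly written redirects; a script that builds the URL from concatenated strings or hides it behind eval will evade them, so treat this as a cheap first-pass filter in front of sandbox detonation, and keep the watchlist fed from published IOCs rather than relying on the verdict "suspicious" alone.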
