TA505: Researchers from Microsoft have seen the threat group TA505 return after a short break in activity. Active since 2014, the financially motivated group is notorious for spreading remote access trojans (RATs) to compromise retailers and large financial institutions. It has been observed dropping trojans such as TrickBot and Dridex, as well as Locky, BitPaymer, Philadelphia, GlobeImposter and Jaff ransomware. In its newest campaign, the group attaches an HTML redirector to the email. When opened, the HTML file redirects the victim's browser to download an Excel file, and the malicious macros in that file install the Dudear malware. The campaign shows how the group has changed techniques in an attempt to evade detection: past Dudear campaigns delivered the malicious document directly as an attachment or through a malicious URL in the message body. Because the HTML attachment contains no macros itself and only triggers the download of the document, it can slip past email scanners that inspect attachments, while the seemingly harmless attachment makes it easier for victims to fall prey. The attackers use HTML files in several languages so that they can target victims around the world. Once executed, Dudear also attempts to drop the FlawedGrace RAT.
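One practical response to the redirector technique described above is to inspect HTML attachments for redirect logic before they reach a user. The script below is an added example written for this page, not code from Microsoft, Binary Defense or the TA505 campaign itself: it parses a constructed sample message, finds HTML attachments, and flags those containing a meta refresh or a JavaScript location assignment that points at a spreadsheet or document. The regular expressions, the lure file extensions and the placeholder URL are all assumptions chosen for illustration, not indicators from the original report.

```python
"""Flag e-mail HTML attachments that behave as redirectors to a hosted
document (meta refresh or script-driven location change).  Added example
for this page; the sample message and heuristics below are constructed."""
import email
import re
from email import policy
from email.message import EmailMessage

# Patterns that turn a standalone HTML file into a redirector.  These are
# illustrative heuristics (assumed), not signatures from the report.
REDIRECT_PATTERNS = [
    # <meta http-equiv="refresh" content="0; url=http://...">
    re.compile(r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
               r'url\s*=\s*["\']?([^"\'>\s;]+)', re.I),
    # window.location = "..." / document.location.href = "..."
    re.compile(r'(?:window|document|self|top)\.location(?:\.href)?\s*=\s*'
               r'["\']([^"\']+)', re.I),
    # location.replace("...") / location.assign("...")
    re.compile(r'location\.(?:replace|assign)\(\s*["\']([^"\']+)', re.I),
]

# Office document extensions a macro lure would typically be served as.
LURE_EXTENSIONS = ('.xls', '.xlsx', '.xlsm', '.xlsb', '.doc', '.docm')


def find_redirect_targets(html: str) -> list[str]:
    """Return every URL the HTML would redirect to, in document order."""
    targets = []
    for pattern in REDIRECT_PATTERNS:
        targets.extend(m.group(1) for m in pattern.finditer(html))
    return targets


def scan_message(raw: bytes) -> list[dict]:
    """Parse a raw RFC 5322 message and report redirecting HTML attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ''
        is_html = (part.get_content_type() == 'text/html'
                   or name.lower().endswith(('.htm', '.html')))
        if not is_html:
            continue
        html = (part.get_payload(decode=True) or b'').decode('utf-8', 'replace')
        targets = find_redirect_targets(html)
        if targets:
            findings.append({
                'attachment': name,
                'targets': targets,
                # True when any target looks like a downloadable Office lure.
                'fetches_document': any(
                    t.lower().split('?')[0].endswith(LURE_EXTENSIONS)
                    for t in targets),
            })
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: an invoice-themed mail carrying an HTML file whose
    only job is to redirect to a hosted spreadsheet.  The URL is a placeholder
    on a reserved domain, not a real indicator."""
    html = ('<html><head><meta http-equiv="refresh" '
            'content="0; url=http://example.invalid/invoice/Doc_0213.xls">'
            '</head><body>Loading your invoice...</body></html>')
    msg = EmailMessage()
    msg['From'] = 'billing@example.invalid'
    msg['To'] = 'victim@example.invalid'
    msg['Subject'] = 'Invoice 0213'
    msg.set_content('Please see the attached invoice.')
    msg.add_attachment(html, subtype='html', filename='invoice.html')
    return msg.as_bytes()


if __name__ == '__main__':
    for finding in scan_message(build_sample_message()):
        print(finding)
```

Running the script prints one finding for `invoice.html` with the spreadsheet URL as its target. In a mail gateway the same check would sit alongside, not instead of, macro inspection of the downloaded document, since the redirector itself is clean by design.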
By Akshay Rohatgi and Randy Pargman About this Student Research Project Binary Defense’s mission is