Researchers at Positive Technologies have been tracking the Russian-speaking threat group known as TA505 and, in the course of their research, have identified a shift in its techniques. Once known specifically as a financially motivated group, it appears to have been adding malware to its arsenal that suggests it is starting to target intellectual property. Previously, the group was known to use the Dridex banking trojan, the Neutrino botnet, and the Locky, Jaff, and GlobeImposter ransomware. Most recently, the group used FlawedAmmyy and the newer ServHelper backdoor. The group has targeted dozens of different entities in over 64 countries around the world. Researchers have identified that the group is using the same network as Buhtrap, which could point to the two groups working together, but that cannot be confirmed.