TA505: The Russian speaking threat actor TA505 spent most of the 2019 year targeting banks in South Korea according to the researchers from the Financial Security Institute. Utilizing malicious attachments and ransomware, TA505 carried out phishing campaigns against South Korean entities in the manufacturing, medical, and finance industries. Many of the emails in this campaign were sent on weekdays and included Excel documents that delivered the FlawedAmmyy Remote Access Trojan (RAT). This RAT gives the attacker control over the targeted machines without a victim’s knowledge. The threat actor also was seen using a malware dubbed Rapid, which is new to the threat actor. The malware was not seen in most of the malicious emails, and it is unclear to researchers why it was used. Researchers will likely monitor for any other instances of this malware to determine if it was a one-time usage or if the group was experimenting with the new malware.
Analyst Notes
TA505 has been linked to the FIN7 threat actor in the past, but these groups are commonly mistaken for each other when analyzing attack campaigns. It is important to note that attack attribution can never be 100% accurate. Always ensuring that employees are trained to recognize phishing emails is one important step to prevent these attacks from being successful. Because it can be difficult for employees to always spot threats in attached documents and Excel files, it is also important to scan incoming emails for threats and closely monitor employee workstations using an Endpoint Detection and Response (EDR) solution for signs of potential attacker activity. Although this report focused on threats to South Korean companies, attacks from TA505 have targeted organizations all over the world.
More information can be found here: https://www.cyberscoop.com/ta505-south-korea-bank-phishing/
