TA505: The Russian speaking threat actor TA505 spent most of the 2019 year targeting banks in South Korea according to the researchers from the Financial Security Institute. Utilizing malicious attachments and ransomware, TA505 carried out phishing campaigns against South Korean entities in the manufacturing, medical, and finance industries. Many of the emails in this campaign were sent on weekdays and included Excel documents that delivered the FlawedAmmyy Remote Access Trojan (RAT). This RAT gives the attacker control over the targeted machines without a victim’s knowledge. The threat actor also was seen using a malware dubbed Rapid, which is new to the threat actor. The malware was not seen in most of the malicious emails, and it is unclear to researchers why it was used. Researchers will likely monitor for any other instances of this malware to determine if it was a one-time usage or if the group was experimenting with the new malware.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense Russia’s invasion of Ukraine increased