Threat Watch

TA505 Using SDBbot Remote Access Trojan with get2 Downloader

TA505: Previously reported, TA505 was seen using the Dridex banking trojan, Neutrino Botnet and Locky, Jaff, and GlobeImposter ransomware. The group was also seen using the FlawedAmmyy and the newer ServHelper backdoor. Now, the group appears to be using SDBbot Remote Access trojan (RAT) and GET2 Downloader. The group has been sending a phishing email to their targets with malicious Microsoft Excel files included in them, using the English and French languages to target people. In the most recent attack wave, the group has shifted to just targeting English speakers and has also removed the Excel attachment from the file, likely trying to avoid detections. The phishing email now has a shortened URL included in it that would take the victim to the malicious document that the group is trying to get their victims to download to deliver the RAT. In this campaign, it was witnessed by researchers at Proofpoint that Get2 was being executed to download the SDBbot for the first time. Get2 works with the Excel file through a new Macro. Get2 is embedded in the document as an object, which can be found as an image icon scrolling through the document. It then gets extracted by the micro by the spreadsheet getting copied into the %TEMP% directory. The embedded object xl\embeddings\oleObject1[.]bin inside the spreadsheet is copied into the %TEMP% directory. The DLL (Dynamic Link Library) inside the oleobject1[.]bin is extracted and copied into %APPDATA% by the ReadAndWriteExtractedBinFile function. Then the DLL will be loaded with LoadLibraryA and the DLL’s exported function, in this case, Get2, is run by the macro. Get2 is a C++ malware that has been being used by TA505 in their recent campaigns. The downloader collects basic system information and sends it via an HTTP POST request to a hardcoded command and control server. The POST data includes information such as the computer name, hostname, Windows version and a delimited process list. SDBbot is also written in C++ and is delivered by Get2 from TA505. The name comes from the debugging log file sdb[.]log[.]txt and DLL name BotDLL[.]dll that was used in the initial analyzed sample. The installer stores the RAT in the registry and established persistent for the loader component. The RAT component named BotDLL[.]dll has typical RAT functionality such as command shell, video screen recording, remote desktop, port forwarding, and file system access. The command and control servers for the Rat were stored in plain text, which made it rather easy for the researchers to identify them and look at them. After system information is sent to the command and control server, the server responds with a command DWORD. Depending on the command, the server will then send additional arguments and some of the commands, primarily the shell one, and make use of a 48-byte data structure to store various data. There are also other commands which create, delete, and query stats of these data structures.


The recent changes in malware delivery are likely attempts to evade detection by automated security tools. Email scanning services must be capable of detecting malicious URLs in both the email body and any attached documents. Malicious Office documents that use Object Linking and Embedding (OLE) objects require the targeted person to double-click an image in the document to activate the malware. This can evade automated sandbox analysis of files if the sandbox testing solution does not double-click the OLE object. For defenders, it is important to ensure that sandbox solutions also perform static checks of Office document files for OLE objects with embedded scripts and alert on detection. This group has been shaping the threat landscape for years. Because of the large volume that this group has been able to target and infect during their activity, they are one of the more well-known threat groups. In this most recent wave of attacks, the group is targeting a wide range of industry verticals and have been consistent in their pursuit to “follow the money.” Binary Defense analysts are closely monitoring TA505 tactics and malware to constantly develop new detections and allow our Security Operations Center (SOC) analysts to stop these attacks quickly.