TA505: As previously reported, TA505 has used the Dridex banking trojan, the Neutrino botnet, and the Locky, Jaff and GlobeImposter ransomware families, as well as the FlawedAmmyy backdoor and the newer ServHelper backdoor. The group now appears to be using the SDBbot Remote Access Trojan (RAT) and the Get2 downloader. TA505 has been sending phishing emails carrying malicious Microsoft Excel files, written in English and French. In the most recent wave the group targeted only English speakers and dropped the Excel attachment from the email itself, likely to avoid attachment-based detection: the email now contains a shortened URL that leads the victim to the malicious document, which the group wants the victim to download so that it can deliver the RAT. Researchers at Proofpoint observed this campaign as the first time Get2 was executed to download SDBbot.

Get2 is delivered through a new macro in the Excel file. Get2 is embedded in the document as an OLE object, which appears as an image icon when scrolling through the document. When the macro runs, the embedded object xl\embeddings\oleObject1[.]bin is copied from the spreadsheet into the %TEMP% directory. The macro's ReadAndWriteExtractedBinFile function then extracts the DLL (Dynamic Link Library) contained in oleObject1[.]bin and writes it to %APPDATA%. Finally, the macro loads the DLL with LoadLibraryA and calls its exported function, in this case named Get2. Get2 is written in C++ and has been used by TA505 in its recent campaigns. The downloader collects basic system information and sends it in an HTTP POST request to a hardcoded command and control server; the POST data includes the computer name, hostname, Windows version and a delimited process list.
SDBbot is also written in C++ and is delivered by Get2 in the TA505 campaign. The name comes from the debugging log file sdb[.]log[.]txt and the DLL name BotDLL[.]dll seen in the initial analyzed sample. The installer stores the RAT in the registry and establishes persistence for the loader component. The RAT component, BotDLL[.]dll, has typical RAT functionality: a command shell, screen video recording, remote desktop, port forwarding and file system access. The command and control servers for the RAT are stored in plaintext, which made it straightforward for the researchers to identify and examine them. After the system information is sent to the command and control server, the server responds with a command DWORD. Depending on the command, the server then sends additional arguments; some commands, primarily the shell command, use a 48-byte data structure to store various data, and other commands create, delete and query the status of these structures.
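The delivery chain described above (an OLE object at xl\embeddings\oleObject1[.]bin that wraps a DLL) and the plaintext command and control addresses inside SDBbot both lend themselves to static triage without running anything. The script below is an added example, not code from Binary Defense, Proofpoint or the malware: it opens an OOXML workbook, carves any PE image out of the embedded objects by validating the MZ header, the e_lfanew pointer and the PE signature, hashes each carved image, and lists plaintext IPv4:port strings found in it. The sample workbook, the fake DLL, the strings it contains and the TEST-NET address 203.0.113.10 are all constructed for the demonstration, and the function names are the example's own.

```python
import hashlib
import io
import re
import struct
import zipfile

# Plaintext IPv4:port candidates (constructed heuristic for hunting hardcoded C2 strings).
IPV4_PORT_RE = re.compile(rb'(?<![\d.])((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})(?!\d)')


def carve_pe_images(blob):
    """Return [(offset, image_bytes)] for every plausible PE image inside blob.

    A hit is an 'MZ' header whose e_lfanew (DWORD at +0x3C) points at a PE signature
    inside the blob. Each carved image runs to the next hit or to the end of the
    blob, which is enough for hashing and string hunting (not for full PE parsing).
    """
    hits = []
    pos = blob.find(b'MZ')
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from('<I', blob, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x1000 and blob[sig:sig + 4] == b'PE\0\0':
                hits.append(pos)
        pos = blob.find(b'MZ', pos + 1)
    return [(start, blob[start:(hits[i + 1] if i + 1 < len(hits) else len(blob))])
            for i, start in enumerate(hits)]


def embedded_objects(doc_bytes):
    """Yield (member_name, data) for every xl/embeddings/*.bin member of an OOXML workbook."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            low = name.lower()
            if low.startswith('xl/embeddings/') and low.endswith('.bin'):
                yield name, zf.read(name)


def plaintext_endpoints(data):
    """Sorted, de-duplicated IPv4:port strings in plaintext, with octets and port range-checked."""
    found = set()
    for m in IPV4_PORT_RE.finditer(data):
        octets = [int(o) for o in m.group(1).split(b'.')]
        port = int(m.group(2))
        if all(o <= 255 for o in octets) and 1 <= port <= 65535:
            found.add(m.group(0).decode('ascii'))
    return sorted(found)


def triage_workbook(doc_bytes):
    """One finding per PE image carved from an embedded object in the workbook."""
    findings = []
    for member, data in embedded_objects(doc_bytes):
        for offset, image in carve_pe_images(data):
            findings.append({
                'member': member,
                'offset': offset,
                'size': len(image),
                'sha256': hashlib.sha256(image).hexdigest(),
                'endpoints': plaintext_endpoints(image),
            })
    return findings


def build_sample_workbook():
    """Constructed test input, not a real TA505 sample: a minimal workbook zip whose
    xl/embeddings/oleObject1.bin wraps a fake DLL carrying a plaintext IPv4:port
    string (TEST-NET address 203.0.113.10)."""
    dll = bytearray(b'MZ' + b'\0' * 0x3A)            # DOS header up to e_lfanew
    dll += struct.pack('<I', 0x80)                    # e_lfanew -> PE signature at 0x80
    dll += b'\0' * (0x80 - len(dll))
    dll += b'PE\0\0' + b'\0' * 20                     # signature + zeroed COFF header
    dll += b'BotDLL.dll\0' + b'203.0.113.10:443\0' + b'\0' * 32
    ole = b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1' + b'\0' * 24 + bytes(dll)  # fake OLE prefix
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('[Content_Types].xml', '<Types/>')
        zf.writestr('xl/workbook.xml', '<workbook/>')
        zf.writestr('xl/embeddings/oleObject1.bin', ole)
    return buf.getvalue()


if __name__ == '__main__':
    for finding in triage_workbook(build_sample_workbook()):
        print(finding)
```

To run this against a real document, replace build_sample_workbook() with the bytes of the .xlsm or .xlsx file. Two caveats: the carver cuts each image at the next MZ hit, so for a complete payload you would parse the section table to find the true end, and IPv4:port hits are leads to verify rather than confirmed indicators, since version strings and other numeric data can produce false positives.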
How does Binary Defense help protect your organization? With best-in-breed cybersecurity tactics, techniques, and services, we make sure that your environment is secure against the most advanced attacks.