Russian TA505 threat actor target financial entities worldwide

guest · Apr 18, 2019

Russian TA505 threat actor target financial entities worldwide
April 17, 2019
https://securityaffairs.co/wordpress/84072/hacking/russian-ta505-financial-attacks.html

Security experts at CyberInt uncovered a new campaign of a Russian financially motivated threat actor tracked as TA505. The hackers used remote access Trojans (RATs) in attacks aimed at financial entities in the United States and worldwide.

“CyberInt researchers have been tracking various activities following the spear-phishing campaign targeting large US-based retailers detected in December 2018.” reads the analysis published by Cyberint. “The research focused on scenarios with the same tactics, techniques and procedures (TTP) along with the repeated nefarious use of a ‘legitimate’ remote administration tool ‘Remote Manipulator System’ (RMS), developed by a Russianbased company ‘TektonIT’.”

The TA505 group was first spotted by Proofpoint back 2017, it has been active at least since 2015 and targets organizations in financial and retail industries.
Tracked by the research community as TA505, the Russian threat group is known for the use of banking Trojans such as Shifu and Dridex, as well as for the massive Locky ransomware campaigns observed several years ago.
Click to expand...

Cyberint: "Legit Remote Admin Tools turn into Thread Actor Tools – TA505 and other Threat Actors targeting US retailers and financial organizations in Europe, APAC and LATAM" (PDF - 2.16 MB):

https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf

guest · Apr 25, 2019

TA505 hackers thwarted at the door of a big financial org
April 24, 2019
https://www.cyberscoop.com/ta505-hack-stopped-cybereason-locky-ransomware/

A failed attempt to breach a big financial institution is providing new data on a global criminal hacking group known for authoring the widely-used Locky ransomware.
The fresh threat intelligence from the breach attempt includes a revamped backdoor and an example of how the hackers are signing their malicious code using a legitimate certificate – a hallmark of advanced groups looking to avoid detection.

“[T]he malware was signed mere hours prior to the attack – an indication of the operation’s deliberate timeline and nature,” Salem wrote in research Cybereason will publish Thursday. [...] but that the malware was blocked “before any damage was done.”
The attackers were “living off the land” according to Cybereason, using binary tools in a stealthy effort to deploy their malware.

“In an arena where groups seldom last for more than a year or two, TA505 has managed to adapt and change and continue to find success,” Liska added.
Click to expand...

Cybereason: Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware

guest · May 16, 2019

The Stealthy Email Stealer in the TA505 Arsenal
May 16, 2019
https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/

During the last month our Threat Intelligence surveillance team spotted increasing evidence of an operation intensification against the Banking sector.
Just after the opening of malicious documents and the installation of FlawedAmmy RAT implants, the group used to deploy a particular credential stealing software, part of their arsenal, revealing details of their recent operation.

Dynamically executing the malware, more information about its behaviour is revealed. The malicious executable is substantially an email stealer, in fact, the only purpose is to retrieve all the emails and passwords accounts present inside the victim machine. After executing the information gathering routine, the malware sends to its C2 all the retrieved emails and passwords
Conclusion
Nowadays, the email accounts are an effective source of revenue for the cyber criminals. In fact all these information can be used to spread other malware through phishing campaigns, to perform BEC attacks (Business Email Compromise) and also to try credential stuffing attacks.
Click to expand...

Campaign against plenty of banks. Pushing signed executable(s).
https://twitter.com/sS55752750/status/1126484666016509952
Click to expand...

guest · May 31, 2019

Russian Threat Group TA505 Is Out Phishing: Hijacks Legitimate Remote Access Tools
May 20, 2019
https://blog.cyberint.com/threat-group-ta505-phishing-hijacks-remote-access-tools

Recently, we have observed a surge in TTPs utilizing legitimate remote access tools that bring a new level of sophistication to phishing campaigns targeting large retailers and financial companies.

The attack starts with a spear phishing email masquerading as a legitimate communication sent from a Ricoh printer. The email includes an attachment in Microsoft Word format that contains a malicious macro. Once activated, the macro prompts a payload from the attacker's command and control server. At the final stage, the RMS RAT is installed on the victim’s machine.
This attack is unique in that each intended target receives a highly personalized attachment, a technique that until now was quite unusual and difficult to implement at scale.
TA505 Goes After the Financial Industry
In another attack, TA505 employed the Remote Manipulator System (RMS) backdoor to target financial institutions across the world - Chile, India, Italy, Malawi, Pakistan, and South Korea, as well as retailers in the United States.
In a similar manner, the attack starts with a highly targeted payment related email that contains a Microsoft Excel spreadsheet. The attachment spawns a Microsoft Windows Installer, prompting a download of an additional payload from a threat actor’s command and control server.
Click to expand...

Minimalist · Jul 3, 2019

This hacking gang just switched its malware attacks to a new target

One of the world's most successful cybercriminal groups has altered its tactics and also distributing a new form of malware as part of its latest campaign, which this time targets bank and financial services employees in the US, the United Arab Emirates and Singapore.
Click to expand...

https://www.zdnet.com/article/this-hacking-gang-just-switched-its-malware-attacks-to-a-new-target/

guest · Oct 3, 2019

Positive Technologies: TA505 rising to become world's most dangerous cybercriminal group
With attacks on dozens of targets in 64 countries in a six-month period, TA505 now threatens more than just financial companies
October 3, 2019
https://www.ptsecurity.com/ww-en/ab...me-worlds-most-dangerous-cybercriminal-group/

The group uses phishing emails to penetrate the networks of its victims. Each new wave of attacks reflects qualitative changes in the group's toolkit.

TA505 is one of only a few long-lived active cybercriminal groups. Since 2014, their arsenal has included the Dridex banking Trojan, Neutrino botnet, and ransomware such as Locky, Jaff, and GlobeImposter. The group has used the FlawedAmmyy remote access tool since 2018 and, since late last year, the new ServHelper backdoor as well.

Alexey Novikov, Director of the Positive Technologies Expert Security Center, said: "Usually, the group attacks where they think they can steal money. But recently they have started eyeing intellectual property that can be monetized. This explains the new industries in their sights. [...]"
Besides finance and government, targets of TA505 in 2019 have included research institutes and companies in energy, aviation, healthcare, and other sectors.
Click to expand...

guest · Oct 16, 2019

New SDBot Remote Access Trojan Used in TA505 Malspam Campaigns
October 16, 2019
https://www.bleepingcomputer.com/ne...ccess-trojan-used-in-ta505-malspam-campaigns/

Researchers discovered two new malware strains distributed via phishing campaigns carried out by the TA505 hacking group during the last two months, a new downloader dubbed Get2 and an undocumented remote access Trojan (RAT) named SDBbot.
Malspam campaigns directed at new targets
In early September, Proofpoint observed tens of thousands of phishing emails part of a new TA505 campaign delivering Microsoft Excel attachments to English and Greek-speaking targets from financial institutions [...]
The first major change came on October 7 when the attackers started using links generated using URL shorteners routing their targets to landing pages that requested them to download malicious Excel sheets with request.xls file names.

This campaign also used the Get2 loader as the first stage payload but it also started delivering the new SDBot RAT malware to "companies from various industries primarily in the United States."
Click to expand...

New second-stage RAT payloads
SDBot uses application shimming for persistence, a technique that "can be used to Bypass User Account Control (UAC) (RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress)."
This, in turn, makes it possible for attackers to elevate privileges for malicious processes, to install backdoors on infected systems, as well as to disable anti-malware solutions Windows Defender.

This new RAT malware "has some typical RAT functionality such as command shell, video recording of the screen, remote desktop, port forwarding, and file system access," and it uses plain text for storing command and control (C2) server information, as well as for communicating over TCP port 443.
Click to expand...

Proofpoint: TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader

guest · Jan 31, 2020

Microsoft Detects New TA505 Malware Attacks After Short Break
January 30, 2020
https://www.bleepingcomputer.com/ne...-new-ta505-malware-attacks-after-short-break/

Microsoft says that an ongoing TA505 phishing campaign is using attachments featuring HTML redirectors for delivering malicious Excel documents, this being the first time the threat actors have been seen adopting this technique.

TA505 (also tracked SectorJ04) is a financially motivated cybercrime group active since at least Q3 2014 [1, 2] known for focusing on attacks against retail companies and financial institutions via large-sized malicious spam campaigns driven by the Necurs botnet.

This threat actor distributed remote access Trojans (RATs) and malware downloaders that delivered the Dridex and Trick banking Trojans as secondary payloads, as well as Locky, BitPaymer, Philadelphia, GlobeImposter, Jaff ransomware strains on their targets' computers. [1, 2]
Click to expand...

Kafeine from ProofPoint told BleepingComputer that the switch to HTML attachments occurred in the middle of January 2020.
TA505 back from vacation
"The new campaign uses HTML redirectors attached to emails. When opened, the HTML leads to the download a malicious macro-laden Excel file that drops the payload," Microsoft Security Intelligence's researchers explain. "In contrast, past Dudear email campaigns carried the malware as an attachment or used malicious URLs."

The victims are instructed to open the Excel document on their computer as online previewing is not available and to enable editing to get access to its contents.
Click to expand...

Minimalist · Feb 28, 2020

TA505 hacking crew spent much of 2019 trying to breach South Korea's financial sector

A gang of hackers with a long history of financially motivated attacks increased its targeting of businesses in South Korea last year, using a combination of malicious attachments and ransomware to haunt victims, according to new findings.
Click to expand...

https://www.cyberscoop.com/ta505-south-korea-bank-phishing/

guest · Mar 3, 2020

Cyberthreat Intelligence Report: Profiling of TA505 Threat Group
February 28, 2020
https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do

Profiling of TA505 Threat Group
That Continues to Attack the Financial Sector
(Follow the Trail of TA505)

Based on the information gathered by the Financial Security Institute for about a year, this report contains the TA505 threat group's tactics, techniques, procedures and recent trends.
* TA505(Threat Actor 505) : The threat group that has attacked foreign financial institutions by using malwares, ransomwares and remote-controlled malwares since 2014.
Click to expand...

[FSI Intelligence Report]TA505 Threat Group Profiling_En.pdf (PDF - 8.11 MB): https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do
[FSI Intelligence Report]TA505 Threat Group Profiling(Abridged)_En.pdf (PDF - 1.78 MB): https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2298.do

guest · Apr 14, 2020

TA505 Crime Gang Deploys SDBbot for Corporate Network Takeover
The custom RAT offers persistent access, data exfiltration and lateral network movement
April 14, 2020
https://threatpost.com/ta505-crime-gang-sdbbot-corporate-network-takeover/154779/

The TA505 cybercrime group has ramped up its attacks lately, with a set of campaigns bent on spreading the persistent SDBbot remote-access trojan (RAT) laterally throughout an entire corporate environment, researchers said.

SDBbot RAT is a custom job that has been observed in TA505 attacks since at least September 2019; it offers remote-access capabilities and has a few spyware aspects, including the ability to exfiltrate data from the victimized devices and networks.

“SDBbot has the ability to perform typical RAT functions, such as communicating with command-and-control servers (C2s), receiving commands and obtaining system information,” according to Melissa Frydrych, researcher with IBM X-Force Incident Response and Intelligence Services (IRIS), writing in an analysis posted Tuesday on the campaign.
In one set of recent campaigns extensively analyzed by IBM X-Force targeted emails were sent to enterprise employees in Europe. The malicious emails purported to be messages coming from the HR department via Onehub, which is a legitimate, cloud-based file-sharing application for businesses.
Click to expand...

The Infection Routine
If an employee was duped into opening the document, it executed a code tasked with establishing a persistence mechanism and the malicious password harvester, according to the researcher.

“In this instance, once the malicious code was executed, it dropped a malicious binary (DLL) similar to CobaltStrike, which subsequently created and executed additional files,” Frydrych wrote in the analysis.
“If regular user privileges are running, the installer component will establish persistence using the registry Run and execute [the next stage],” Frydrych said.
In the campaign, TA505 used the initially compromised system to escalate privileges and move laterally across additional systems on the network using the AD credentials harvested earlier, according to the researcher.
Click to expand...

IBM X-Force: TA505 Continues to Infect Networks With SDBbot RAT

guest · Oct 17, 2021

Russia-Linked TA505 targets financial institutions in a new malspam campaign
October 16, 2021
https://securityaffairs.co/wordpress/123441/breaking-news/ta505-mirrorblast-malspam-campaign.html

Russia-linked APT group TA505 (e.g. Evil Corp) is leveraging a lightweight Office file in a new malware campaign, tracked as MirrorBlast, targeting financial institutions in multiple geographies.

In September, researchers from Morphisec observed a malspam campaign delivering weaponized Excel documents and targeting multiple sectors from several countries, including Canada, the United States, Hong Kong, and Europe.
The MirrorBlast campaign is similar to another activity in April 2021, the attack chain is compatible with tactics, techniques, and procedures commonly associated with the TA505 group.
Click to expand...

The infection chain starts with an email attachment document, but researches also observed threat actors using the Google feedproxy URL with SharePoint and OneDrive lure, which poses as a file share request.
Experts noticed that the Excel document is weaponized with an extremely lightweight macro code.

“TA505 is one of many financially motivated threat groups currently active in the marketplace. They are also one of the most creative, as they have a tendency to constantly shift the attacks they leverage to achieve their goals. This new attack chain for MirrorBlast is no exception for TA505 or for other innovative threat groups.” concludes the report.
“The ability of the MirrorBlast attack to have very low detections in VirusTotal is also indicative of the focus most groups have on evading detection-centric solutions. Yet again, it is clear that the market’s reliance on detection and response leaves them open to more attacks than it resolves. A new way forward is needed.”
Click to expand...

Morphisec: Explosive New MirrorBlast Campaign Targets Financial Companies

KEY POINTS:

Morphisec Labs tracked a new MirrorBlast campaign targeting financial services organizations

MirrorBlast is delivered via a phishing email that contains malicious links which download a weaponized Excel document

MirrorBlast has low detections on VirusTotal due to the extremely lightweight macro embedded in its Excel files, making it particularly dangerous for organizations that depend on detection-based security and sandboxing

Click to expand...

guest · Oct 19, 2021

TA505 Gang Is Back With Newly Polished FlawedGrace RAT
October 19, 2021
https://threatpost.com/ta505-retooled-flawedgrace-rat/175559/

The TA505 cybercrime group is whirring its financial rip-off machinery back up, pelting malware at a range of industries in what was initially low-volume waves that researchers saw spiral up late last month.

“Tracking TA505 is one of life’s guilty little pleasures,” she admitted. “They are a trailblazer in the world of cybercrime, regularly changing up their [tactics, techniques and procedures, or TTPs].”
TA505, aka Hive0065, is a gang of cybercrooks involved in both financial swindles and state-sponsored actions. Proofpoint researchers describe the group as being “one of the more prolific actors” that they track.
Click to expand...

The most recent bout of campaigns is reminiscent of TA505’s activity from 2019 and 2020, but “it doesn’t lack for some intriguing, new elements,” DeGrippo said, including spiffed-up tools and exotic languages. “In addition to updating [the FlawedGrace remote-access trojan, or RAT], they also overhauled their intermediate loader stages, replacing trusty Get2 with several new downloaders that are coded in unusual scripting languages,” she noted.
Retooling to Re-Attack
True to form, the gang’s latest campaigns are distributed across a wide range of industries. They’re also showing up with new gear, including an upgraded KiXtart loader, the MirrorBlast loader that downloads Rebol script stagers, the retooled FlawedGrace RAT, and updated malicious Excel attachments.
Click to expand...

They predicted that the future probably holds yet more novelty from the ever-shifting tricksters, Proofpoint researchers said:

“[We] expect TA505 to continue to adjust its operations and methods always with an eye to financial gain. Using intermediate loaders in its attack chain is also likely to become a longer-term technique employed by the threat actor.”
Click to expand...

Proofpoint: Whatta TA: TA505 Ramps Up Activity, Delivers New FlawedGrace Variant

Key Takeaways

The prominent TA505 has returned to distributing large volumes of malicious emails affecting most industries.

New tools include a KiXtart Loader, the MirrorBlast loader, an updated FlawedGrace variant, and updated malicious Excel attachments.

One of the region-specific campaigns targeted German-speaking countries, notably Germany and Austria.

The campaigns share many similarities with TA505 campaigns from 2019 and 2020.

Click to expand...

guest · Dec 6, 2021

TA505 Seen Using P2P RAT in New Operations
December 1, 2021

A threat group known for deploying the Clop ransomware and Dridex trojan is now using a unique remote administration tool that can communicate directly with other compromised hosts via a peer-to-peer network.

Researchers at NCC Group have been tracking the activity from a group known as TA505 for several months and they’ve discovered at least three distinct networks of infected machines. The RAT that the group is deploying bears some resemblance to other tools that TA505 uses, such as a similar programming style to a tool known as Grace that the group has deployed for several years.
Click to expand...

TA505 is a venerable group and, like many other cybercrime groups, it has shifted tactics many times over the years in order to keep ahead of defenders and maximize profits.

“However in 2017 TA505 went on their own path and specifically in 2018 executed a large number of attacks using the tool called ‘Grace’, also known publicly as ‘FlawedGrace’ and ‘GraceWire’. The victims were mostly financial institutions and a large number of the victims were located in Africa, South Asia, and South East Asia with confirmed fraudulent wire transactions and card data theft originating from victims of TA505,” a report by Nikolaos Pantazopoulos and Michael Sandee of NCC Group says.
Click to expand...

The new RAT that NCC Group discovered is relatively simple and includes three individual components: a loader, a signed driver, and a tool that performs the communication with other nodes on the network. Once the downloader is on a new machine, it checks the operating system version and then contacts the remote command-and-control server and downloads several other files, including the P2P binary itself, some drivers, and lists of processes, drivers, services, registry keys, and files to filter.

NCC Group didn’t specify where the targets of the new RAT are, but TA505 has been known to target a wide range of organizations around the world in past operations.
Click to expand...

NCC Group: Tracking a P2P network related to TA505

During this research we encountered a number of binary files that we have attributed to the developer(s) of ‘Grace’ (i.e. FlawedGrace). These included a remote administration tool (RAT) used exclusively by TA505. The identified binary files are capable of communicating with each other through a peer-to-peer (P2P) network via UDP. While there does not appear to be a direct interaction between the identified samples and a host infected by ‘Grace’, we believe with medium to high confidence that there is a connection to the developer(s) of ‘Grace’ and the identified binaries.
Click to expand...

In summary, we found the following:

P2P binary files, which are downloaded along with other Necurs components (signed drivers, block lists)

P2P binary files, which transfer certain information (records) between nodes

Based on the network IDs of the identified samples, there seem to be at least three different networks running

The programming style and dropped file formats match the development standards of ‘Grace’

Click to expand...

Log in or Sign up

Russian TA505 threat actor target financial entities worldwide

guest Guest

guest Guest

guest Guest

guest Guest

Minimalist Registered Member

guest Guest

guest Guest

guest Guest

Minimalist Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Russian TA505 threat actor target financial entities worldwide

guest Guest

guest Guest

guest Guest

guest Guest

Minimalist Registered Member

guest Guest

guest Guest

guest Guest

Minimalist Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches