TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy

mood · Aug 27, 2019

TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy
August 27, 2019
https://blog.trendmicro.com/trendla...ty-is-the-spice-of-servhelper-and-flawedammyy

Despite the changes, TA505 continues to use either FlawedAmmyy RAT (remote access trojan) or ServHelper as payloads. However, over the last nine campaigns since our June report, they also started using .ISO image attachments as the point of entry, as well as a .NET downloader, a new style for macro delivery, a newer version of ServHelper, and a .DLL variant of FlawedAmmyy downloader.
.ISO, enabled macros for entry dropping ServHelper or FlawedAmmyy
We noticed that the group became active again in the middle of July, targeting Turkish and Serbian banks with emails that had .ISO file attachments as a means of entry. While the method is not new, the change in file type may yield successful infections given the unusual malware delivery technique.

The changes and adjustments that TA505 made from the original ServHelper and FlawedAmmyy routines may indicate that the group is experimenting and testing to determine which forms of obfuscation can bypass detections, resulting in more financial returns.
As they continue to target businesses in different sectors, we can expect TA505 to keep using phishing and social engineering techniques to compromise systems.
Click to expand...

Log in or Sign up

TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy

mood Updates Team

ZLoader Loads Again: New ZLoader Variant Returns

What’s Dead May Never Die: AZORult Infostealer Decommissioned Again

Log in or Sign up

TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy

mood Updates Team

ZLoader Loads Again: New ZLoader Variant Returns

What’s Dead May Never Die: AZORult Infostealer Decommissioned Again

Useful Searches