TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy

guest · Aug 27, 2019

TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy
August 27, 2019
https://blog.trendmicro.com/trendla...ty-is-the-spice-of-servhelper-and-flawedammyy

Despite the changes, TA505 continues to use either FlawedAmmyy RAT (remote access trojan) or ServHelper as payloads. However, over the last nine campaigns since our June report, they also started using .ISO image attachments as the point of entry, as well as a .NET downloader, a new style for macro delivery, a newer version of ServHelper, and a .DLL variant of FlawedAmmyy downloader.
.ISO, enabled macros for entry dropping ServHelper or FlawedAmmyy
We noticed that the group became active again in the middle of July, targeting Turkish and Serbian banks with emails that had .ISO file attachments as a means of entry. While the method is not new, the change in file type may yield successful infections given the unusual malware delivery technique.

The changes and adjustments that TA505 made from the original ServHelper and FlawedAmmyy routines may indicate that the group is experimenting and testing to determine which forms of obfuscation can bypass detections, resulting in more financial returns.
As they continue to target businesses in different sectors, we can expect TA505 to keep using phishing and social engineering techniques to compromise systems.
Click to expand...

guest · Aug 13, 2021

New TA505 Campaign Uses Signed Files to Drop ServHelper Malware
August 12, 2021
https://duo.com/decipher/new-ta505-campaign-uses-signed-files-to-drop-servhelper-malware

A long-established and successful cybercrime group known as TA505 has recently increased its activity and is using a variety of techniques and tools to install the ServHelper RAT on compromised systems, including piggybacking on other malware and using signed installers for other software.

TA505 has been around for several years and is known to use a wide range of malware and tools in its operations. The group has used Dridex, Trickbot and SDBot in the past, but the ServHelper RAT is the piece of malware most closely associated with its campaigns. Researchers from Cisco Talos have been tracking a recent uptick in ServHelper installations on compromised systems, some of which are from compromised websites.

“One path for infection starts with the compromise of a legitimate site that hosts cryptographically signed MSI installers. These install popular software such as Discord. However, they also launch a variant of the Raccoon stealer, which downloads and installs a ServHelper RAT if instructed by the command and control (C2) server,” Vanja Svajcer of Cisco Talos wrote in a new analysis of the activity.
Click to expand...

Cisco Talos: Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT

News summary

Group TA505 has been active for at least seven years, making wide-ranging connections with other threat actors involved in ransomware, stealing credit card numbers and exfiltrating data. One of the common tools in TA505's arsenal is ServHelper. In mid-June, Cisco Talos detected an increase in ServHelper's activity. We investigated the activity and discovered a set of intertwined malware families and TTPs.

We found that ServHelper is being installed onto the targeted systems using several different mechanisms, ranging from fake installers for popular software to using other malware families such as Raccoon and Amadey as the installation proxies.

This threat demonstrates several techniques of the MITRE ATT&CK framework, most notably Scripting - T1064, PowerShell - T1059.001, Process Injection - T1055, Non-Standard Port - T1571, Remote Access Software - T1219, Input Capture - T1056, Obfuscated Files or Information - T1027, Ingress Tool Transfer - T1105, and Registry Run Keys/Startup Folder - T1547.001.

Click to expand...

guest · Sep 6, 2022

Experts discovered TeslaGun Panel used by TA505 to manage its ServHelper Backdoor
By Pierluigi Paganini - September 6, 2022

Researchers from cybersecurity firm PRODAFT have discovered a previously undocumented software control panel, tracked as TeslaGun, used by a cybercrime group known as TA505.

Russian TA505 hacking group, aka Evil Corp, has been active since 2014 focusing on Retail and banking sectors. The group is also known for some evasive techniques they put in place over time to avoid the security controls and penetrate corporate perimeters with several kinds of malware, for instance abusing the so-called LOLBins (Living Off The Land Binaries), legit programs regularly used by victim, or also the abuse of valid cryptographically signed payloads.
Click to expand...

Now PRODAFT experts state that the group has carried out mass phishing campaigns against at
least 8160 targets. Most of the victims are in the finance sector or individuals. TeslaGun victim data revealed that 3667 targets are in the US.

The financially-motivated group is known to have used multiple malware in its attacks, including FlawedAmmyy, the ServHelper backdoor and FlawedGrace malware.
Click to expand...

The ServHelper backdoor is written in Delphi and according to the experts, the development team continues to update it by implementing new features since 2019. Researchers pointed out that almost every new campaign used a new variant of the malware.

The TeslaGun control panel was used by the threat actors to manage the ServHelper backdoor, it acts as a C2 infrastructure allowing operators to issue commands.

The actors regularly migrate their proxy servers to new servers in the same datacenter to attain a low detection rate. During our investigation, we observed several TeslaGun management panels predominantly residing in MivoCloud SRL, Moldova” reads the report published by the experts. “The TeslaGun panel has a pragmatic, minimalist design. The main dashboard only contains infected victim data, a generic comment section for each victim, and several options for filtering victim records.”
Click to expand...

PRODAFT: [TA505] TA505 Group's TeslaGun In-Depth Analysis

TA505 is a financially motivated threat group that has been active since 2014. The group frequently changes its malware attack strategies in response to global cybercrime trends. It opportunistically adopts new technologies in order to gain leverage over victims before the wider cybersecurity industry catches on.

This report provides insight into how TA505 enables and manages these attacks through its ”TeslaGun” control panel. The PRODAFT Threat Intelligence (PTI) team identified the group’s control panel and used it to glean insight into how the organization works.
Click to expand...

Log in or Sign up

TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy

guest Guest

guest Guest

guest Guest

Log in or Sign up

TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy

guest Guest

guest Guest

guest Guest

Useful Searches