A deep insight into the prolific TA505 Threat Actor Group’s massive campaigns
- The TA505 threat actor group is believed to be behind the Dridex banking trojan, FlawedAmmyy RAT, FlawedGrace malware, tRAT, RMS RAT, GlobeImposter ransomware, Trickbot, and Locky ransomware.
- TA505 threat actor group is responsible for various large-scale malspam attacks since 2014.
The TA505 threat actor group has been active since 2014 and, from 2014 through 2018, was observed distributing the Dridex banking trojan, GlobeImposter ransomware, Trickbot, and Locky ransomware.
In 2018, the group was spotted distributing various remote access trojans such as FlawedAmmyy, FlawedGrace, tRAT, and RMS RAT. The group is responsible for numerous large-scale malspam attacks and relies heavily on the Necurs botnet for distribution.
TA505 distributing Locky and Trickbot
In September 2017, the threat actor group was spotted primarily distributing Locky ransomware. A month later, the group started distributing both Locky and Trickbot, depending on the victims’ geolocation.
For instance, victims in the UK, Ireland, Luxembourg, Belgium, and Australia were targeted with the Trickbot campaign, while victims in the rest of the countries were targeted with Locky ransomware.
Through November 9, 2017, TA505 distributed various campaigns, sometimes two per day, primarily distributing the Locky ransomware.
TA505 distributing GlobeImposter, Dridex, and DreamSmasher
In December 2017, the prolific TA505 threat actor group launched a massive 34 campaigns. Of these 34 campaigns, 24 distributed the GlobeImposter ransomware, while the rest distributed other malware such as Trickbot, Dridex and DreamSmasher.
TA505 distributing FlawedAmmyy RAT
On March 5 and 6, 2018, a massive phishing email campaign was spotted distributing the FlawedAmmyy RAT as the payload. The phishing emails contained a zipped malicious URL attachment. The message content and the delivery of the campaign revealed that it was distributed by the threat actor group TA505. Throughout March and April, the group was observed distributing the FlawedAmmyy RAT.
In July 2018, a large phishing email campaign with hundreds of thousands of messages attempting to deliver a PDF attachment with an embedded SettingContent-ms file was observed. Once the PDF attachment was downloaded, Windows would run the SettingContent-ms file, and the PowerShell command contained within its ‘DeepLink’ element downloaded and executed the FlawedAmmyy RAT. The TA505 threat actor group was behind this massive campaign.
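The DeepLink element described above is the pivot a defender can triage on: a stock SettingContent-ms shortcut points at control.exe or an ms-settings: URI, never at a script interpreter. The following is an added example (not code from the original article or from any vendor) that parses a SettingContent-ms document and classifies each DeepLink; the sample files, the xmlns value and the allowlist of benign DeepLink shapes are assumptions constructed for illustration.

```python
"""Triage helper for .SettingContent-ms files (added example): flag DeepLink
values that launch a script interpreter instead of a Settings applet."""
import re
import xml.etree.ElementTree as ET

# Interpreters/LOLBins that a legitimate Settings shortcut never needs to invoke.
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil", "bitsadmin")
# Assumed allowlist: the DeepLink shapes stock shortcuts use (control.exe or an ms-settings: URI).
BENIGN_RE = re.compile(r"(%windir%|c:\\windows)\\system32\\control\.exe(\s+/name\s+\S+)?$|ms-settings:\S*$")

def local_name(tag: str) -> str:
    """Strip the XML namespace: '{ns}DeepLink' -> 'DeepLink'."""
    return tag.rsplit("}", 1)[-1]

def deep_links(xml_text: str) -> list[str]:
    """Return the text of every DeepLink element, whatever namespace it uses."""
    root = ET.fromstring(xml_text)
    return [(el.text or "").strip() for el in root.iter() if local_name(el.tag) == "DeepLink"]

def classify(deeplink: str) -> str:
    """'suspicious' if an interpreter is named, 'benign' if it matches a stock
    control.exe/ms-settings target, 'review' for anything else."""
    v = deeplink.lower()
    if any(name in v for name in INTERPRETERS):
        return "suspicious"
    return "benign" if BENIGN_RE.match(v) else "review"

def triage(xml_text: str) -> list[tuple[str, str]]:
    """Classify each DeepLink found in one .SettingContent-ms document."""
    return [(classify(v), v) for v in deep_links(xml_text)]

# Constructed samples (not real campaign artefacts). The first mirrors a stock
# Control Panel shortcut; the second carries a PowerShell command line in DeepLink.
BENIGN_SAMPLE = r"""<PCSettings><SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
  <ApplicationInformation><AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
    <DeepLink>%windir%\system32\control.exe</DeepLink><Icon>%windir%\system32\control.exe</Icon>
  </ApplicationInformation></SearchableContent></PCSettings>"""
SUSPICIOUS_SAMPLE = r"""<PCSettings><SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
  <ApplicationInformation><AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
    <DeepLink>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "CONSTRUCTED_PLACEHOLDER"</DeepLink>
  </ApplicationInformation></SearchableContent></PCSettings>"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        for verdict, link in triage(doc):
            print(f"{name:10s} -> {verdict:10s} {link}")
```

Run it over files extracted from PDF attachments or found under a user profile; anything rated suspicious or review warrants a look at the full command line before the file is ever opened.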
TA505 distributing tRAT
In October 2018, the TA505 group was observed distributing the tRAT malware via phishing campaigns targeting financial institutions. Researchers observed two campaigns, one in September 2018 and the other in October 2018.
Pied Piper phishing campaign distributing FlawedAmmyy and RMS RAT
In November 2018, TA505 distributed the FlawedAmmyy and Remote Manipulator (RMS) RAT via a phishing campaign dubbed Pied Piper. The Pied Piper campaign targeted food chains including Godiva Chocolates, Pinkberry, and Yogurtland.
The Pied Piper phishing campaign distributed Microsoft Office document attachments disguised as business invoices and tricked victims into enabling malicious macros that started the infection. Once enabled, the macro installed a scheduled task that executed the next-stage payload. The scheduled task then ran a PowerShell command that downloaded an MSI installer containing an executable file ‘MYEXE’. This file scans the infected system for antivirus solutions and then downloads the final payload as a temp file.
TA505 group’s new campaign targeting US retail, restaurant, and grocery chains
Another TA505 phishing campaign was discovered on December 3, 2018. This campaign targeted retail, restaurant, and grocery chains across the US. In it, the threat group distributed the FlawedAmmyy and the Remote Manipulator (RMS) RAT.
The phishing email contained a scanned document, which in turn, contained a malicious Word document. The malicious document contained macros, which if enabled, allowed attackers to install the Remote Manipulator System (RMS). Researchers observed that each of the malicious documents was created to be unique to the targeted company, and even contained the logo of the targeted firm.
TA505 latest campaign distributing ServHelper Backdoor and FlawedGrace RAT
On December 13, 2018, researchers observed TA505’s latest campaign, targeting retail and financial services. The campaign used two variants of the ‘ServHelper’ backdoor and the ‘FlawedGrace’ remote access trojan.
The phishing emails contained a mixture of Microsoft Word attachments with embedded malicious macros, PDF attachments with URLs linking to a fake ‘Adobe PDF Plugin’ web page that in turn linked to the malware, and direct URLs in the email body linking to a ServHelper executable. In this campaign, ServHelper downloads and executes the FlawedGrace malware.