Prolific hacker group TA505 shifts gears with new, diverse malicious attachments and payloads

One of the most prolific hacker groups known as TA505, which is believed to been active since 2014, has significantly evolved over the past year. Security researchers believe that the group’s continuous attempts to incorporate changes showcases how modern-day threat actors are willing to adapt to growing changes in the cyber landscape.

TA505 is believed to be responsible for introducing both the Locky ransomware and the Dridex banking malware into the threat landscape. The group has also launched massive spam campaigns distributing the Trickbot malware, the Jaff ransomware, the Scarab ransomware as well as the GlobeImposter ransomware. The group relies heavily on the Necurs botnet to propagate its campaigns.

According to Proofpoint security researchers, who recently issued a report charting TA505’s evolution over the past couple of years, said the group was still primarily distributing Locky in September 2017.A month later, the group began distributing both Locky as well as Trickbot, depending on victims’ geolocation

For instance, victims in the UK, Ireland, Luxembourg, Belgium and Australia were targeted with the Trickbot campaign while the rest were targeted with Locky.

“Through November 9, TA505 distributed several such campaigns, sometimes two per day, largely distributing Locky,” security researchers at Proofpoint wrote in a blog. “Activity for the rest of November was light, featuring only five more campaigns using embedded Visual Basic scripts in Word documents or VB Script in 7-Zip attachments to distribute The Trick, Dridex, Scarab ransomware, and GlobeImposter ransomware.”

Ramping up campaigns

In December 2017, the highly active TA505 launched a whopping 34 campaigns - which according to Proofpoint researchers was “extremely active even by TA505 standards”. Of the 34 campaigns, 24 involved distributing the GlobeImposter ransomware, while the rest distributed various malware such as Trickbot, Dridex and DreamSmasher.

“TA505 has typically taken some time to resume full operations after the Russian Orthodox holidays. The group is also heavily reliant on the Necurs botnet for its massive campaigns and its operators of the botnet appear to have lost control of the botnet for much of January and February. However, in previous years, Necurs disruptions resulted in complete silence from TA505,” Proofpoint researchers noted. “This year, the group remained active, though campaign frequency and volume were a tiny fraction of their peaks in 2017 during this period.”

Shifting gears in 2018

In the beginning of the new year, the hacker group launched 2 pharmaceutical campaigns which was unusual for the group. The hackers also launched various other smaller campaigns, distributing GrandCrab, Dridex, DreamSmasher and Quant Loader. In March, the hackers once again began leveraging Necurs, launching several large campaigns.

Throughout March and April, TA505 distributed a remote access trojan (RAT) called FlawedAmmyy via the Quant Loader malware. According to Proofpoint researchers, the most recent campaign delivering FlawedAmmyy was detected on May 7. Although the hacker group’s volume of attacks remains low in comparison to their attacks in 2017, the hacker group is continuously experimenting with new techniques and shifting attack vectors.

Researchers believe that TA505’s willingness to constantly change vectors and experiment is the group’s attempt at avoiding detection and bypassing security measures.

“The group’s willingness to explore new vectors, payloads, sending infrastructure, and other malicious services like BlackTDS, even when they do not have access to the Necurs spam cannon, exemplifies the adaptability of modern threat actors,” Proofpoint researchers added.