TA505 hacker group found targeting US retail, restaurant and grocery chains in new campaign

• TA505 was found delivering various malware payloads, including the FlawedAmmyy RAT.
• Over the past few years, TA505 has evolved from delivering banking trojans and ransomware variants to distributing RATs and downloaders.

A new phishing campaign was discovered being operated by the TA505 hacker group. The group was found targeting retail, restaurant and grocery chains across the US. Unlike previous campaigns in which TA505 delivered either a ransomware or a banking trojan, in this campaign, the hacker group was found distributing the FlawedAmmyy RAT, as well as Remote Manipulator System (RMS), among others.

TA505 is a highly active threat actor group that has, over the past two years, changed tactics to maintain persistence. For instance, the threat group previously used to deliver Locky and Dridex. However, in recent campaigns, TA505 has switched to delivering remote access trojans (RATs) and malware downloaders.

Holiday cybercrime

According to the security researchers at Proofpoint, TA505 launched its latest campaign just in time for the holiday shopping season. The campaign, which was first discovered on December 3, has already pushed out thousands of messages.

The hackers sent out personalized attachments to each of their targets. This technique is new for TA505. The phishing email contains a scanned document, which in turn, contains a malicious Word document. The malicious document contains macros, which if enabled, allows hackers to install the Remote Manipulator System (RMS). Proofpoint researcher discovered that each of the malicious documents was created to be unique to the targeted company, and even contained a logo of the targeted firm.

Hackers following the money

“TA505 has helped shape the threat landscape for years, largely because of the massive volumes associated with their campaigns through the end of 2017,” Proofpoint researchers said in a blog. “When this group changes tactics, it tends to correspond to broader shifts and, throughout the year, we have seen both TA505 and a number of other actors focus on downloaders, RATs, information stealers, and banking Trojans, often in smaller, more targeted campaigns.”

With the holidays right at our doorsteps, cybercriminals are likely to ramp up attacks. TA505 is likely targeting the retail and restaurant industries for this reason - attempting to take advantage of the holiday shopping season to steal credentials and other valuable data. Users are recommended to be highly cautious when shopping line and be on the lookout for phishing emails.