Overview

Starting on November 15, 2018, Proofpoint began observing email campaigns from a specific actor targeting large retail chains, restaurant chains and grocery chains, as well as other organizations in the food and beverage industries. We attributed these campaigns to TA505, the actor behind the largest Dridex and Locky ransomware campaigns of the last two years and more recently associated with distribution of remote access Trojans (RATs) and downloaders.

Campaign Details

On December 3, 2018, we observed a TA505 campaign targeting almost exclusively retail, grocery, and restaurant chains. The attached document was unique to the targeted company and even contained the targeted company’s logo in the document lure (blurred in the figure with a black box).

Figure 1: Email used in attempts to deliver malicious document on December 3

The lure shown in Figure 2 continues the social engineering introduced in the email, enticing recipients to enable macros so that they can view the contents of the fake scanned document.