
TA505 Threat Actor Group Spotted Distributing New RAT Dubbed ‘sdbbot’ Via Get2 Downloader

  • Researchers tracked the TA505 group using Get2 as their initial downloader and found out that the downloader downloads FlawedGrace, FlawedAmmyy, and Snatch as secondary payloads along with the new SDBbot RAT.
  • The threat group also employs new Microsoft Office macros along with the Get2 downloader.

What’s new?

Researchers from Proofpoint have observed that the Russian threat actor group ‘TA505’ distributes a new Remote Access Trojan dubbed ‘SDBbot’ via the Get2 downloader.

Key Highlights

Proofpoint researchers tracked the TA505 group using Get2 as their initial downloader and found out that the loader downloads FlawedGrace, FlawedAmmyy, and Snatch as secondary payloads along with the new SDBbot RAT.

  • TA505 continues to target financial institutions across Greece, Germany, and Georgia.
  • The new Get2 loader works in conjunction with a new Microsoft Excel macro, with the downloader being embedded into the Microsoft Excel file as an image.
  • A separate loader DLL is used to execute the SDBbot RAT payload.
  • Researchers also observed that the threat group distributes malspam emails containing URL shortener links.
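
One way a defender can triage the attachment pattern described in these highlights (a macro-enabled workbook that carries its downloader as an embedded "image"), as an added example that is not taken from Proofpoint's report: it unpacks an OOXML workbook, flags the presence of a VBA project, and checks whether every file under xl/media/ actually starts with an image signature. The workbook is a constructed sample built in memory, not a real TA505 artifact.

```python
import io
import zipfile

# Leading bytes of common image formats found under xl/media/ in OOXML files.
IMAGE_MAGICS = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"BM": "bmp",
}

def classify_blob(data):
    """Return the real type of a blob from its leading bytes, ignoring its name."""
    if data[:2] == b"MZ":          # Windows PE header, regardless of extension
        return "pe"
    for magic, name in IMAGE_MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"

def inspect_workbook(blob):
    """Scan an OOXML workbook (.xlsx/.xlsm) for a VBA project and disguised media."""
    findings = {"has_vba": False, "suspicious_media": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower == "xl/vbaproject.bin":
                findings["has_vba"] = True
            elif lower.startswith("xl/media/"):
                kind = classify_blob(zf.read(name))
                if kind not in IMAGE_MAGICS.values():
                    findings["suspicious_media"].append((name, kind))
    return findings

def build_sample():
    """Constructed sample: a minimal workbook with a VBA project and one fake PNG
    whose bytes are actually a PE stub (the pattern described above)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
        zf.writestr("xl/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("xl/media/image2.png", b"MZ" + b"\x90" * 64)
    return buf.getvalue()

if __name__ == "__main__":
    print(inspect_workbook(build_sample()))
```

Run it against real attachments by passing the file bytes to `inspect_workbook`; a workbook that both has a VBA project and contains non-image data under xl/media/ matches the Get2 delivery pattern and deserves sandbox detonation.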

Recent campaigns

Researchers have observed three new campaigns between September 9, 2019, and October 7, 2019.

  • First campaign - The first campaign, observed on September 9, 2019, delivered Microsoft Excel attachments disguised as invoices and business documents, using English and Greek lures. It targeted financial institutions in Greece, Singapore, the United Arab Emirates, Georgia, Sweden, Lithuania, and a few other countries.
  • Second campaign - Researchers observed the second campaign on September 20, 2019. It distributed Microsoft Excel and .ISO attachments with English and French lures and targeted companies in the United States and Canada. In this campaign, the Get2 downloader downloaded FlawedGrace.
  • Third campaign - The third campaign was spotted on October 7, 2019. It used URL shortener links to redirect victims to a landing page that in turn linked to an Excel sheet, and it targeted companies across various industries, primarily in the United States. In this campaign, the Get2 downloader downloaded the new SDBbot RAT.

“With this recently observed October 2019 push by TA505 with attacks on a wide range of verticals and regions, the actor’s usual ‘follow the money’ behavioral pattern remains consistent. The new Get2 downloader, when combined with the SDBbot as its payload, appears to be TA505’s latest trick (or treat) for the Fall of 2019,” researchers said.
