
TA505 threat group returns in new cyber-espionage campaign with new ServHelper and FlawedAmmyy variants

  • The group has also expanded its operations in new countries such as Turkey, Serbia, Romania, Korea, Canada, the Czech Republic, and Hungary.
  • TA505 has been observed using ISO image attachments to distribute a new version of ServHelper and a DLL variant of FlawedAmmyy RAT.

The notorious TA505 threat actor group continues to wreak havoc while maximizing its potential profits. The group has now been found using new variants of the FlawedAmmyy RAT and the ServHelper backdoor to infect organizations in its latest campaigns.

What are the variants?

According to researchers from Trend Micro, TA505 has been observed using ISO image attachments to distribute a new version of ServHelper and a DLL variant of FlawedAmmyy RAT.

Apart from this, the group has also expanded its operations in new countries such as Turkey, Serbia, Romania, Korea, Canada, the Czech Republic, and Hungary.

How did the campaign operate?

Researchers noticed that the group became active again in the middle of July, targeting Turkish and Serbian banks. They used malicious attachments to distribute ServHelper or FlawedAmmyy RAT variants.

Apart from Turkish banks, Turkish educational and government institutions were also targeted in a similar email campaign. These emails were distributed with subjects related to invoice information or personnel payroll, and carried Visual Basic for Applications (VBA) macros in XLS or DOC files.

The banks in Serbia were targeted through phishing emails with subjects pertaining to ‘payments’ or ‘invoices’. These emails included Excel files which, if opened, caused the macros to be enabled. These macros later downloaded a file created using the NSIS installer with ServHelper from 79[.]141[.]168[.]105 or 195[.]123[.]213[.]126.

In another campaign, the threat actor group targeted thousands of Korean businesses using the same ISO attachment, disguised as a confirmed flight ticket from a popular airline. Here the ISO files contained either an LNK file or a .NET-compiled downloader.

For the campaign that targeted Romanian banks, emails were sent with the subject line “Fw: copie COC L5H3” and included an ISO image attachment.
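As an added example (not from the researchers' report or the original article), here is a mail-gateway style check for the ISO attachments described above: it recognises an ISO 9660 image by content rather than file extension and lists root-directory files with extensions such as .lnk or .exe. The function names, the extension list and the sample image are assumptions constructed for illustration; only the primary volume descriptor is read, so Joliet long names and UDF-only images are out of scope.

```python
import os
import struct

SECTOR = 2048
# Assumption: extensions worth flagging inside a mailed disk image; tune to local policy.
RISKY_EXT = {".lnk", ".exe", ".dll", ".msi", ".scr", ".js", ".vbs"}

def iso_root_entries(data):
    """Return file names in the root directory of an ISO 9660 image, or None if not one."""
    pvd = data[16 * SECTOR:17 * SECTOR]
    # Primary Volume Descriptor lives in sector 16: type byte 1, then magic "CD001".
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        return None
    # Root directory record sits at offset 156: little-endian extent LBA, then length.
    lba, size = struct.unpack_from("<I4xI", pvd, 156 + 2)
    dirdata = data[lba * SECTOR:lba * SECTOR + size]
    names, pos = [], 0
    while pos + 33 < len(dirdata):
        rec_len = dirdata[pos]
        if rec_len == 0:  # zero padding up to the next sector boundary
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        name = dirdata[pos + 33:pos + 33 + dirdata[pos + 32]]
        # Skip the "." and ".." entries and subdirectories (flag bit 0x02).
        if name not in (b"\x00", b"\x01") and not dirdata[pos + 25] & 0x02:
            names.append(name.decode("ascii", "replace").split(";")[0])
        pos += rec_len
    return names

def triage_attachment(data):
    """Identify an ISO by content (not file extension) and list risky files in its root."""
    names = iso_root_entries(data)
    if names is None:
        return {"is_iso": False, "flagged": []}
    flagged = [n for n in names if os.path.splitext(n)[1].lower() in RISKY_EXT]
    return {"is_iso": True, "flagged": flagged}

def _dir_record(name, lba, size, flags=0):
    rec = bytearray(33 + len(name) + (1 - len(name) % 2))  # records are even-length
    rec[0], rec[25], rec[32] = len(rec), flags, len(name)
    struct.pack_into("<I4xI", rec, 2, lba, size)
    rec[33:33 + len(name)] = name
    return bytes(rec)

def make_sample_iso(file_names):
    """Constructed input: minimal ISO 9660 image with empty files in the root directory."""
    root = _dir_record(b"\x00", 17, SECTOR, 2) + _dir_record(b"\x01", 17, SECTOR, 2)
    root += b"".join(_dir_record(n.encode() + b";1", 18, 0) for n in file_names)
    pvd = bytearray(b"\x01CD001".ljust(SECTOR, b"\x00"))
    pvd[156:190] = _dir_record(b"\x00", 17, SECTOR, 2)
    return bytes(16 * SECTOR) + bytes(pvd) + root.ljust(SECTOR, b"\x00")
```

Because the check keys on the `CD001` descriptor in sector 16, a renamed image (for example one carrying a document extension) is still identified as a disk image.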

New variant of FlawedAmmyy

In the first week of August, the new variant of FlawedAmmyy RAT was noticed in an operation targeting Canada. The TA505 group had sent emails with subjects asking for confirmation of numbers from the marketing department.

“The attached document asks the user to enable the macros, which creates an Internet Explorer object instance. This loads a text file from a hardcoded website, wherein the content of the document file is parsed through and the inner text of the document is loaded,” added researchers.

Around the second week of August, a campaign targeting banks in the Czech Republic used emails with subjects pertaining to credit and NAV transfer.

“Analysis of the samples revealed that the document and macro style was similar to the Korean campaign that used .MSI files, but this campaign downloads from hxxp://185[.]17[.]122[.]220/555.msi or hxxp://159[.]69[.]54[.]146/555.msi. This .MSI file delivers the NSIS-packed ServHelper, and the binary shares the same C&C server as the campaign targeting Saudi Arabia, Oman, Qatar, and Turkey,” added researchers.

Conclusion

Given the frequency of changes in routines and deployment of malware and attack techniques, security experts believe that TA505 is likely to come up with more methods for payload delivery and malware types.
