Cybercrime , Fraud Management & Cybercrime , Next-Generation Technologies & Secure Development

TA505 APT Group Returns With New Techniques: Report

Group Using HTML Redirectors to Deliver Malware
TA505 APT Group Returns With New Techniques: Report

After a hiatus, TA505 - a sophisticated advanced persistent threat group that has targeted financial companies and retailers in several countries, including the U.S. - has returned with a campaign that uses HTML redirectors to deliver malicious Excel documents, according to Microsoft and other security researchers.

See Also: Live Webinar | Adversary Analysis of Ransomware Trends

This threat group is believed to have caused over $100 million in losses over the years, according to the U.S. Treasury Department, which published a report about the group in December when it issued sanctions against some of its members (see: Two Russians Indicted Over $100M Dridex Malware Thefts).

In a series of tweets, the Microsoft Security Intelligence team recently offered details about an ongoing TA505 phishing campaign. The new technique of using HTML redirectors in this latest campaign provides an additional obfuscation layer to the attack, according to Microsoft.

Ongoing Threat

TA505, which Microsoft refers also refers to as Dudear and Evil Corp, was first detected in 2014, according to a previous analysis. The group has targeted banks, financial institutions, retailers and other businesses in multiple countries, including the U.S., over the last six years.

The attack group, which is believed to be based in Russia, has been implicated in large-scale spam campaigns, and has distributed Trojans such as Dridex and The Trick as well as Locky and Jaff ransomware, according to Proofpoint, which published a detailed analysis of the group in 2017.

Over the years, TA505 has been known to deploy new techniques when it starts a new spam or phishing campaign. In April 2019, for instance, Cybereason published a report that found the group was using legitimately signed certificates to disguise malware that can penetrate banking networks (see: TA505 Group Hides Malware in Legitimate Certificates)

New Phishing Emails

In past attacks, TA5050 would deliver malware to a target's device using an attached document or a malicious link embedded in an email, according to the latest Microsoft report. But in its newest campaign, the HTML attachments automatically start downloading the malicious Excel file, which then drops a payload, according to the report.

"The new campaign uses HTML redirectors attached to emails," according to Microsoft. "When opened, the HTML leads to the download Dudear, a malicious macro-laden Excel file that drops the payload. In contrast, past Dudear email campaigns carried the malware as an attachment or used malicious URLs."

In its latest campaign, TA505 also uses HTML written in different languages, and the attackers deploy an IP trace-back service to track addresses of machines that download the malicious Excel file, according to Microsoft.

While the method of deploying the payload has changed, TA505 still attempts to deploy malware known as GraceWire, an info-stealing remote access Trojan or RAT, according to Microsoft.

The Reach of TA505

In the past, TA505 carried out attacks in North America, Asia, Africa and South America, targeting banks with backdoor malware to penetrate networks.

Security firm Prevailion has also published a new report that describes new activity associated with TA505. This report identifies more than 1,000 potential victims.

"During our analysis of this campaign, we were able to identify at least one U.S. based electrical company, a U.S. state government network, and one of the world’s largest 25 banks exhibiting evidence of compromise," Prevailion report.

TA505 is using a number of commercially available remote access Trojans, including one called FlawedAmmyy, researchers at Prevailion say.

Last August, researchers from security firm Group-IB found that both TA5050 and another group called Silence have used FlawedAmmyy Trojan (see: 'Silence' Gang Ramps Up Bank Assaults).

About the Author

Ishita Chigilli Palli

Ishita Chigilli Palli

Senior Correspondent, Global News Desk

As senior correspondent for Information Security Media Group's global news desk, Ishita covers news worldwide. She previously worked at Thomson Reuters, where she specialized in reporting breaking news stories on a variety of topics.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.