Security experts at Proofpoint observed the notorious TA505 cybercrime group that has been using a new RAT dubbed SDBbot in recent attacks.
The TA505 group, that is known to have operated both the Dridex and Locky malware families, continues to make small changes to its operations. TA505 hacking group has been active since 2014 focusing on Retail and banking sectors.
On September 20, new phishing attacks involved thousands of emails, with English and French lures, attempting to deliver Microsoft Excel and .ISO attachments to targets in the United States and Canada.
The TA505 group started delivering SDBbot in early October, it used
“On October 7, instead of directly attached malicious Microsoft Excel files, Proofpoint researchers observed thousands of emails containing URL
The attackers switched from attachments to shortened URLs that point to a malicious Excel sheet, the attacks mainly targeted organizations in the United States.
Experts discovered that the Get2
The SDBbot RAT has three main components, an installer, a loader, and a backdoor component.
The installer is used to store the RAT in the registry and establish persistence for the loader, while if the bot is running with admin privileges on a Windows version newer than Windows 7, persistence is established using the registry “image file execution options” method. If the bot is running as admin on Windows XP or 7, persistence is established using application shimming
“All three of the persistence mechanisms require a reboot to take effect and there is no additional code to continue executing the loader and RAT components from the installer. Proofpoint researchers speculate that the reboot functionality in the Get2 downloader (described above) is used to continue SDBbot’s execution after installation in the TA505 campaigns.” continues the analysis.
The loader is used to execute the loader
The RAT component supports typical RAT functionalities, including command shell, video recording of the screen, remote desktop, port forwarding, and file system access.
“The new Get2
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.