Malware belonging to Russian-speaking threat actors was used in attacks at the end of January against at least two European pharmaceutical and manufacturing firms.
Based on the tools used in the attacks, the perpetrators are suspected to be the financially motivated gangs Silence and TA505.
While the history of TA505 attacks includes targets in the medical field, if security researchers are right, these incidents represent a deviation for Silence from its usual targets, which are banks and financial organizations.
The first malware samples used in these attacks appeared on the VirusTotal scanning service on February 2: Silence.ProxyBot and a modified version of Silence.MainModule.
Both samples are associated with Silence, a group that began attacking banks in former Soviet Union countries in 2016 and later extended its operations internationally. The activity of this threat actor has been tracked by Group-IB, a Singapore-based cybersecurity firm.
Analyzing the malware samples, Group-IB researchers identified at least two victims, in Belgium and Germany, and provided each with the details needed to stop the attackers' progress.
The research identified two IP addresses used for command and control. One is located in the Czech Republic (195.123.246[.]126, which has been in use since late January) and the other in Denmark (37.120.145[.]253); each has a record of suspicious activity noted by numerous threat intelligence services.
Examination of the criminal infrastructure showed that the intruders used two vulnerabilities (CVE-2019-1405 and CVE-2019-1322) affecting Windows 10 and earlier to escalate local privileges. The exploit was packaged in an executable named 'comahawk.exe'. The link between TA505 and the attacks became apparent when researchers found the TinyMet Meterpreter stager, which had been associated with this adversary in the past and was packed with the group's custom packer.
The connection between Silence and TA505 is not new. Group-IB stated in 2019 that the two groups were likely using tools (Silence.Downloader and FlawedAmmyy.Downloader) created by the same developer.
In fact, towards the end of 2019 the company's incident response department found that Silence had infiltrated at least one bank in Europe with the help of TA505, which had a connection to the target network.
Switching from banks and financial corporations to pharmaceutical and industrial firms is an unusual move for the Silence group, which specializes in attacking banks and financial organizations.
At this stage, it is unclear whether the attackers managed to compromise the new targets and what damage was done, but the researchers did identify techniques used for lateral movement.
Rustam Mirkasymov, head of the Group-IB Dynamic Malware Analysis Unit, says the purpose of the attack could have been either a ransomware infection or a supply chain attack.
If ransomware was the end goal, TA505 is known to have deployed at least three strains in the past: Locky, Rapid, and Clop. However, in these recent incidents the final payload could not be identified, since the attack was halted at an intermediate stage, Mirkasymov told BleepingComputer.
The researcher assesses with moderate confidence that Silence is behind these attacks, but does not rule out the possibility that the group's tools were handed to another threat actor or stolen from TA505.
“Slight modifications of Silence.ProxyBot and Silence.MainModule can be explained by the gang’s attempts to avoid detection as a result of being in the spotlight of security researchers for some time now” – Rustam Mirkasymov