One of the most successful cybercriminal groups in the world altered its tactics, as well as spreading new forms of malware to bank and financial services employees in the United Arab Emirates and Singapore in its recent campaign.
TA505 was first created in 2014 and has grown into one of the world’s most productive cybercrime groups providing victims with RATs, information robbers and banking trojans.
Some of the most productive malicious cyber campaigns in recent years, such as Dridex bank trojan and Locky ransomware, are the group responsible. Much of TA505, combined with a continuous upgrade of the payloads, stems from the sheer volume of their attacks.
Now the cybercrime operation has once again shifted its tactics, introducing a different kind of malware into their campaigns from June to more targeted attacks.
The malware is used as a downloader by cyber safety researchers at Proofpoint and is described as having code and behavior similarities to Andromeda, which recently became one of the largest malware botnets worldwide.
A leaked version of the Andromeda code is possible for TA505, or the botnet authors could now offer their services to the group.
TA505, which uses the initial infection to drop a second hand charge on the affected computer, is currently using AndroMut as the first stage in a two-stage attack: a remote access Trojan FlawedAmmyy.
This virulent malware lets the assailant remotely control the infected Windows machine and provides access to files, credentials, and more–which is used, in this case, to infiltrate banks ‘ networks.
The malware is distributed in phishing e-mails, as with the other TA505 campaigns, claiming to have invoices and other documents related to banking and finance.
If the Word document is opened by users, social engineering will continue the attack. In one instance, the information is said to be’ protected’ and must be edited to see it.
This makes it possible for macros to deliver AndroMut to the machine that permits FlawedAmmyy to be downloaded and a potential total compromise to the target.
This enables cyber criminals to access data that can be used to make good use of large sums of money in the recent development of what was a longstanding success.
“TA505’s move to distribution of RATs and downloaders primarily in more specific campaigns than previously used with banking Trojans and ransomware indicates a significant shift in tackling them. The main objective of the group is to promote better-quality infections that are potentially monetized for the long term, quality over quantity.”
This latest shift seems to be only the latest TA505 model following market trends and the direction of money. It’s unlikely that this will change strategy permanently.
“The ultimate outcome or endgame is not clear,” Dawson said. “That is not clear. “TA505 follows money very closely, adapting to world trends and explore new geographies and payloads in the interests of maximizing their returns,” he added.
The researchers presented in their complete analysis of the campaign a complete list of TA505 Phishing Paper Compromise Indicators, Andromut and FlawdAmmy.
