TA505 APT Group Returns With New Techniques: ReportGroup Using HTML Redirectors to Deliver Malware
After a hiatus, TA505 - a sophisticated advanced persistent threat group that has targeted financial companies and retailers in several countries, including the U.S. - has returned with a campaign that uses HTML redirectors to deliver malicious Excel documents, according to Microsoft and other security researchers.
This threat group is believed to have caused over $100 million in losses over the years, according to the U.S. Treasury Department, which published a report about the group in December when it issued sanctions against some of its members (see: Two Russians Indicted Over $100M Dridex Malware Thefts).
In a series of tweets, the Microsoft Security Intelligence team recently offered details about an ongoing TA505 phishing campaign. The new technique of using HTML redirectors in this latest campaign provides an additional obfuscation layer to the attack, according to Microsoft.
Dudear (aka TA505/SectorJ04/Evil Corp), used in some of the biggest malware campaigns today, is back in operations this month after a short hiatus. While we saw some changes in tactics, the revived Dudear still attempts to deploy the info-stealing Trojan GraceWire.— Microsoft Security Intelligence (@MsftSecIntel) January 30, 2020
TA505, which Microsoft refers also refers to as Dudear and Evil Corp, was first detected in 2014, according to a previous analysis. The group has targeted banks, financial institutions, retailers and other businesses in multiple countries, including the U.S., over the last six years.
The attack group, which is believed to be based in Russia, has been implicated in large-scale spam campaigns, and has distributed Trojans such as Dridex and The Trick as well as Locky and Jaff ransomware, according to Proofpoint, which published a detailed analysis of the group in 2017.
Over the years, TA505 has been known to deploy new techniques when it starts a new spam or phishing campaign. In April 2019, for instance, Cybereason published a report that found the group was using legitimately signed certificates to disguise malware that can penetrate banking networks (see: TA505 Group Hides Malware in Legitimate Certificates)
New Phishing Emails
In past attacks, TA5050 would deliver malware to a target's device using an attached document or a malicious link embedded in an email, according to the latest Microsoft report. But in its newest campaign, the HTML attachments automatically start downloading the malicious Excel file, which then drops a payload, according to the report.
"The new campaign uses HTML redirectors attached to emails," according to Microsoft. "When opened, the HTML leads to the download Dudear, a malicious macro-laden Excel file that drops the payload. In contrast, past Dudear email campaigns carried the malware as an attachment or used malicious URLs."
In its latest campaign, TA505 also uses HTML written in different languages, and the attackers deploy an IP trace-back service to track addresses of machines that download the malicious Excel file, according to Microsoft.
While the method of deploying the payload has changed, TA505 still attempts to deploy malware known as GraceWire, an info-stealing remote access Trojan or RAT, according to Microsoft.
The Reach of TA505
In the past, TA505 carried out attacks in North America, Asia, Africa and South America, targeting banks with backdoor malware to penetrate networks.
Security firm Prevailion has also published a new report that describes new activity associated with TA505. This report identifies more than 1,000 potential victims.
"During our analysis of this campaign, we were able to identify at least one U.S. based electrical company, a U.S. state government network, and one of the world's largest 25 banks exhibiting evidence of compromise," Prevailion report.
TA505 is using a number of commercially available remote access Trojans, including one called FlawedAmmyy, researchers at Prevailion say.
Last August, researchers from security firm Group-IB found that both TA5050 and another group called Silence have used FlawedAmmyy Trojan (see: 'Silence' Gang Ramps Up Bank Assaults).