The cybercriminal gang TA505 known as one of the most successful cybercriminal groups has launched a new campaign aimed at bank and financial services employees in the US, the United Arab Emirates and Singapore.

TA505 has been active since at least 2014 and over the years has become one of the most prolific cybercriminal groups, infecting victims around the world with remote access trojans (RATs), information stealers, banking trojans and ransomware, including Dridex and Locky malware.

In November 2018 the group began distributing a new backdoor called ServHelper, which came in two forms - one is focused on remote desktop functions and a second is primarily acting as a downloader. Much of TA505's success comes from the ability to constantly update its arsenal of payloads.

In its latest campaign in June 2019 TA505 has switched its tactics once again and introduced yet another new downloader malware, which researchers at Proofpoint referring to as AndroMut. The new downloader written in C++ and is described as having similarities in code and behaviour to a well-known Andromeda malware.

Currently the AndroMut is used as a downloader that drops on the compromised system another payload - FlawedAmmyy RAT that allows the attackers to remotely take complete control of the infected Windows machine, providing them with access to files, credentials and more – which in this instance, TA505 is using to infiltrate the networks of banks.

As the other TA505’s operations, the malware arrives on targeted computers via phishing emails that in this case ostensibly contain invoices and other documents related to banking and finance. If users open the Word document and enable macros the AndroMut is downloaded onto the computer and then the malware downloads the FlawedAmmyy RAT allowing the attackers fully compromise the target.

“TA505's move to primarily distributing RATs and downloaders in much more targeted campaigns than they previously employed with banking Trojans and ransomware suggests a fundamental shift in their tactics. Essentially the group is going after higher quality infections with the potential for longer-term monetization – quality over quantity,” said the researchers adding that commercial banking verticals in the United States, UAE, and Singapore appear to be the primary targets as part of TA505’s usual “follow the money” behavioral pattern.