4 July 2019

TA505 hacking crew sets its sights on financial organizations in Singapore, UAE and U.S.

The cybercriminal gang TA505, known as one of the most successful cybercriminal groups, has launched a new campaign aimed at bank and financial services employees in the US, the United Arab Emirates and Singapore.

TA505 has been active since at least 2014 and over the years has become one of the most prolific cybercriminal groups, infecting victims around the world with remote access trojans (RATs), information stealers, banking trojans and ransomware, including Dridex and Locky malware.

In November 2018 the group began distributing a new backdoor called ServHelper, which came in two forms: one focused on remote desktop functions and a second acting primarily as a downloader. Much of TA505's success comes from its ability to constantly update its arsenal of payloads.

In its latest campaign, in June 2019, TA505 switched its tactics once again and introduced yet another new downloader, which researchers at Proofpoint refer to as AndroMut. The new downloader is written in C++ and is described as having similarities in code and behaviour to the well-known Andromeda malware.

Currently AndroMut is used as a downloader that drops another payload on the compromised system: the FlawedAmmyy RAT, which allows the attackers to take complete remote control of the infected Windows machine, giving them access to files, credentials and more. In this instance, TA505 is using it to infiltrate the networks of banks.

As with TA505’s other operations, the malware arrives on targeted computers via phishing emails that in this case ostensibly contain invoices and other documents related to banking and finance. If a user opens the Word document and enables macros, AndroMut is downloaded onto the computer; the malware then downloads the FlawedAmmyy RAT, allowing the attackers to fully compromise the target.

“TA505's move to primarily distributing RATs and downloaders in much more targeted campaigns than they previously employed with banking Trojans and ransomware suggests a fundamental shift in their tactics. Essentially the group is going after higher quality infections with the potential for longer-term monetization – quality over quantity,” said the researchers, adding that commercial banking verticals in the United States, UAE, and Singapore appear to be the primary targets as part of TA505’s usual “follow the money” behavioral pattern.
