TA505 Targets Financial and Retail Using ‘Undetectable’ Methods

A financially motivated gang is targeting retailers and financial institutions around the world using remote access software.

CyberInt’s Research Lab has found that TA505 is using tactics and an off-the-shelf commercial remote administration tool, developed by Russian-based company TektonIT. The group was behind attacks on the global financial industry between December 2018 and February 2019 and is using the same techniques, according to the company.

Proofpoint says that according to its actor profile, “TA505 is responsible for the largest malicious spam campaigns we have ever observed, distributing instances of the Dridex banking Trojan, Locky ransomware, Jaff ransomware, The Trick banking Trojan and several others in very high volumes.”

“Although they are using phishing and social engineering to get the software into the organisations, once its installed, it’s virtually undetectable by traditional threat protection systems because it’s legitimate software,” says Adi Peretz, senior strategic consultant and head of research at CyberInt. “They are still very much active and this is only the beginning of our deep-dive investigation.”

According to the report, TA505 tried its hand at payloads such as stealing back doors and remote access Trojans following the decline in the popularity of ransomware, likely due to mitigation tactics. However, the illegitimate software is throwing others off the scent and making the group undetectable.

“Tried and tested attack patterns appear to be consistent across these recently observed campaigns and commence with the delivery of phishing emails that have lure document attachments,” says the CyberInt report. “Utilising legitimate logos, language and terminology consistent with common business interactions or the target organization, the email encourages the potential victim to open the lure document attachment which in turn instructs them to disable security controls within Microsoft Office to allow a nefarious macro to be executed.”

The report goes on to say that if the macro, if executed, subsequently attempts to download “malicious payloads from the threat actor’s C2 infrastructure that in most cases also masquerades as, or mimics, legitimate-looking domains such as using names and misspellings related to ‘Cloud’, ‘Microsoft Office 365’ or ‘Security.'”