Threat Management, Malware, Phishing

TA505 phishing campaign uses HTML redirectors to spread info stealer

The cybercriminal group TA505 has reportedly changed up its tactics again, now engaging in phishing campaigns that leverage attachments with HTML redirectors in order to deliver Excel documents containing malware.

Following a short period of inactivity, the group, resumed activities last month with a scheme designed to get victims to install the information-stealing Trojan GraceWire, according to experts with the Microsoft Security Intelligence team. The threat actor is known for spreading Dridex, TrickBot and Locky malware, and is widely considered synonymous with the alleged Russian cybercriminal outfit Evil Corp.

Recipients of the phishing emails who opened the HTML redirector would end up downloading "Dudear" – an Excel file that drops the main payload (GraceWire) once the malicious macros was enabled. This is a new tactic for TA505, which previously would simply directly attach the malware to use a malicious URL, Microsoft explained in a series of tweets on Jan. 30. (Microsoft also refers to the entire TA505 operation as Dudear as well.)

"This is the first time that Dudear is observed using HTML redirectors. The attackers use HTML files in different languages. Notably, they also use an IP traceback service to track the IP addresses of machines that download the malicious Excel file," one of the tweets stated.

Per BleepingComputer, Proofpoint researcher Kafeine said TA505 began implementing this new technique in mid-January.

In related news, on Jan. 30 researchers at Prevailion published a global snapshot of likely TA505 victims based on "Evidence of Compromise" data they collected between December 2019 and January 2020.

"Our telemetry shows targeting in six continents, spread across a multitude of different sectors and countries," said a Prevailion company blog post authored by researchers Danny Adamitis and Ian Winslow. "The most impacted geographic area, according to our telemetry, was Europe," with North America -- especially the U.S. – the next most affected region, the blog post continues.

Specific victims included at least one U.S. based electrical company, a U.S. state government network and one of the 25 largest banks in the world. Among industry verticals, educational institutions were most affected, but finance/insurance organizations were also strongly targeted, including what Prevailion described as "an unusually large concentration of malicious domains hitting" French financial companies.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.