The cybercriminal group TA505 has developed a new downloader tool and remote access trojan (RAT), both of which were observed in a sequence of phishing campaigns that began this past September.
The downloader, named Get2, has been used in campaigns to deliver a variety of secondary payloads, including the FlawedGrace and FlawedAmmyy RATs and Snatch ransomware. A fourth payload is a new RAT dubbed SDBbot, whose command-based capabilities include remote desktop access; file system access; downloading, injecting and loading attacker-controlled files; capturing video and screenshots; reading, writing and deleting files; and retrieving driver information and directory listings.
Researchers at Proofpoint discovered the new pair of malware programs, describing them and their associated campaigns in a company blog post today. Proofpoint has extensively tracked the TA505 group, which historically is best known for targeting victims with the Dridex banking trojan and Locky ransomware.
The first campaign, which commenced Sept. 9, focused on financial institutions in Greece, Singapore, United Arab Emirates, Georgia, Sweden, Lithuania and other countries. The attackers spammed their targets with tens of thousands of emails featuring malicious Excel attachments and lures written in English and Greek. This was followed by a Sept. 20 campaign that used English and French lures and Excel attachments to target companies in the U.S. and Canada.
A third campaign, launched on Oct. 7, limited its targeting to just U.S. companies, and relied solely on English language lures. Instead of using Excel files, the phishing emails contained URL shortener links that redirected victims to a landing page with its own link to a malicious Excel sheet.
All three campaigns resulted in the execution of Get2, which is embedded into Excel files as an object, in the form of an image icon, before it is extracted by the malicious macro. According to Proofpoint, Get2 “collects basic system information and sends it via an HTTP POST request to a hardcoded command-and-control… server. The C&C response data is pipe-delimited and each section contains a payload URL and an optional argument delimited by a semicolon.”
The second campaign was confirmed to deliver FlawedGrace as the main payload, while the third was confirmed to deliver SDBbot as the main payload. SDBbot, like Get2, is written in the C++ programming language. It consists of three components: an installer, a loader, and the RAT itself.
“With this recently observed… push by TA505 with attacks on a wide range of verticals and regions, the actor’s usual ‘follow the money’ behavioral pattern remains consistent,” Proofpoint concludes in its blog post. “TA505 continues to focus on targeting financial institutions alternating with more widely-targeted campaigns going after other verticals.”