The cybercriminal group TA505 has reportedly changed up its tactics again, now engaging in phishing campaigns that leverage attachments with HTML redirectors in order to deliver Excel documents containing malware.

Following a short period of inactivity, the group resumed activities last month with a scheme designed to get victims to install the information-stealing Trojan GraceWire, according to experts with the Microsoft Security Intelligence team. The threat actor is known for spreading Dridex, TrickBot and Locky malware, and is widely considered synonymous with the alleged Russian cybercriminal outfit Evil Corp.

Recipients of the phishing emails who opened the HTML redirector would end up downloading “Dudear” – an Excel file that drops the main payload (GraceWire) once the malicious macros were enabled. This is a new tactic for TA505, which previously would simply attach the malware directly or use a malicious URL, Microsoft explained in a series of tweets on Jan. 30. (Microsoft also refers to the entire TA505 operation as Dudear.)

“This is the first time that Dudear is observed using HTML redirectors. The attackers use HTML files in different languages. Notably, they also use an IP traceback service to track the IP addresses of machines that download the malicious Excel file,” one of the tweets stated.

Per BleepingComputer, Proofpoint researcher Kafeine said TA505 began implementing this new technique in mid-January.

In related news, on Jan. 30 researchers at Prevailion published a global snapshot of likely TA505 victims based on “Evidence of Compromise” data they collected between December 2019 and January 2020.

“Our telemetry shows targeting in six continents, spread across a multitude of different sectors and countries,” said a Prevailion company blog post authored by researchers Danny Adamitis and Ian Winslow. “The most impacted geographic area, according to our telemetry, was Europe,” with North America, especially the U.S., the next most affected region, the blog post continues.

Specific victims included at least one U.S.-based electrical company, a U.S. state government network and one of the 25 largest banks in the world. Among industry verticals, educational institutions were most affected, but finance/insurance organizations were also strongly targeted, including what Prevailion described as “an unusually large concentration of malicious domains hitting” French financial companies.