The cybercriminal group TA505 has reportedly changed up its tactics again, now engaging in phishing campaigns that leverage attachments with HTML redirectors in order to deliver Excel documents containing malware.

Following a short period of inactivity, the group resumed activities last month with a scheme designed to get victims to install the information-stealing Trojan GraceWire, according to the Microsoft Security Intelligence team. The threat actor is known for spreading Dridex, TrickBot and Locky malware, and is widely considered synonymous with the alleged Russian cybercriminal outfit Evil Corp.

Recipients of the phishing emails who opened the HTML redirector would end up downloading "Dudear," an Excel file that drops the main payload (GraceWire) once the malicious macros are enabled. This is a new tactic for TA505, which previously would either attach the malware directly or send a malicious URL, Microsoft explained in a series of tweets on Jan. 30. (Microsoft also uses Dudear as the name for the TA505 operation as a whole.)
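The delivery chain above starts with an HTML attachment whose only job is to send the recipient somewhere else. The scanner below, an added example that is not code from the article or from Microsoft's researchers, shows how a mail gateway or triage script can flag that behaviour: it parses an attachment for a meta refresh, a JavaScript change of the top-level location (in a script body or an inline event handler), or simply the presence of script, which a document-style attachment has no reason to contain, and extracts the destination URL for blocking or pivoting in mail logs. The two sample attachments and the host name are constructed for this example and are not real TA505 artifacts.

```python
"""Flag HTML e-mail attachments that behave as redirectors.

Added example, not code from the original article or from Microsoft.
Detects: <meta http-equiv="refresh">, JavaScript location changes in
<script> bodies or on*= handlers, and any <script> at all.
The sample attachments at the bottom are constructed; hosts are not real.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List

# JavaScript navigation: location = "..", location.href = "..",
# location.replace(".."), location.assign(".."), with an optional
# window./document./top./self. prefix.  Only quoted literal targets are
# extracted; obfuscated or computed targets still trip the script rule.
_JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location
        (?:\.href|\.replace|\.assign)?\s*(?:=|\()\s*["']([^"']+)["']""",
    re.IGNORECASE | re.VERBOSE,
)
# <meta http-equiv="refresh" content="0; url=https://..."> -> the URL part
_META_URL = re.compile(r"""url\s*=\s*['"]?([^'"\s;]+)""", re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # "meta-refresh", "js-redirect" or "script"
    target: str  # destination URL, or "" when none could be extracted


class RedirectScanner(HTMLParser):
    """Collect redirect indicators while parsing an HTML attachment."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Finding] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # html.parser lowercases names
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = _META_URL.search(a.get("content", ""))
            self.findings.append(Finding("meta-refresh", m.group(1) if m else ""))
        elif tag == "script":
            self._in_script = True
            self.findings.append(Finding("script", ""))
        # Inline event handlers (onload=, onerror=, ...) can redirect too.
        for name, value in a.items():
            if name.startswith("on"):
                self._scan_js(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # html.parser hands script bodies to handle_data
            self._scan_js(data)

    def _scan_js(self, code: str) -> None:
        for m in _JS_REDIRECT.finditer(code):
            self.findings.append(Finding("js-redirect", m.group(1)))


def scan_html(html: str) -> List[Finding]:
    scanner = RedirectScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def is_redirector(html: str) -> bool:
    """True when the attachment has any redirect primitive or any script."""
    return bool(scan_html(html))


def redirect_targets(html: str) -> List[str]:
    """Unique destination URLs, for blocking or for pivoting in mail logs."""
    return sorted({f.target for f in scan_html(html) if f.target})


# Constructed samples (not real TA505 artifacts; ".invalid" is a reserved TLD).
BENIGN_HTML = "<html><body><p>Your statement is attached as a PDF.</p></body></html>"
REDIRECT_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=https://files.example.invalid/invoice.xls">
</head>
<body onload="window.location.replace('https://files.example.invalid/invoice.xls')">
<script>document.location.href = "https://files.example.invalid/invoice.xls";</script>
</body></html>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("redirector", REDIRECT_HTML)):
        print(label, is_redirector(doc), redirect_targets(doc))
```

The script-presence rule is deliberate: a redirector that builds its URL at runtime or hides it behind string obfuscation will not match the literal-URL regex, but it still needs a script tag to run, so any script in a mail attachment is enough to quarantine it for review. Note that this catches only the first hop; the Excel file it fetches still needs its own macro analysis.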
