The cybercriminal threat group TA505 is a key suspect in an ongoing phishing campaign that’s been attempting to infect victims with the FlawedAmmyy and Remote Manipulator (RMS) remote access trojans.

Dubbed Pied Piper, the campaign was observed targeting a supplier to several well-known food chains, including Godiva Chocolates, Yogurtland and Pinkberry, according to a Nov. 29 blog post from Michael Gorelik, CTO and vice president of research and development at Morphisec, whose researchers uncovered the threat. “We can only assume others could also be hit soon, if the C&C servers aren’t disabled,” Gorelik said in the report.

Known to specialize in banking malware and ransomware, TA505 has recently displayed a growing interest in RAT malware, as evidenced by a similar report this month from Proofpoint, which linked TA505 to a a newly discovered remote access trojan nicknamed tRAT.

Much like TA505’s tRAT campaign and other recent phishing campaigns featuring the Ammyy Admin RAT, the Pier Piper operation distributes Microsoft Office documents as attachments and attempts to trick victims into enabling malicious macros that execute the infection chain. In this case, the Microsoft Publisher (.pub) attachments were typically disguised as business invoices.

Once enabled, the macro installs a scheduled task that executes the next stage — a tactic designed to subvert AV protections. The task then executes a PowerShell command that downloads an MSI installer containing an downloader in the form of an executable file named MYEXE. This downloader searches infected machines for AV solutions, and then downloads the main payload as a temp file.

An investigation into the RATs’ signed certificates ultimately revealed that the same actor “has been pushing RMS RAT for more then a month and other remote access trojans for a couple of years,” Gorelik said in the post.

In the course of their analysis, Morphisec researchers also found traces of documents from a different attack from two weeks earlier that targeted users in Spain and other unnamed countries. In this attack, the images in the documents were specifically tailored to the target’s language.

According to Gorelik, FlawedAmmyy gives attackers “full access to the victim’s PC, allowing them to steal files, credentials, collect screengrabs and access the camera and microphone. Attackers can also move laterally through the network, serving as a potential entry point for a major supply chain attack.” 

In a Nov. 30 update, Morphisec referenced a second attack linked to the same actor and C&C server.