In a campaign targeting German companies, the infamous Russia-linked threat actor known as TA505 has been using legitimate tools in addition to malware, Prevailion reports.
Also referred to as Evil Corp, TA505 is best known for the use of the Dridex Trojan and the Locky ransomware, but has been leveraging numerous other malware families, including BackNet, Cobalt Strike, ServHelper, Bart ransomware, FlawedAmmyy, SDBbot RAT, DoppelPaymer ransomware, and others.
TA505 was previously associated with the Necurs botnet that Microsoft dismantled last week. Necurs was dormant since March last year, and Prevailion pointed out that while Microsoft’s actions likely hampered the group’s operations, “criminal enterprises like these run multifaceted operations at any given time in order to continuously compromise victims across the globe.”
Earlier this year, Prevailion’s security researchers identified a TA505 campaign targeting German companies with fake job application emails, but the attacks appear to have started in June 2019, or even the month before. The emails carried a malicious attachment designed to steal secure credentials and credit card data.
While in 2019 the adversary used commercially available ransomware to encrypt victims’ files, more recent activity employed the commercial remote administration tool NetSupport, hosted on a user’s Google Drive account.
Through the use of legitimate tools that are unlikely to be removed by traditional security software, the attackers can perform a broad range of activities, such as stealing files, capturing screens, and even recording audio.
Analysis of the attacks revealed the use of a trojanized version of a curriculum vitae (CV) to target the human resources department at German-speaking businesses. The observed source email addresses were created through vodafonemail.de.
During the initial phase of the attack, code within the CV file runs a script to fetch additional payloads and fingerprint the victim machine (installed programs, computer name and domain, etc). Next, the script attempts to gather saved credentials from browsers and mail applications, cookies, and credit card data, and kills task hosts and DLL hosts processes.
Stolen credentials are archived and sent to the attackers’ command and control (C&C) server, and then a scheduled task is created to serve as a heartbeat beacon. A BAT file then deletes all traces of the intrusion.
The security researchers discovered that the June 2019 attacks also included a ransomware component and included GPG suite files. The drives on the local machines would be encrypted using a public GPG key, shadow copies on the system deleted, and some of the data would be sent to the email address zalock[@]airmail.cc.
Prevailion also discovered that a similar attack might have been carried out in May 2019 as well, only with some small differences in the type of files used and the email address to which victim data was sent. The activity appears to be aimed at Germany, but could be employed to target victims in any country, the researchers say.
The infrastructure in these attacks overlaps with that used in a set of attacks observed in February 2020, suggesting that the same threat actor is behind both.
The new attacks employ a loader apparently called rekt, which was designed to contact Google Drive to download additional files. The second-stage payload in these attacks was identified as the commercially available remote desktop software NetSupport.
The program provides attackers with the ability to remotely transfer files, geo-locate the infected machines, take screenshots, and capture audio. Since it’s delivered as a signed binary, the software is unlikely to be flagged by antivirus products.
Some of the identified variants of the rekt loader are dated April 2019, and the researchers also discovered samples signed with a digital signature used to sign two FlawwedAmmy Trojans as well, and previously associated with TA505, suggesting that the actor is behind the new attacks.
“[TA505] has achieved a high level of success due to their ability to abuse legitimate binaries for nefarious purposes. Two examples of this are the use of GPG tools to encrypt all the files on a machine; and employing a legitimate remote systems administration tool that already has all the functionality they need, while reducing the risk of being detected,” Prevailion concludes.
Related: Dridex Operators Continue to Target Financial Services, DHS Warns
Related: Dridex Operators Use SDBbot RAT in Recent Attacks