Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Russian TA505 threat actor target financial entities worldwide

Russian financially motivated threat actor TA505 used remote access Trojans (RATs) in attacks on financial entities in the United States and worldwide. Security experts at CyberInt uncovered a new campaign of a Russian financially motivated threat actor tracked as TA505. The hackers used remote access Trojans (RATs) in attacks aimed at financial entities in the […]

TA505

Russian financially motivated threat actor TA505 used remote access Trojans (RATs) in attacks on financial entities in the United States and worldwide.

Security experts at CyberInt uncovered a new campaign of a Russian financially motivated threat actor tracked as TA505. The hackers used remote access Trojans (RATs) in attacks aimed at financial entities in the United States and worldwide.

“CyberInt researchers have been tracking various activities following the spear-phishing campaign targeting large US-based retailers detected in December 2018.” reads the analysis published by Cyberint. “The research focused on scenarios with the same tactics, techniques and procedures (TTP) along with the repeated nefarious use of a ‘legitimate’ remote administration tool ‘Remote Manipulator System’ (RMS), developed by a Russianbased company ‘TektonIT’.”

The TA505 group was first spotted by Proofpoint back 2017, it has been active at least since 2015 and targets organizations in financial and retail industries.

The group carried out a large number of campaigns using weaponized Office and PDF documents to deliver notorious malware, including 
the Dridex banking trojantRAT RAT, FlawedAmmy RAT, 
Philadelphia ransomware, GlobeImposter and Locky ransomware.

Tracked by the research community as TA505, the Russian threat group is known for the use of banking Trojans such as Shifu and Dridex, as well as for the massive Locky ransomware campaigns observed several years ago.

In recent attacks the experts observed the group using new backdoors, including the modular tRat and ServHelper.

In campaigns carried out between December 2018 and February 2019, the TA505 group leveraged the Remote Manipulator System (RMS) backdoor to target financial institutions in Chile, India, Italy, Malawi, Pakistan and South Korea, and retailers in the United States.

In December 2018 also targeted large US retailers and organizations in the food and beverage industry with spear-phishing attacks. The phishing messages used a weaponized Word document containing a Visual Basic for Applications (VBA) macr. The macro downloads a payload from the command and control (C&C) server, the last stage of the attack chain is the RMS RAT.

The investigation conducted by the researchers allowed them to uncover other campaigns conducted between December 2018 and March 2019.

Hackers hit targets in many countries worldwide, including Chile, India, Italy, Malawi, Pakistan and South Korea. Researchers believe that other attacks against targets in China, Great Britain, France and the United States could be attributed to the same threat actor.

The weaponized documents used in the attacks leverage Microsoft Windows Installer to fetch a payload from the C2 and execute it.

“This behaviour is consistent with other TA505 campaigns utilising a combination of weaponised Microsoft Office files containing either VBA macros or exploit code to spawn additional processes.” continues the analysis published by Cyberint. “Of the spreadsheet lures analysed in this campaign, four different C2 servers and payloads were identified, with each likely being unique to a specific target organization or victim cluster.”

Experts also observed the attackers using the ServHelper RAT since November 2018, it allows them to set up reverse SSH tunnels for remote access to the compromised machine via RDP.

TA505

The report states that indicators of compromise identified in the campaigns against the US retail campaign are consistent with an attack against the Notary Chamber of Ukraine conducted by the same threat actor in December 2018.

At the time, the threat actor was delivering the RMS Trojan in spear-phishing attack.

Further technical details on the attacks are included in the report published by Cyberint.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, VSDC)

[adrotate banner=”5″]

[adrotate banner=”13″]