The cybercrime group known as TA505 recently resurfaced with updated tradecraft, using HTML redirectors to deliver malicious Excel documents. Relying on distribution infrastructure such as the Necurs botnet, the group has been widely recognised since 2014 for its adaptable and extensive ransomware, malware, trojan and spam operations. Its sole aim is financial gain, and its targets are predominantly in the financial and retail sectors.
The real issue is that TA505 uses localised HTML files in different languages, so its targets can be anywhere in the world, in any region and in any vertical. This customisation means attacks have been observed globally, with particular emphasis on Singapore, the UAE and the US.
Given the scale of its targeting, TA505 has played a significant part in spreading particular malware families, including GlobeImposter ransomware and the FlawedAmmyy RAT. The group went quiet for a period, but TA505 is now back to distributing Remote Access Trojans (RATs), malware downloaders and ransomware onto victims' systems.
How does it work?
After the victim opens the malicious HTML attachment, it redirects to and downloads a malicious Excel file, which drops the payload onto the victim's machine. Upon execution, that payload installs the GraceWire trojan on the infected device. The attackers also use an IP traceback service, which lets them record the IP addresses of the machines that download their malicious Excel file; this technique had not been seen from such threat actors before.
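The chain above has two stages an analyst can triage before anything executes: an HTML file that navigates somewhere without a click, and an Excel document able to run code. The following script is an added example (not Si Consult's, Microsoft's or TA505's code) that pulls redirect targets out of an HTML attachment, flags those pointing at Excel downloads, and checks an OOXML workbook for an embedded VBA project. The sample lure, the `files.example.invalid` URL and the in-memory workbook are constructed for illustration, not real indicators; treating the Excel stage as macro-driven is an assumption of the example.

```python
"""Triage helpers for an HTML-redirector -> Excel -> payload delivery chain.

Added example, not code from the original advisory. The sample HTML, the
URL and the workbook skeleton below are constructed and carry no real IOCs.
"""
import io
import re
import zipfile
from urllib.parse import urlparse

# Assumption: any Excel download reached via an automatic redirect is worth a look.
EXCEL_EXTENSIONS = (".xls", ".xlsx", ".xlsm", ".xlsb", ".xlam")

# Redirect mechanisms a lure page can use without a user click.
_META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
    r'content\s*=\s*["\']\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)',
    re.IGNORECASE)
_JS_LOCATION = re.compile(
    r'(?:window\.|document\.|self\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE)
_JS_REPLACE = re.compile(
    r'location\.(?:replace|assign)\s*\(\s*["\']([^"\']+)["\']\s*\)', re.IGNORECASE)


def extract_redirects(html: str) -> list[str]:
    """Return every URL the page would navigate to automatically."""
    found = []
    for pattern in (_META_REFRESH, _JS_LOCATION, _JS_REPLACE):
        found.extend(m.group(1) for m in pattern.finditer(html))
    return found


def is_excel_url(url: str) -> bool:
    """True if the URL path (query string ignored) names an Excel file."""
    return urlparse(url).path.lower().endswith(EXCEL_EXTENSIONS)


def triage_html(html: str) -> dict:
    """Classify an HTML attachment: does it redirect, and to an Excel file?"""
    redirects = extract_redirects(html)
    excel = [u for u in redirects if is_excel_url(u)]
    return {"redirects": redirects, "excel_targets": excel, "suspicious": bool(excel)}


def has_vba_project(workbook_bytes: bytes) -> bool:
    """OOXML workbooks keep VBA in xl/vbaProject.bin inside the zip container.

    Its presence means the file can run a macro. Legacy OLE2 .xls files are
    not a zip and are reported as False here; they need a separate parser.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(workbook_bytes)) as zf:
            return any(name.lower() == "xl/vbaproject.bin" for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


# Constructed lure: a meta refresh plus a JavaScript fallback, both to a .xlsm.
SAMPLE_LURE = """<html><head>
<meta http-equiv="refresh" content="0; url=https://files.example.invalid/invoice_1092.xlsm">
</head><body>
<script>window.location.href = "https://files.example.invalid/invoice_1092.xlsm";</script>
<p>Loading your invoice...</p>
</body></html>"""


def build_sample_workbook(with_macro: bool) -> bytes:
    """Constructed workbook skeleton with only the parts the check inspects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_html(SAMPLE_LURE))
    print(has_vba_project(build_sample_workbook(True)),
          has_vba_project(build_sample_workbook(False)))
```

Run it over quarantined mail attachments rather than live downloads: the point is to decide, offline, whether an HTML file is a redirector and whether the document it points to can execute code, without ever fetching the second stage from the attacker's server (which would also feed their IP traceback).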
For additional reading, see what Microsoft Security Intelligence said about the threat in a series of tweets.
Si Consult’s Recommendations
- Keep applications and operating systems running at the current released patch level.
- Update your anti-virus solutions with the latest virus definitions.
- Check for pirated software, uninstall it and scan systems with the latest virus definitions.
- Avoid handling files from untrusted sources.
For more information, support or advice about the threat, contact the team today.