TA505 Invades the Middle East

  /     /     /  
Publicated : 23/11/2024   Category : security


TA505 Invades the Middle East


The campaign, detected by Trend Micro, has been identified as coming from threat actor TA505.



New malware strains
were found by Trend Micro
targeting countries in the Middle East such as United Arab Emirates and Saudi Arabia, as well as other countries such as India, Japan, Argentina, the Philippines and South Korea. The campaign has been identified as coming from threat actor TA505.
TA505 achieved infamy with its use of the Dridex banking trojan as well as the Locky ransomware. It is known for targeting financial enterprises. Since last December, TA505 has been very active and has been using legitimate or compromised RATs (remote access trojans) such as FlawedAmmyy, FlawedGrace and Remote Manipulator System (RMS). In the blog Trend also analyzed a new malware tool named Gelup, which they saw the group use in one of its campaigns on June 20. Gelup abuses user account control (UAC) bypass and works as a loader for other threats.
Trend Micro also found that TA505 is using a new backdoor called FlowerPippi. Trend saw it in use during TA505s campaigns against targets in Japan, India, and Argentina.
The FlowerPippi backdoor collects and exfiltrates information from victim computers. It can also run arbitrary commands it receives from its command and control (C2) server.
TA505 targeted Middle Eastern countries in a June 11 campaign which delivered more than 90% of the total spam emails to the UAE, Saudi Arabia, and Morroco. The spam emails contained either an .html or .xls file attachment.
Details about the technical efforts of the new threats can be found in Trend Micros
technical brief
on them. Other organizations have seen TA505s traces. Microsofts Security Intelligence issued an alert roughly two weeks ago about an active spam campaign trying to infect Korean targets with a FlawedAmmyy RAT malware distributed via malicious XLS attachments.
The FlawedAmmyy is a remote access trojan payload and is known to be linked to TA505.
Proofpoint has
assembled a timeline
reflecting TA505s known activities. They have been active since 2014.
Trend Micro
issued a report
in June that discussed TA505s shifting tactics. Trend says that, In April, TA505 targeted Latin American countries Chile and Mexico, and even Italy using either FlawedAmmyy RAT or RMS RAT as payload. By the end of April, we learned that the group started to go after targets in East Asian countries such as China, South Korea, and Taiwan using FlawedAmmyy RAT as its payload.
They have also used legitimate Windows OS processes in the performance of their criminal activities and to deliver a payload without being detected. The group notably abuses Excel 4.0 macros, which is a particularly old macro and is likely used just to evade typical macro detection.
TA505 is criminal and prolific in their attacks. Their signature is attachments to socially engineered email, so the prevention of their attacks comes down to Dont click that unknown link.
— Larry Loeb has written for many of the last centurys major dead tree computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Last News

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
TA505 Invades the Middle East