Details have been released regarding the activities of the financially motivated threat group TA505, also known as Dudear, GOLD TAHOE, GRACEFUL SPIDER, and Sector J04, which has been identified as targeting multiple industries worldwide. These threat actors have been observed targeting industries such as Finance, Automotive, Healthcare, and Government, among others, across several countries since 2018, with identified victims located in the United States, Serbia, Italy, Japan, Taiwan, Germany, Turkey, Chile, South Korea, Singapore, Mexico, and India, among others.
Between 2014 and 2017, the threat actors were observed by the French Computer Emergency Response Team (CERT-FR) to have distributed phishing emails which contained malicious attachments and embedded malware such as the Dridex, Trickbot, and Locky malware variants. In 2018, the threat actors were observed to be almost exclusively using the Necurs botnet to distribute phishing emails that contained malicious attachments with embedded backdoors. Some of the identified phishing emails were also found to have been distributed through machines that were infected by Amadey malware.
In 2019 and 2020, TA505 was observed to have modified and stabilized their social engineering techniques. The threat actors were observed sending emails with an attached HTML page that contained malicious JavaScript code. The malicious code redirected the victims, via a compromised machine controlled by the intrusion set, to a compromised website that mimicked legitimate website pages, such as OneDrive, Dropbox, or Naver. The victim was then enticed to download, open, and enable VBA macros for an Office document containing a malicious payload that could compromise the victim's machine.
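The two attachment types in this lure chain (an HTML page carrying a JavaScript redirect, and an Office document carrying a VBA project) can be triaged with simple structural checks. The following Python is an added example for mail-gateway or sandbox triage, not code from the original report or from Nuspire; the sample HTML, the placeholder URL, and the minimal Office-style zip are all constructed here for illustration.

```python
import io
import re
import zipfile

# Constructed sample HTML attachment shaped like the lure described above;
# not a real TA505 artefact. The URL is a placeholder.
SAMPLE_LURE_HTML = """<html><body><p>Your file is ready.</p>
<script>window.location.href = "http://redirect.example.invalid/onedrive/share";</script>
</body></html>"""

# Heuristics for a script-driven redirect inside an attached HTML page.
REDIRECT_PATTERNS = {
    "js_location_assign": re.compile(r"(?:window\.|document\.)?location(?:\.href)?\s*=", re.I),
    "js_location_replace": re.compile(r"location\.(?:replace|assign)\s*\(", re.I),
    "meta_refresh": re.compile(r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I),
}
# Brands the report says the landing sites mimicked; a mention alongside a
# redirect is a secondary indicator, never a verdict on its own.
LURE_BRANDS = ("onedrive", "dropbox", "naver")


def html_attachment_indicators(html: str) -> list:
    """Return the names of redirect/lure heuristics matched by an HTML attachment."""
    hits = [name for name, rx in REDIRECT_PATTERNS.items() if rx.search(html)]
    if hits:  # only count brand mentions when a redirect is actually present
        hits += ["brand:" + b for b in LURE_BRANDS if b in html.lower()]
    return hits


def ooxml_has_vba(data: bytes) -> bool:
    """True if an Office Open XML container (docx/docm/xlsm/...) carries a VBA project."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False  # legacy OLE formats or non-Office data need a different parser
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())


def build_sample_document(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like zip for testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00constructed-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(html_attachment_indicators(SAMPLE_LURE_HTML))  # ['js_location_assign', 'brand:onedrive']
    print(ooxml_has_vba(build_sample_document(True)))     # True
```

Either indicator alone is a triage signal for detonation or quarantine, not proof of malice; many legitimate documents carry macros and many benign pages use meta refresh.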
According to the CERT-FR report, TA505 has a variety of malware that could be used during the initial stage of their attacks, such as Quant Loader, Marap, Amadey, and AndroMut. The group has also been identified using the Get2 malware variant; however, it appears that Get2 was often used in stage one of the attack to perform reconnaissance on the infected machine and send the gathered information to the attacker-controlled server. Once the stage one attack was successful, the group used botnets to deploy malware variants such as FlawedAmmyy, tRat, ServHelper, FlawedGrace, FlowerPippi, and SDBbot. Once that malware was installed, the threat actors would attempt to move laterally within the compromised network and elevate their privileges, with the end goal being the deployment of the Locky ransomware.
According to the report, there are similarities between the TA505 and FIN7 threat groups. The two groups share commonalities such as IP addresses, the use of the FlawedAmmyy, Cobalt Strike, and TinyMet malware variants, and the same methods for compromising targeted systems. Additionally, TA505 was linked to other threat groups, such as Lazarus and Silence, in some operations that targeted the financial industry.
Nuspire recommends that organizations perform the following actions:
– Provide phishing and social engineering awareness training to all employees, especially in the context of macro-based Office documents
– Deploy and monitor next-gen antivirus with heuristics and behavioral analysis to complement signatures
– Perform threat hunting using the MITRE ATT&CK framework and malware campaign IOCs