CyberInt Reports: TA505 Threat Actors Strike Again with New Malware
May 2019 by CyberInt
Investigators from CyberInt Research have discovered further activities by the suspected Russian-speaking cybergang TA505. The group has been detected targeting financial institutions in Chile with slightly modified modus operandi following CyberInt’s public exposure of its tactics, techniques and procedures (TTPs).
CyberInt’s Managed Targeted Detection and Mitigation platform detects threats across the digital and organizational environments, integrating internal and external threats to reveal unknown threats and incidents. It’s based on a modular automated platform that prioritizes integrated insights across organizational and digital environments, managed holistically by intelligence analysts to enable immediate and effective response.
TA505 continues to abuse legitimate software as part of its TTPs, this time leveraging the MSI Installer to deploy the AMADAY malware family.
The AMADAY implant allows TA505 to steal email correspondence and sensitive information from its victims, the clients of financial institutions and retailers. It also lets the threat actors harvest contact lists, which they then use to target additional organizations with malicious emails that appear to come from trusted sources.
TA505, which appears to be financially motivated, has been active since 2014, running high-volume malicious email campaigns that distributed the “Dridex” and “Shifu” banking trojans as well as the Neutrino botnet/exploit kit and Locky ransomware. The group reappeared as the source of attacks against the global financial and retail industries from December 2018 to the present, with targets worldwide, including India, Italy, Malawi, Pakistan, South Korea, and the United States.
“TA505 is highly motivated, very clever, and persistent,” says Adi Peretz, Head of Research at CyberInt. “It’s critical to monitor their activities to anticipate further attacks. Once the pattern of attacks in Chile was identified, other financial institutions can beef up their security, so they don’t end up being breached.”
“Social engineering works because it recruits the weakest link in any cybersecurity operation – we humans,” continues Mr. Peretz. “The more prepared companies are, the better they can train their people to maintain security.”
CyberInt previously released a comprehensive report about TA505 activities and modus operandi.