Russian financially motivated threat actor TA505 used remote access Trojans (RATs) in attacks on financial entities in the United States and worldwide.

Security experts at CyberInt uncovered a new campaign of a Russian financially motivated threat actor tracked as TA505. The hackers used remote access Trojans (RATs) in attacks aimed at financial entities in the United States and worldwide.

“CyberInt researchers have been tracking various activities following the spear-phishing campaign targeting large US-based retailers detected in December 2018.” reads the analysis published by Cyberint. “The research focused on scenarios with the same tactics, techniques and procedures (TTP) along with the repeated nefarious use of a ‘legitimate’ remote administration tool ‘Remote Manipulator System’ (RMS), developed by a Russianbased company ‘TektonIT’.”

The TA505 group was first spotted by Proofpoint back 2017, it has been active at least since 2015 and targets organizations in financial and retail industries.

The group carried out a large number of campaigns using weaponized Office and PDF documents to deliver notorious malware, including

the Dridex banking trojan, tRAT RAT, FlawedAmmy RAT,

Philadelphia ransomware, GlobeImposter and Locky ransomware.

Tracked by the research community as TA505, the Russian threat group is known for the use of banking Trojans such as Shifu and Dridex, as well as for the massive Locky ransomware campaigns observed several years ago.

In recent attacks the experts observed the group using new backdoors, including the modular tRat and ServHelper.

In campaigns carried out between December 2018 and February 2019, the TA505 group leveraged the Remote Manipulator System (RMS) backdoor to target financial institutions in Chile, India, Italy, Malawi, Pakistan and South Korea, and retailers in the United States.

In December 2018 also targeted large US retailers and organizations in the food and beverage industry with spear-phishing attacks. The phishing messages used a weaponized Word document containing a Visual Basic for Applications (VBA) macr . The macro downloads a payload from the command and control (C&C) server, the last stage of the attack chain is the RMS RAT.

The investigation conducted by the researchers allowed them to uncover other campaigns conducted between December 2018 and March 2019.

Hackers hit targets in many countries worldwide, including Chile, India, Italy, Malawi, Pakistan and South Korea. Researchers believe that other attacks against targets in China, Great Britain, France and the United States could be attributed to the same threat actor.

The weaponized documents used in the attacks leverage Microsoft Windows Installer to fetch a payload from the C2 and execute it.

“This behaviour is consistent with other TA505 campaigns utilising a combination of weaponised Microsoft Office files containing either VBA macros or exploit code to spawn additional processes.” continues the analysis published by Cyberint. “Of the spreadsheet lures analysed in this campaign, four different C2 servers and payloads were identified, with each likely being unique to a specific target organization or victim cluster.”

Experts also observed the attackers using the ServHelper RAT since November 2018, it allows them to set up reverse SSH tunnels for remote access to the compromised machine via RDP.

The report states that indicators of compromise identified in the campaigns against the US retail campaign are consistent with an attack against the Notary Chamber of Ukraine conducted by the same threat actor in December 2018.

At the time, the threat actor was delivering the RMS Trojan in spear-phishing attack.

Further technical details on the attacks are included in the report published by Cyberint.

Pierluigi Paganini

(SecurityAffairs – hacking, VSDC)