Hacking group returns, switches attacks from ransomware to trojan malware

TA505 used to spam out ransomware - now it's returned with a focus on data-stealing remote access trojan malware attacks.

A prolific hacking group has returned with a new campaign which looks to deliver a new remote access trojan (RAT) to victims in order to create a backdoor into PCs to steal credentials and banking information.

The campaign is suspected to be the work of TA505, a well-resourced hacking group which has been active since at least 2014. The group has launched some of the largest cyber attack campaigns of recent years, with victims targeted with the Dridex banking trojan, Locky ransomware, Jaff ransomware and more.

Many of these campaigns have been launched with the aid of the Necurs botnet, one of the largest spam generators used by cyber criminals.

Now TA505 is running a new campaign, which has been detailed by researchers at security company Proofpoint. In line with a change of focus by other cyber criminal groups, TA505 has shifted away from ransomware and banking trojans and now appears to focus on RATs -- including one which has only recently appeared and had only been used twice before. In both previous cases, the attackers remain unidentified.

Dubbed tRat by researchers, the malware is predominantly targeting financial institutions and is being distributed with the aim of grabbing credentials, financial data, and other information that would be useful to cyber criminal operations. Researchers also warn that it could have other capabilities that haven't been put into operation yet.

The malware campaign was first detected in late September, with phishing emails offering its targets secure files that need to be opened. If the user opens the attachment, the Word document claims to be protected by security firm Symantec and asks the user to enable macros to see the supposed secure files.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

"It is increasingly common for threat actors to include security brands as part of their social engineering. Stating that a document is "protected" by a security vendor plays into their ability to trick recipients into enabling macros that ultimately install malware payloads," Chris Dawson, threat intelligence lead at Proofpoint told ZDNet.

An updated version of the campaign spotted in October is slightly more sophisticated, using a variety of subject lines relating to invoices, with a variety of different accounts sending messages claiming to be from equipment and logistics firms.

In these cases, a Word document asks users to 'enable content' to view what's in it -- if this is done, the trojan is installed, ready to steal data from the victim. The campaign isn't currently active but researchers believe the activity in October could be a dry run for a fully fledged campaign in the near future.

"This appears to be a test campaign with thousands of messages, primarily being sent to users at commercial banking institutions," said Dawson.

TA505's shift towards trojans seems to suggest a change in tactics for the group, which initially focused on short-term profit, but now appears to be playing a longer game.

"The group's continued testing and adoption of RATs and information stealers has reflected broader moves away from highly destructive malware like ransomware to stealthier, persistent malware that TA505 and other actors can monetize over the long term," said Dawson.

Proofpoint has provided information on Indicators of Compromise (IOCs) in their post about the malware.

READ MORE ON CYBER CRIME