One of the world's most successful cybercriminal groups has altered its tactics and is also distributing a new form of malware as part of its latest campaign, which this time targets bank and financial services employees in the US, the United Arab Emirates and Singapore.
TA505 first emerged in 2014 and has gone on to become one of the most prolific cybercriminal groups, delivering RATs, information stealers and banking trojans to victims around the world.
The group has been responsible for some of the most prolific and malicious cyber campaigns of recent years, including the Dridex banking trojan and Locky ransomware. Much of TA505's success comes from the sheer volume of its attacks, combined with how the group continually updates its payloads.
Now the cybercriminal operation has pivoted its tactics once more, introducing another form of malware to its campaigns as of June – as well as switching to more targeted attacks.
Detailed by cybersecurity researchers at Proofpoint, the AndroMut malware is being deployed as a downloader for other malicious payloads and is described as having similarities in code and behaviour to Andromeda, which as recently as 2017 was one of the largest malware botnets in the world.
It's possible TA505 is using a leaked version of the Andromeda code, or the authors of the botnet could now be providing the group with their services.
TA505 is currently using AndroMut as the first stage in a two-stage attack, which uses the initial infection to drop a second payload onto the compromised machine: the FlawedAmmyy remote access trojan.
This virulent malware allows the attacker to remotely take complete control of the infected Windows machine, providing them with access to files, credentials and more – which in this instance, TA505 is using to infiltrate the networks of banks.
Like other TA505 campaigns, the malware is distributed in phishing emails that claim to contain invoices and other documents purporting to be related to banking and finance.
If users open the Word document, social engineering is used to continue the attack. In one example, they're told that the information is 'protected' and they need to enable editing to see its contents.
By doing this, they enable macros, allowing AndroMut to be delivered to the machine, which in turn downloads FlawedAmmyy and opens the way to full compromise of the target.
It's this which allows the cybercriminals to access the data they can exploit to help make off with large amounts of money in the latest evolution of what's been a highly successful operation for many years.
"TA505's move to primarily distributing RATs and downloaders in much more targeted campaigns than they previously employed with banking Trojans and ransomware suggests a fundamental shift in their tactics. Essentially the group is going after higher quality infections with the potential for longer-term monetization – quality over quantity," Chris Dawson, threat intelligence lead at Proofpoint, told ZDNet.
This latest shift appears to be just the latest example of TA505 following market trends and going where the money is – so it's unlikely this marks a permanent change in strategy.
"What is not clear is the ultimate outcome or endgame of this shift," said Dawson. "TA505 very much follows the money, adapting to global trends and exploring new geographies and payloads to maximize their returns," he added.
Researchers have provided a list of Indicators of Compromise for TA505 phishing documents, AndroMut and FlawedAmmyy in their full analysis of the campaign.