TA505 targets Middle East and South East Asian countries with cyber attacks

TA505 is a group of cyber attackers that has targeted multiple financial institutions and retail companies through malicious spam campaigns and various malware. The group came into the limelight with infamous cyber-attacks including Locky ransomware and Dridex banking trojan attack. Other cyber-attacks associated with the TA505 group include Philadelphia as well as GlobeImposter ransomware families. The group has been found to target countries including India, Japan, the Philippines, South Korea as well as Argentina.

TA505 has been actively using legitimate or compromised remote access trojans such as FlawedAmmyy, Remote Manipulator System (RMS) and FlawedGrace. In its latest campaign, the group has started using HTML attachments for delivering malicious.XLS files that have led to downloader and backdoor FlawedAmmyy which prominently targets users within South Korea.

TA505 uses LOLbins and legitimate Windows OS processes for performing malicious activities and delivering payload without being detected. The group abuses Excel 4.0 macro for evading macro detection. This macro executes a command for downloading the first stage payload through msiexec.exe which is a Microsoft Installer tool that can download as well as run a Windows Installer file.

The first stage payload is an MSI Installer which was created using an EXE to MSI converter. However, the actual malicious payload is present in the MSI Installer package. This payload can vary with each campaign but, typically it uses the:

FlawedAmmyy downloader: The MSI Installer contains a FlawedAmmyy downloader which is always signed. The downloader will check whether the infected machine is running in the Active Directory network. Then it runs the “net group /domain” command and checks whether the “workgroup” is contained in the output result. After performing the check, it downloads RC4-encrypted FlawedAmmyy RAT, then decrypts and executes it as the final payload.

RMS RAT launcher or ServHelper

ServHelper is a backdoor that can also work as a downloader for FlawedGrace. In case the MSI Installer package contains ServHelper as payload, it will come with a Nullsoft Scriptable Install System (NSIS) installer which is a legitimate tool that manages installation for Window. TA505 abuses NSIS for installing ServHelper.

TA505 also uses RMS in their campaigns. If the MSI Installer package contains this RMS RAT as its payload it will include a self-extracting RAR. This SFXRAR extracts three files to %TEMP% , and executes one of the files where exit.exe is a launcher for i.cmd; i.cmd renames kernel.dll to uninstall.exe and then executes it with parameters. TA505 also uses FlowerPippi which is a new backdoor that was being used by the group in their campaigns against targets including India, Japan as well as Argentina.

How does the group deploy cyber-attacks?

TA505 has been using Word document, Excel file or .WIZ files as its attack entry point. The group has also started attaching an HTML link within the emails for tricking users to opening the Excel file. Opening this HTML link redirects the user to malicious URL that hosts malicious Excel file. This means that the group is trying to change entry point’s file type in order to bypass macro detection. The TA505 group attaches malicious file without compression.

Which countries have been affected by these campaigns?

The group has been launching cyber-attack campaigns that have targeted countries across Middle East and South East Asia including United Arab Emirates, Saudi Arabia, India, Japan, the Philippines, South Korea and even countries like Argentina.

Targeting Middle East

TA505 targeted Middle Eastern countries in a campaign that delivered more than 90% of the total spam emails to Saudi Arabia, the UAE and Morroco. The spam emails contained either an .html or .xls file attachment. In another campaign, the group delivered their malware using .doc files along with Excel and HTML files.

Targeting Indian banks

In June itself, the campaign’s spam emails delivered malware-embedded Excel files as an attachment directly. These emails used subject lines such as “Visa Canceled” and “Emirates NBD E-Statement” for manipulating the victims. This campaign used VBA macro for downloading ServHelper loader. The content of the email was in Arabic; however, these spam emails were delivered to Asian banks in countries such as India, the Philippines and Indonesia.

TA505 affects South Asian Countries

The malicious VBA macro downloads an apparently new malware called FlowerPippi and Gelup. The campaign targeted South Korea also used .xls and .doc attachments that were present in the email content. These URLs lead to the download of malicious .xls files or .doc files with the final payload still being the FlawedAmmyy RAT. This gave us the opportunity to observe TA505’s method of using URLs to deliver the entry point malware.

The spam campaigns highlight the importance of securing the online infrastructures, particularly the email gateways for organizations.

Adopt safety practices for messaging-related threats,

Enforce the principle of least privilege for mitigating further exposure,

Update systems for preventing attackers from leveraging security gaps,

Employees play a huge role in securing their organization against such threat actors with tools like TAB. The threat alert button empowers employees with the ability to use their conscience for identifying the nature of the email. In case, the employee finds the email malicious in nature, he can press the Threat Alert Button and report it to the security team.

We are cyber security solutions providing firm, helping a diverse range of industries globally to strengthen and secure the triad of People-Process-Technology.