

07:50 AM
Larry Loeb

TA505 Invades the Middle East

The campaign, detected by Trend Micro, has been identified as coming from threat actor TA505.

Trend Micro found new malware strains targeting countries in the Middle East such as the United Arab Emirates and Saudi Arabia, as well as other countries such as India, Japan, Argentina, the Philippines and South Korea. The campaign has been identified as coming from threat actor TA505.

TA505 achieved infamy with its use of the Dridex banking trojan as well as the Locky ransomware. It is known for targeting financial enterprises. Since last December, TA505 has been very active and has been using legitimate or compromised RATs (remote access trojans) such as FlawedAmmyy, FlawedGrace and Remote Manipulator System (RMS). In its blog post, Trend Micro also analyzed a new malware tool named Gelup, which it saw the group use in one of its campaigns on June 20. Gelup abuses user account control (UAC) bypass and works as a loader for other threats.

Trend Micro also found that TA505 is using a new backdoor called FlowerPippi. Trend saw it in use during TA505's campaigns against targets in Japan, India, and Argentina.

The FlowerPippi backdoor collects and exfiltrates information from victim computers. It can also run arbitrary commands it receives from its command and control (C2) server.

TA505 targeted Middle Eastern countries in a June 11 campaign which delivered more than 90% of the total spam emails to the UAE, Saudi Arabia, and Morocco. The spam emails contained either an .html or .xls file attachment.

Technical details of the new threats can be found in Trend Micro's technical brief on them. Other organizations have seen TA505's traces. Microsoft's Security Intelligence issued an alert roughly two weeks ago about an active spam campaign trying to infect Korean targets with a FlawedAmmyy RAT malware distributed via malicious XLS attachments.

FlawedAmmyy is a remote access trojan payload and is known to be linked to TA505.

Proofpoint has assembled a timeline reflecting TA505's known activities. They have been active since 2014.

Trend Micro issued a report in June that discussed TA505's shifting tactics. Trend says that, "In April, TA505 targeted Latin American countries Chile and Mexico, and even Italy using either FlawedAmmyy RAT or RMS RAT as payload. By the end of April, we learned that the group started to go after targets in East Asian countries such as China, South Korea, and Taiwan using FlawedAmmyy RAT as its payload."

They have also used legitimate Windows OS processes in the performance of their criminal activities and to deliver a payload without being detected. The group notably abuses Excel 4.0 macros, a particularly old macro format that is likely used just to evade typical macro detection.
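Because Excel 4.0 macros live in macro sheets rather than in a VBA project, a mail or file scanner can flag them from the workbook's BOUNDSHEET records. The following is an added example, not code from the article or from Trend Micro; it assumes the `Workbook` stream has already been extracted from the .xls container, and the sample stream is constructed for illustration.

```python
import struct

BOUNDSHEET = 0x0085  # BIFF8 record that declares one sheet of the workbook
SHEET_TYPES = {0x00: "worksheet", 0x01: "excel4-macro", 0x02: "chart", 0x06: "vba-module"}
VISIBILITY = {0: "visible", 1: "hidden", 2: "very-hidden"}

def iter_records(stream):
    """Yield (record_id, payload) pairs from a BIFF8 Workbook stream."""
    pos = 0
    while pos + 4 <= len(stream):
        rec_id, size = struct.unpack_from("<HH", stream, pos)
        payload = stream[pos + 4:pos + 4 + size]
        if len(payload) < size:
            break  # truncated record: stop instead of reading garbage
        yield rec_id, payload
        pos += 4 + size

def list_sheets(stream):
    """Return name, type and visibility for every declared sheet."""
    sheets = []
    for rec_id, data in iter_records(stream):
        if rec_id != BOUNDSHEET or len(data) < 8:
            continue
        # lbPlyPos (4 bytes), hsState, dt, then name length and string flags
        _pos, state, kind, cch, flags = struct.unpack_from("<IBBBB", data, 0)
        raw = data[8:]
        if flags & 1:  # fHighByte set: name stored as UTF-16LE
            name = raw[:cch * 2].decode("utf-16-le", "replace")
        else:
            name = raw[:cch].decode("latin-1")
        sheets.append({"name": name,
                       "type": SHEET_TYPES.get(kind, hex(kind)),
                       "visibility": VISIBILITY.get(state & 0x03, "unknown")})
    return sheets

def xlm_findings(stream):
    """Sheets a scanner should flag: Excel 4.0 macro sheets."""
    return [s for s in list_sheets(stream) if s["type"] == "excel4-macro"]

# Constructed sample stream: BOF, two BOUNDSHEET records, EOF.
def rec(rec_id, payload):
    return struct.pack("<HH", rec_id, len(payload)) + payload

def boundsheet(name, kind, state):
    head = struct.pack("<IBBBB", 0, state, kind, len(name), 0)
    return rec(BOUNDSHEET, head + name.encode("latin-1"))

SAMPLE = (rec(0x0809, b"\x00\x06\x05\x00" + b"\x00" * 12)
          + boundsheet("Sheet1", 0x00, 0) + boundsheet("Macro1", 0x01, 2)
          + rec(0x000A, b""))
```

A macro sheet in an inbound attachment is rare in normal business use, so a hit is a reasonable trigger for quarantine or deeper analysis.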

TA505 is criminal and prolific in their attacks. Their signature is attachments to socially engineered email, so the prevention of their attacks comes down to "Don't click that unknown link."

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
