Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:50 AM
Larry Loeb
Larry Loeb
Larry Loeb

TA505 Invades the Middle East

The campaign, detected by Trend Micro, has been identified as coming from threat actor TA505.

New malware strains were found by Trend Microtargeting countries in the Middle East such as United Arab Emirates and Saudi Arabia, as well as other countries such as India, Japan, Argentina, the Philippines and South Korea. The campaign has been identified as coming from threat actor TA505.

TA505 achieved infamy with its use of the Dridex banking trojan as well as the Locky ransomware. It is known for targeting financial enterprises. Since last December, TA505 has been very active and has been using legitimate or compromised RATs (remote access trojans) such as FlawedAmmyy, FlawedGrace and Remote Manipulator System (RMS). In the blog Trend also analyzed a new malware tool named Gelup, which they saw the group use in one of its campaigns on June 20. Gelup abuses user account control (UAC) bypass and works as a loader for other threats.

Trend Micro also found that TA505 is using a new backdoor called FlowerPippi. Trend saw it in use during TA505's campaigns against targets in Japan, India, and Argentina.

The FlowerPippi backdoor collects and exfiltrates information from victim computers. It can also run arbitrary commands it receives from its command and control (C2) server.

TA505 targeted Middle Eastern countries in a June 11 campaign which delivered more than 90% of the total spam emails to the UAE, Saudi Arabia, and Morroco. The spam emails contained either an .html or .xls file attachment.

Details about the technical efforts of the new threats can be found in Trend Micro's technical brief on them. Other organizations have seen TA505's traces. Microsoft's Security Intelligence issued an alert roughly two weeks ago about an active spam campaign trying to infect Korean targets with a FlawedAmmyy RAT malware distributed via malicious XLS attachments.

The FlawedAmmyy is a remote access trojan payload and is known to be linked to TA505.

Proofpoint has assembled a timeline reflecting TA505's known activities. They have been active since 2014.

Trend Micro issued a report in June that discussed TA505's shifting tactics. Trend says that, "In April, TA505 targeted Latin American countries Chile and Mexico, and even Italy using either FlawedAmmyy RAT or RMS RAT as payload. By the end of April, we learned that the group started to go after targets in East Asian countries such as China, South Korea, and Taiwan using FlawedAmmyy RAT as its payload."

They have also used legitimate Windows OS processes in the performance of their criminal activities and to deliver a payload without being detected. The group notably abuses Excel 4.0 macros, which is a particularly old macro and is likely used just to evade typical macro detection.

TA505 is criminal and prolific in their attacks. Their signature is attachments to socially engineered email, so the prevention of their attacks comes down to "Don't click that unknown link."

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-07-29
Jira Data Center, Jira Core Data Center, Jira Software Data Center from version 6.3.0 before 8.5.16, from 8.6.0 before 8.13.8, from 8.14.0 before 8.17.0 and Jira Service Management Data Center from version 2.0.2 before 4.5.16, from version 4.6.0 before 4.13.8, and from version 4.14.0 before 4.17.0 e...
PUBLISHED: 2021-07-29
Apache jUDDI uses several classes related to Java's Remote Method Invocation (RMI) which (as an extension to UDDI) provides an alternate transport for accessing UDDI services. RMI uses the default Java serialization mechanism to pass parameters in RMI invocations. A remote attacker can send a malic...
PUBLISHED: 2021-07-28
This affects all versions of package curly-bracket-parser. When used as a template library, it does not properly sanitize the user input.
PUBLISHED: 2021-07-28
All versions of package deepmergefn are vulnerable to Prototype Pollution via deepMerge function.
PUBLISHED: 2021-07-28
This affects the package elFinder.AspNet before 1.1.1. The user-controlled file name is not properly sanitized before it is used to create a file system path.