07:50 AM
Larry Loeb

TA505 Invades the Middle East

The campaign, detected by Trend Micro, has been identified as coming from threat actor TA505.

New malware strains were found by Trend Micro targeting countries in the Middle East such as the United Arab Emirates and Saudi Arabia, as well as other countries such as India, Japan, Argentina, the Philippines and South Korea. The campaign has been identified as coming from threat actor TA505.

TA505 achieved infamy with its use of the Dridex banking trojan as well as the Locky ransomware. It is known for targeting financial enterprises. Since last December, TA505 has been very active and has been using legitimate or compromised RATs (remote access trojans) such as FlawedAmmyy, FlawedGrace and Remote Manipulator System (RMS). In the blog Trend also analyzed a new malware tool named Gelup, which they saw the group use in one of its campaigns on June 20. Gelup abuses user account control (UAC) bypass and works as a loader for other threats.

Trend Micro also found that TA505 is using a new backdoor called FlowerPippi. Trend saw it in use during TA505's campaigns against targets in Japan, India, and Argentina.

The FlowerPippi backdoor collects and exfiltrates information from victim computers. It can also run arbitrary commands it receives from its command and control (C2) server.

TA505 targeted Middle Eastern countries in a June 11 campaign which delivered more than 90% of the total spam emails to the UAE, Saudi Arabia, and Morocco. The spam emails contained either an .html or .xls file attachment.

Details about the technical efforts of the new threats can be found in Trend Micro's technical brief on them. Other organizations have seen TA505's traces. Microsoft's Security Intelligence issued an alert roughly two weeks ago about an active spam campaign trying to infect Korean targets with a FlawedAmmyy RAT malware distributed via malicious XLS attachments.

FlawedAmmyy is a remote access trojan payload and is known to be linked to TA505.

Proofpoint has assembled a timeline reflecting TA505's known activities. They have been active since 2014.

Trend Micro issued a report in June that discussed TA505's shifting tactics. Trend says that, "In April, TA505 targeted Latin American countries Chile and Mexico, and even Italy using either FlawedAmmyy RAT or RMS RAT as payload. By the end of April, we learned that the group started to go after targets in East Asian countries such as China, South Korea, and Taiwan using FlawedAmmyy RAT as its payload."

They have also used legitimate Windows OS processes in the performance of their criminal activities and to deliver a payload without being detected. The group notably abuses Excel 4.0 macros, a particularly old macro format that is likely used just to evade typical macro detection.
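A defender-side check for the Excel 4.0 macro technique mentioned above, as an added example that is not from the article or from Trend Micro: it walks the BIFF8 record stream of a legacy .xls workbook and reports sheets declared as Excel 4.0 macro sheets, with their visibility. It assumes the `Workbook` stream bytes have already been extracted from the OLE container; the sample bytes and helper names are constructed for illustration.

```python
import struct

BOUNDSHEET, EOF = 0x0085, 0x000A   # BIFF8 record types
SHEET_TYPES = {0x00: "worksheet", 0x01: "xlm-macro-sheet",
               0x02: "chart", 0x06: "vba-module"}
VISIBILITY = {0: "visible", 1: "hidden", 2: "very-hidden"}

def iter_records(stream):
    """Yield (type, payload) for each BIFF record; stop on truncation."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, pos)
        payload = stream[pos + 4:pos + 4 + rlen]
        if len(payload) < rlen:
            return
        yield rtype, payload
        pos += 4 + rlen

def list_sheets(stream):
    """Parse BOUNDSHEET records in the workbook globals substream."""
    sheets = []
    for rtype, payload in iter_records(stream):
        if rtype == EOF:          # end of globals; sheet substreams follow
            break
        if rtype != BOUNDSHEET or len(payload) < 8:
            continue
        # Layout: 4-byte stream offset, visibility, sheet type, name length, flags
        state, dt, cch, flags = payload[4:8]
        wide = flags & 0x01       # 1 = UTF-16LE name, 0 = one byte per char
        raw = payload[8:8 + cch * (2 if wide else 1)]
        sheets.append({
            "name": raw.decode("utf-16-le" if wide else "latin-1", "replace"),
            "type": SHEET_TYPES.get(dt, hex(dt)),
            "visibility": VISIBILITY.get(state & 0x03, "unknown"),
        })
    return sheets

def xlm_findings(stream):
    """Return only the sheets declared as Excel 4.0 macro sheets."""
    return [s for s in list_sheets(stream) if s["type"] == "xlm-macro-sheet"]

# --- constructed sample: BOF, one worksheet, one very-hidden macro sheet, EOF ---
def _rec(rtype, payload):
    return struct.pack("<HH", rtype, len(payload)) + payload

def _sheet(name, dt, state):
    head = struct.pack("<IBBBB", 0, state, dt, len(name), 0)
    return _rec(BOUNDSHEET, head + name.encode("latin-1"))

SAMPLE = (_rec(0x0809, struct.pack("<HH", 0x0600, 0x0005) + bytes(12))
          + _sheet("Sheet1", 0x00, 0) + _sheet("Macro1", 0x01, 2) + _rec(EOF, b""))
```

A macro sheet that is also hidden or very hidden in an e-mailed .xls attachment is a stronger triage signal than the sheet type alone.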

TA505 is criminal and prolific in their attacks. Their signature is attachments to socially engineered email, so the prevention of their attacks comes down to "Don't click that unknown link."

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
