TA505 Invades the Middle East

The campaign, detected by Trend Micro, has been identified as coming from threat actor TA505.

New malware strains were found by Trend Microtargeting countries in the Middle East such as United Arab Emirates and Saudi Arabia, as well as other countries such as India, Japan, Argentina, the Philippines and South Korea. The campaign has been identified as coming from threat actor TA505.

TA505 achieved infamy with its use of the Dridex banking trojan as well as the Locky ransomware. It is known for targeting financial enterprises. Since last December, TA505 has been very active and has been using legitimate or compromised RATs (remote access trojans) such as FlawedAmmyy, FlawedGrace and Remote Manipulator System (RMS). In the blog Trend also analyzed a new malware tool named Gelup, which they saw the group use in one of its campaigns on June 20. Gelup abuses user account control (UAC) bypass and works as a loader for other threats.

Trend Micro also found that TA505 is using a new backdoor called FlowerPippi. Trend saw it in use during TA505's campaigns against targets in Japan, India, and Argentina.

The FlowerPippi backdoor collects and exfiltrates information from victim computers. It can also run arbitrary commands it receives from its command and control (C2) server.

TA505 targeted Middle Eastern countries in a June 11 campaign which delivered more than 90% of the total spam emails to the UAE, Saudi Arabia, and Morroco. The spam emails contained either an .html or .xls file attachment.

Details about the technical efforts of the new threats can be found in Trend Micro's technical brief on them. Other organizations have seen TA505's traces. Microsoft's Security Intelligence issued an alert roughly two weeks ago about an active spam campaign trying to infect Korean targets with a FlawedAmmyy RAT malware distributed via malicious XLS attachments.

The FlawedAmmyy is a remote access trojan payload and is known to be linked to TA505.

Proofpoint has assembled a timeline reflecting TA505's known activities. They have been active since 2014.

Trend Micro issued a report in June that discussed TA505's shifting tactics. Trend says that, "In April, TA505 targeted Latin American countries Chile and Mexico, and even Italy using either FlawedAmmyy RAT or RMS RAT as payload. By the end of April, we learned that the group started to go after targets in East Asian countries such as China, South Korea, and Taiwan using FlawedAmmyy RAT as its payload."

They have also used legitimate Windows OS processes in the performance of their criminal activities and to deliver a payload without being detected. The group notably abuses Excel 4.0 macros, which is a particularly old macro and is likely used just to evade typical macro detection.

TA505 is criminal and prolific in their attacks. Their signature is attachments to socially engineered email, so the prevention of their attacks comes down to "Don't click that unknown link."

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Editors' Choice
Tara Seals, Managing Editor, News, Dark Reading
Jim Broome, President & CTO, DirectDefense
Nate Nelson, Contributing Writer, Dark Reading