Yesterday (Tuesday, 20th of October), security researchers at the Proofpoint firm uncovered a large-scale malicious email campaign performed by the notorious TA505 hacker group that distributes a variant of the FlawedGrace RAT (Remote Access Trojan). The campaign is said to be targeted at a wide range of businesses and organizations without being limited to any particular geographical region. Among the more notable targets of the campaign are Austria and Germany.
TA505 is a group of threat actors motivated by financial gain that has established itself over the years as one a trendsetter in the fields of cybercrime due to its constantly shifting tactics and malware campaigns of unprecedented scale. The group has been around since 2014, at the very least, and is responsible for the creation and use of infamous malware threats such as the Dridex banking Trojah, FlawedGrace, FlawedAmmyy, the Locky Ransomware, Neutrino botnet, and more.
The Morphisec cybersecurity firm is also keeping tabs on this latest TA505 malware campaign, dubbing it MirrorBlast.
The MirrorBlast/FlawedGrace campaign is said to have started as a smaller-scale distribution of infected emails (only a couple of thousands at a time) before increasing in volume towards the end of last month. At the time of writing, the malware campaign spreads tens of thousands of malicious emails with each of its phases.
According to researchers, this malware campaign is similar to the TA505 hacker group’s activity from 2019 and 2020, using the same or similar email and Excel file lures, and domain naming conventions, as well as delivering a version of the FlawedGrace RAT that is known to have been created by the TA505 group.
TA505 is known for having targeted over the years banks, energy companies, research organizations, government institutions, airlines, retailers, and a wide selection of other businesses and organizations, primarily focusing on maximized financial gain above anything else. In most cases, the attacks are initiated by the distribution of malware-infected emails (or other messages) that lure the targeted victim by using COVID-19 updates, Microsoft OneDrive notifications, or insurance claims as bait.
From its earlier stages as a smaller threat actor that primarily relied on third-party malware services, TA505 has, over the years, become a major and self-sustaining player in the cybercrime world, creating its own forms of malware.
This latest campaign, in particular, is heavily reliant on the targeted users enabling macros after opening the infected Excel attachments that are supposed to deploy the Remote Access Trojan. If the victim falls for the bait, an obfuscated MSI file gets downloaded onto the targeted system and fetches the loaders for the next stage of the infection. Those loaders, in turn, deliver the version of the FlawedGrace RAT that’s used for the main stage of the attack.
The FlawedGrace Remote Access Trojan has been around since at least November 2017, and it is a Trojan threat written in C++, capable of giving remote access to the cybercriminals who use it to the targeted machine. FlawedGrace is intentionally designed to prevent analysis of its code via reverse-engineering. The virus comes with a wide range of abilities that enable it to communicate with the command-and-control server of the hackers who are using it and, in turn, receive new instructions for its next actions.
An important aspect of this most recent attack is the shift in the tactics used by the TA505 hackers, who have retooled the malware loaders for FlawedGrace in less common programming languages, including KiXtart and Rebol, replacing the Get2 language that was being used before.
The researchers at Proofpoint further add that TA505’s constantly shifting TTPs (Tactics, Techniques, and Procedures) as well as its opportunistic approach motivated by financial gain above anything else make it a threat that would continue to plague the cyberworld, due to its continued evolution and unprecedented flexibility.