TA505 uses legitimate tools to attack German firms

Prevailion has warned that the Russian-speaking hacker group TA505 (aka Evil Corp) has begun actively using legitimate tools (in addition to malware) to attack German companies. Let me remind you that this group is primarily known for using the Dridex Trojan and Locky ransomware, but it also uses many other malicious programs, including BackNet, Cobalt Strike, ServHelper, Bart, FlawedAmmyy, SDBbot RAT, DoppelPaymer and so on.

Prevailion researchers have found that TA505 has been running a campaign against German firms since the summer of 2019. The attackers send their targets emails containing fake job-application résumés. These emails carry malicious attachments designed to steal credentials and credit card information.

But whereas in 2019 the attackers used commercially available ransomware to encrypt victims' files, in more recent operations they switched to the commercial NetSupport remote administration tool, hosted on Google Drive.

Experts warn that by using legitimate tools that are unlikely to be detected by traditional security solutions, attackers can perform a wide range of actions, including stealing files, taking screenshots, and recording sound.

At the initial stage of the attack, the code in the malicious résumé launches a script that retrieves additional payloads and collects data about the victim's computer (list of installed programs, computer name, domain, and so on). The malware then tries to collect credentials stored in browsers and email clients, as well as cookies and credit card information.

The stolen credentials are archived and sent to the attackers' command-and-control server; a scheduled task is then created, and a BAT file removes all traces of the attack.

Researchers note that in the summer of 2019 the attacks also had a ransomware component: disks on local machines were encrypted using a GPG public key, shadow copies were deleted, and some data was exfiltrated to zalock[@]airmail.cc.

In the new attacks, a loader (apparently named rekt) is used, which was developed to communicate with Google Drive and download additional files. The second-stage payload was identified as the commercial NetSupport remote-access application.

Some of the discovered rekt variants date back to April 2019. Researchers also identified samples signed with a digital certificate that was also used to sign two FlawedAmmyy Trojans. Those were previously associated with TA505 as well, so the researchers confidently state that this group is behind the detected attacks.
