Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns

by Hara Hiroaki and Loseway Lu (Threats Analysts)


TA505 is a prolific cybercriminal group known for its attacks against multiple financial institutions and retail companies using malicious spam campaigns and different malware. We have been following TA505 closely and detected various related activities over the past two months. In the group's latest campaign, they started using HTML attachments to deliver malicious .XLS files that lead to a downloader and the FlawedAmmyy backdoor, mostly targeting users in South Korea.



Figure 1. TA505’s latest infection chain
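The first two links of the chain in Figure 1 (an HTML attachment that pulls in an .XLS lure) can be triaged directly from the raw message. The following is an added mail-triage example written for this post, not code from the authors or from any Trend Micro tool; it assumes the HTML attachment references the spreadsheet by URL (an assumption about the lure, since the post does not say how the HTML fetches the .XLS), and the sample message and the `placeholder.invalid` host are constructed.

```python
import email
import re
from email import policy

# Constructed sample message (not a real campaign email): an HTML attachment
# that links to a spreadsheet download, mirroring the HTML -> .XLS chain above.
SAMPLE_EML = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Please see the attached document.
--BOUNDARY
Content-Type: text/html; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"
Content-Transfer-Encoding: 7bit

<html><body>
<a href="http://placeholder.invalid/docs/invoice.xls">Download invoice</a>
</body></html>
--BOUNDARY--
"""

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)
# Office document extensions a lure page would hand off to (assumed list).
OFFICE_EXT = (".xls", ".xlsx", ".xlsm", ".doc", ".docx", ".docm")


def html_attachment_lures(raw_eml: str) -> list[dict]:
    """Return one record per HTML attachment with the URLs it references,
    separating out those that point at an Office document."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename() or ""
        is_html = part.get_content_type() == "text/html"
        is_attachment = (part.get_content_disposition() == "attachment"
                         or filename.lower().endswith((".html", ".htm")))
        if not (is_html and is_attachment):
            continue
        urls = URL_RE.findall(part.get_content())
        office_urls = [u for u in urls if u.lower().rstrip("/").endswith(OFFICE_EXT)]
        findings.append({"filename": filename, "urls": urls, "office_urls": office_urls})
    return findings


def is_suspicious(raw_eml: str) -> bool:
    """True when any HTML attachment links to an Office document."""
    return any(f["office_urls"] for f in html_attachment_lures(raw_eml))
```

In a mail gateway or SOC pipeline the `office_urls` list is what feeds URL reputation lookups and sandbox detonation of the fetched spreadsheet.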


This blog post covers three main points involving TA505: their recent activity in specific regions, shifting tactics and payloads, and suspicious activity possibly associated with the group. We also touch on the latest TA505 developments, including an email stealer, their use of legitimate software and MSI Installer, and more.


Recent activity in Latin America and East Asia


As previously mentioned, TA505, first named by Proofpoint, is known for targeting financial enterprises. Since last December, TA505 has been very active and has been using legitimate or compromised RATs (remote access trojans) such as FlawedAmmyy, FlawedGrace, and Remote Manipulator System (RMS< ..
