Russia-Linked Cybercriminals Use Legitimate Tools in Attacks on German Firms

In a campaign targeting German companies, the infamous Russia-linked threat actor known as TA505 has been using legitimate tools in addition to malware, Prevailion reports.


Often lumped together with Evil Corp (the two are tracked as distinct groups by most vendors, with Evil Corp being the developer of Dridex), TA505 is best known for distributing the Dridex Trojan and the Locky ransomware, but has leveraged numerous other malware families, including BackNet, Cobalt Strike, ServHelper, Bart ransomware, FlawedAmmyy, the SDBbot RAT, DoppelPaymer ransomware, and others.


TA505 was previously associated with the Necurs botnet that Microsoft dismantled last week. Necurs had been dormant since March of last year, and Prevailion pointed out that while Microsoft’s action likely hampered the group’s operations, “criminal enterprises like these run multifaceted operations at any given time in order to continuously compromise victims across the globe.”


Earlier this year, Prevailion’s security researchers identified a TA505 campaign targeting German companies with fake job application emails, although the attacks appear to have started in June 2019, or even the month before. The emails carried a malicious attachment designed to steal credentials and credit card data.


While in 2019 the adversary used commercially available ransomware to encrypt victims’ files, more recent activity employed the commerci ..
