Email phishing crapcannon operators TA505 are back from the dead, researchers warn

And they're packing a new dirty RAT as well


A prolific email phishing threat actor – TA505 – is back from the dead, according to enterprise security software slinger Proofpoint.

TA505, which was last active in 2020, restarted its mass emailing campaigns in September – armed with new malware loaders and a RAT.

"Many of the campaigns, especially the large volume ones, strongly resemble the historic TA505 activity from 2019 and 2020," said Proofpoint in a statement today. "The commonalities include similar domain naming conventions, email lures, Excel file lures, and the delivery of the FlawedGrace remote access trojan (RAT)."

FlawedGrace, according to the Fraunhofer Institute's Malpedia site, was initially developed in 2017. Its use is closely linked to TA505.

September's restart of TA505's operations, according to Proofpoint, was initially low key and featured "only several thousand messages per wave" mostly aimed at North American organisations. By October that had grown to five or six-figure waves of phishing emails, with target locations now including Germany and Austria.

Common phishing lures include insurance claims paperwork and emails claiming to have secure messages attached. Attachments in the phishing emails include Excel spreadsheets and HTML files linking to malware-laden Excel files.

Should someone open a tainted attachment or click a phishing link in a TA505 message, the malware downloads a Microsoft Installer package, which in turn executes a loader written in the KiXtart scripting language.

That loader pulls another MSI package from TA505's command-and-control servers, which in turn downloads and executes the MirrorBlast malware, Proofpoint said. MirrorBlast arrives as an Excel file containing a weaponised macro. Morphisec Labs noted that recently observed versions of MirrorBlast will only execute in 32-bit versions of Microsoft Office "due to compatibility reasons with ActiveX objects."
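The staged chain above (Office document, then an MSI, then a KiXtart loader, then a second MSI) leaves a distinctive parent/child process sequence that defenders can hunt for. The following is an added example written for this article, not code from Proofpoint or Morphisec; it assumes process-creation telemetry with pid, ppid and image name (as exported from Sysmon event ID 1 or an EDR), and that the KiXtart interpreter runs as kix32.exe or wkix32.exe, which is my assumption rather than a detail the article states.

```python
"""Flag parent/child process pairs matching the TA505 loader chain described above.

Assumptions (not from the article): telemetry is a list of records with
pid, ppid and image (basename); the KiXtart interpreter image names are
kix32.exe / wkix32.exe. The pairing rules are my reading of the article's
chain: Office -> msiexec.exe -> KiXtart loader -> msiexec.exe.
"""

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
KIXTART = {"kix32.exe", "wkix32.exe"}

# (allowed parents, allowed children, reason) -- pairs that should be rare
# on a workstation and that together reproduce the staged loader chain.
SUSPICIOUS_PAIRS = [
    (OFFICE, {"msiexec.exe"}, "Office app launched Windows Installer"),
    ({"msiexec.exe"}, KIXTART, "MSI package ran a KiXtart loader"),
    (KIXTART, {"msiexec.exe"}, "KiXtart loader pulled a second MSI"),
]


def find_suspicious_chains(events):
    """Return (parent_image, child_image, reason) for each matching pair.

    events: iterable of dicts with keys pid, ppid, image (any case).
    Image names are lower-cased so EXCEL.EXE and excel.exe compare equal.
    """
    by_pid = {e["pid"]: e["image"].lower() for e in events}
    hits = []
    for e in events:
        child = e["image"].lower()
        parent = by_pid.get(e["ppid"])
        if parent is None:  # parent not in telemetry window; skip
            continue
        for parents, children, reason in SUSPICIOUS_PAIRS:
            if parent in parents and child in children:
                hits.append((parent, child, reason))
    return hits


# Constructed sample telemetry (not real data): the loader chain started
# from an Excel attachment, plus one explorer-launched MSI that is benign.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "EXCEL.EXE"},
    {"pid": 300, "ppid": 200, "image": "msiexec.exe"},
    {"pid": 400, "ppid": 300, "image": "kix32.exe"},
    {"pid": 500, "ppid": 400, "image": "msiexec.exe"},
    {"pid": 700, "ppid": 100, "image": "msiexec.exe"},  # benign: user-run MSI
]

if __name__ == "__main__":
    for parent, child, reason in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"{parent} -> {child}: {reason}")
```

Any single pair can occur legitimately, so the rule is best used to raise severity when two or more of the pairs appear in one process tree within a short window.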

"This threat actor does not limit its target set, and is, in fact, an equal opportunist with the geographies and verticals it chooses to attack," concluded Proofpoint.

And in other internet criminal news, REvil's gone again

Ransomware gang REvil reportedly went offline earlier this week after one of its associates posted a message to a hacker forum claiming a mysteriously absent REvil member's keys had been used to reactivate C2 infrastructure the gang had previously pulled offline.

"The server was compromised and they were looking for me. To be precise, they deleted the path to my hidden service in the torrc file and raised their own so that I would [sic] go there. I checked on others – this was not. Good luck everyone, I'm off," said the REvil member, in a screenshotted post shared on Twitter by Recorded Future researcher Dmitry Smilanets.

Ransomware gangs come and go depending on whether they think law enforcement agencies are closing in on their real-world identities, though individuals linked with them occasionally sate their appetites for ill-gotten gains and quietly move on.

Close media attention on ransomware gangs' actions could mean that REvil has shut up shop – or it could be another blip in their inglorious history, like the time they went dark after the Kaseya MSA breach. ®

Biting the hand that feeds IT © 1998–2022