A prolific email phishing threat actor – TA505 – is back from the dead, according to enterprise security software slinger Proofpoint.
TA505, which was last active in 2020, restarted its mass emailing campaigns in September – armed with new malware loaders and a RAT.
"Many of the campaigns, especially the large volume ones, strongly resemble the historic TA505 activity from 2019 and 2020," said Proofpoint in a statement today. "The commonalities include similar domain naming conventions, email lures, Excel file lures, and the delivery of the FlawedGrace remote access trojan (RAT)."
FlawedGrace, according to the Fraunhofer Institute's Malpedia site, was initially developed in 2017. Its use is closely linked to TA505.
September's restart of TA505's operations was initially low-key, according to Proofpoint, featuring "only several thousand messages per wave" mostly aimed at North American organisations. By October that had grown to five- or six-figure waves of phishing emails, with target locations now including Germany and Austria.
Common phishing lures include insurance claims paperwork and emails claiming to have secure messages attached. Attachments in the phishing emails include Excel spreadsheets and HTML files linking to malware-laden Excel files.
Should someone open a tainted attachment or click a phishing link in a TA505 message, the malware downloads a Microsoft Installer (MSI) package, which in turn executes a loader written in the KiXtart scripting language.
That loader pulls another MSI package from TA505's command-and-control servers, which in turn downloads and executes a copy of the MirrorBlast malware, an Excel file containing a weaponised macro, Proofpoint said. Morphisec Labs noted that recently observed versions of MirrorBlast will only execute in 32-bit versions of Microsoft Office "due to compatibility reasons with ActiveX objects."
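A defender-side check for the delivery chain described above, added here as an example rather than code from Proofpoint or the article: it walks constructed process-creation events and flags the Office app → msiexec → KiXtart → msiexec parentage. The log format is made up for the example, and kix32.exe is assumed as the KiXtart interpreter's image name (a renamed copy would need a different match, such as a file hash).

```python
import re

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = r"""
pid=4100 ppid=3200 image=C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
pid=4188 ppid=4100 image=C:\Windows\SysWOW64\msiexec.exe
pid=4210 ppid=4188 image=C:\Users\user\AppData\Local\Temp\MSI1234.tmp\kix32.exe
pid=4233 ppid=4210 image=C:\Windows\SysWOW64\msiexec.exe
pid=5001 ppid=3200 image=C:\Windows\System32\notepad.exe
pid=5010 ppid=5001 image=C:\Windows\System32\msiexec.exe
"""

EVENT_RE = re.compile(r"pid=(\d+) ppid=(\d+) image=(.+)$")
OFFICE = {"excel.exe", "winword.exe"}   # lure documents in the campaign are Excel files

# Child-first lineage patterns; each element is a set of acceptable image names.
STAGES = [
    ("kixtart-loader-from-msi", [{"kix32.exe"}, {"msiexec.exe"}, OFFICE]),
    ("second-msi-from-kixtart", [{"msiexec.exe"}, {"kix32.exe"}, {"msiexec.exe"}, OFFICE]),
]

def parse_events(text):
    """Parse 'pid= ppid= image=' lines into {pid: (ppid, lowercased image basename)}."""
    procs = {}
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            pid, ppid, image = int(m.group(1)), int(m.group(2)), m.group(3)
            procs[pid] = (ppid, image.rsplit("\\", 1)[-1].lower())
    return procs

def lineage(procs, pid, max_depth=8):
    """Return image basenames from pid upward through its recorded ancestors."""
    chain = []
    while pid in procs and len(chain) < max_depth:
        ppid, name = procs[pid]
        chain.append(name)
        pid = ppid
    return chain

def find_loader_chains(procs):
    """Return (pid, stage) for every process whose lineage matches a STAGES pattern."""
    hits = []
    for pid in sorted(procs):
        chain = lineage(procs, pid)
        for label, pattern in STAGES:
            if len(chain) >= len(pattern) and all(chain[i] in pattern[i] for i in range(len(pattern))):
                hits.append((pid, label))
    return hits

if __name__ == "__main__":
    for pid, stage in find_loader_chains(parse_events(SAMPLE_EVENTS)):
        print(f"pid {pid}: {stage}")
```

A plain msiexec under Excel (pid 4188) is deliberately not flagged on its own, since legitimate installers are launched that way; the KiXtart hop is what makes the chain distinctive.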
"This threat actor does not limit its target set, and is, in fact, an equal opportunist with the geographies and verticals it chooses to attack," concluded Proofpoint.
And in other internet criminal news, REvil's gone again
Ransomware gang REvil reportedly went offline earlier this week after one of its associates posted a message to a hacker forum claiming a mysteriously absent REvil member's keys had been used to reactivate C2 infrastructure the gang had previously pulled offline.
"The server was compromised and they were looking for me. To be precise, they deleted the path to my hidden service in the torrc file and raised their own so that I would [sic] go there. I checked on others – this was not. Good luck everyone, I'm off," said the REvil member, in a screenshotted post shared on Twitter by Recorded Future researcher Dmitry Smilanets.
Ransomware gangs come and go depending on whether they think law enforcement agencies are closing in on their real-world identities, though individuals linked with them occasionally sate their appetites for ill-gotten gains and quietly move on.
Close media attention on ransomware gangs' actions could mean that REvil has shut up shop – or it could be another blip in their inglorious history, like the time they went dark after the Kaseya MSA breach. ®