Delaware, USA – July 5, 2019 – For some, summer means the sea and the beach; for TA505 it is the season of active spam campaigns and new malware. In mid-June, countries in the Middle East were flooded with spam carrying malicious documents and archives that spread the FlawedAmmyy RAT. It is noteworthy that some of the emails were sent through the Amadeus botnet, as the TA505 group is associated with the infamous Necurs. The attackers then switched to distributing the ServHelper backdoor: Trend Micro researchers registered campaigns targeting banks in several Asian countries. From June 20, the group started to distribute new malware, the FlowerPippi backdoor and the Gelup downloader; these campaigns targeted Japan, the Philippines, and Argentina.
Gelup is installed into the system in multiple stages to complicate detection, and its authors used several techniques to hinder analysis. Gelup achieves persistence through scheduled tasks or by adding registry entries. The FlowerPippi backdoor is also used as a downloader, since its primary functions are downloading and running the next-stage payload. The malware collects user information and sends it to the C&C server, generating the victim ID, then waits for further instructions to download and run an EXE file, download a DLL and load it via LoadLibrary, run an arbitrary command, or delete itself.
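As an added illustration (not one of the SOC Prime or Trend Micro rules linked below), the Python snippet here applies the two persistence behaviours attributed to Gelup above, scheduled-task creation (T1053) and Run-key registry writes, to a handful of constructed Sysmon-style events, adding the extra signal that the process chain starts from an Office application, as it would in a malicious-document spam campaign. Field names follow Sysmon's Event ID 1 (process creation) and Event ID 13 (registry value set) schema; the events, paths and task names are constructed, not real telemetry.

```python
import re

# Constructed Sysmon-style events (not real telemetry). EventID 1 = process
# creation, EventID 13 = registry value set, following Sysmon's field names.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /sc minute /mo 5 /tn "Updater" '
                    '/tr "C:\\Users\\u\\AppData\\Roaming\\x.exe"',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Roaming\x.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\x",
     "Details": r"C:\Users\u\AppData\Roaming\x.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks /query /tn Backup",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Vendor\Version", "Details": "1.0"},
]

# Office processes that should not normally be spawning schtasks.exe.
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
# Run / RunOnce autostart keys (ATT&CK T1547.001), under HKCU, HKU or HKLM.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Locations a document-delivered dropper can write to without admin rights.
USER_WRITABLE_RE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\Public)\\", re.I)


def classify(event):
    """Return a short finding label for one event, or None if nothing matched."""
    if event.get("EventID") == 1:
        image = event.get("Image", "").lower()
        cmd = event.get("CommandLine", "").lower()
        parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
        if image.endswith("\\schtasks.exe") and "/create" in cmd:
            if parent in OFFICE_PARENTS:
                return "T1053 scheduled task created by Office process"
            if USER_WRITABLE_RE.search(cmd):
                return "T1053 scheduled task pointing at user-writable path"
    elif event.get("EventID") == 13:
        if (RUN_KEY_RE.search(event.get("TargetObject", ""))
                and USER_WRITABLE_RE.search(event.get("Details", ""))):
            return "T1547 Run key pointing at user-writable path"
    return None


def scan(events):
    """Return (index, label) for every event that produces a finding."""
    return [(i, lbl) for i, e in enumerate(events) if (lbl := classify(e))]
```

Both Gelup-style persistence events are flagged while the `schtasks /query` and the vendor version key are left alone; in production the same logic would run over the Sysmon event stream rather than an in-memory list.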
FlowerPippi and Gelup analysis by Trend Micro: https://documents.trendmicro.com/
Rule digest for ‘Scheduled task’ technique detection: https://www.peerlyst.com/posts/rule-digest-for-scheduled-task-technique-t1053-soc-prime
Flawed Ammyy Malware Detector (Sysmon Behavior) (2019 Samples) by Lee Archinal: https://tdm.socprime.com/tdm/info/2262/
TA505 Activity Detected by Lee Archinal: https://tdm.socprime.com/tdm/info/2210/
Gelup Malware Detector (Sysmon Behavior) by Lee Archinal: https://tdm.socprime.com/tdm/info/2293/
Flowerpippi Malware Detector (Sysmon Behavior) by Lee Archinal: https://tdm.socprime.com/tdm/info/2292/