Delaware, USA – November 13, 2019 – The infamous TA505 group, which is behind the Dridex trojan and GlobeImposter ransomware, is now targeting system integrator companies. The threat was discovered and analyzed by Marco Ramilli, founder and CEO of Yoroi. After discovering one of the malicious emails, he traced it to the validtree[.]com domain and determined that several companies had received emails from this domain over the past few weeks, and that the domain itself had been renewed in mid-October. WhoisGuard hides the owner's information, so the domain could not be linked directly to past cybercriminal campaigns, but analysis of the malicious attachment provided the necessary evidence.
The researcher was unable to determine which malware this campaign was ultimately meant to deliver. Ransomware attacks on large organizations in Europe have become more frequent, so it can be assumed that the attackers intend to leverage the compromised system integrator companies to infect their customers with GlobeImposter 2.0. Indicators of compromise and a YARA rule for detecting the dropper used in this campaign are available in the original research. You can learn more about the group and its tools in the MITRE ATT&CK section of Threat Detection Marketplace: https://tdm.socprime.com/att-ck/