TA505 Group is Aiming at System Integrator Companies in Europe

Delaware, USA – November 13, 2019 – The infamous TA505 group, which is behind the Dridex trojan and GlobeImposter ransomware, is interested in System Integrator Companies. The threat was discovered and analyzed by Marco Ramilli, founder & CEO at Yoroi. After discovering one of the malicious emails, he tracked it to the validtree[.]com domain and determined that several companies had received emails from this domain over the past few weeks, and that the domain itself was renewed in mid-October. WhoisGuard hides the owner’s information, so it was not possible to link the domain to past cybercriminal campaigns, but analysis of the malicious attachment revealed the necessary evidence.

The document contains two VBA macros, which decode and execute a JavaScript dropper that downloads the final payload from the attackers’ command-and-control server. Code analysis revealed that the TA505 group uses the names of ancient gods as variable names. The group has recently given meaningful names to functions and variables in other campaigns as well. It is possible that analysis reports describing such whimsically named malware are taken less seriously by readers, so TA505 may be toying with the cybersecurity community. Stronger evidence that this is a TA505 campaign is the server used to download the final payload: the group previously used the same server to deliver Locky ransomware and the Dridex trojan.
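The infection chain described above (an Office document whose VBA macros launch a JavaScript dropper through a script host, which then reaches out to attacker infrastructure) leaves traces that endpoint and DNS telemetry can catch. The following is an added example written for this summary; it is not code from the SOC Prime article or from Yoroi's research. The log format, field names and sample events are constructed for illustration; the only page-derived value is the validtree[.]com domain (written without defanging brackets so it can be matched).

```python
"""
Added detection example (not from the original article): flag an Office
application spawning a Windows script host to run a .js file, and flag DNS
lookups of the sender domain named in the write-up. The key="value" log
format and the sample events below are constructed for this example.
"""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Domain from the article (defanging brackets removed for matching).
WATCHED_DOMAINS = {"validtree.com"}


def parse_event(line):
    """Parse key="value" pairs from one log line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def _basename(path):
    """Lower-cased file name of a Windows path (handles backslashes)."""
    return path.lower().rsplit("\\", 1)[-1]


def flag_event(event):
    """Return the list of reasons this event is suspicious (empty if none)."""
    reasons = []
    kind = event.get("type")
    if kind == "process":
        parent = _basename(event.get("parent_image", ""))
        image = _basename(event.get("image", ""))
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            reasons.append(f"office app {parent} spawned script host {image}")
        cmdline = event.get("cmdline", "").lower()
        if image in SCRIPT_HOSTS and re.search(r"\.js\b", cmdline):
            reasons.append("script host executing a .js file")
    elif kind == "dns":
        query = event.get("query", "").lower().rstrip(".")
        if any(query == d or query.endswith("." + d) for d in WATCHED_DOMAINS):
            reasons.append(f"dns lookup of watched domain {query}")
    return reasons


def scan(lines):
    """Run every line through flag_event; return (line_no, reasons) hits."""
    hits = []
    for number, line in enumerate(lines, 1):
        reasons = flag_event(parse_event(line))
        if reasons:
            hits.append((number, reasons))
    return hits


# Constructed sample telemetry: one macro-to-dropper chain, one lookup of the
# watched domain, and two benign events that must not be flagged.
SAMPLE_LOG = [
    'type="process" parent_image="C:\\Program Files\\Microsoft Office\\WINWORD.EXE" '
    'image="C:\\Windows\\System32\\wscript.exe" '
    'cmdline="wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\stage.js"',
    'type="dns" query="validtree.com"',
    'type="process" parent_image="C:\\Windows\\explorer.exe" '
    'image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe"',
    'type="dns" query="update.microsoft.com"',
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: " + "; ".join(reasons))
```

The two process checks are deliberately separate: an Office parent spawning a script host is suspicious on its own, and a script host running a `.js` file is a second, independent signal, so a hit carrying both reasons ranks higher for triage than either alone. Matching the domain by suffix also catches subdomains of the watched name.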

The researcher was unable to determine which malware this campaign was meant to deliver to users. Ransomware attacks on large organizations in Europe have become more frequent, so it can be assumed that the attackers intend to leverage the compromised System Integrator Companies to infect their customers with GlobeImposter 2.0. Indicators of Compromise and a YARA rule to detect the dropper used in this campaign are available in the original research. You can learn more about the group and its tools in the MITRE ATT&CK section of Threat Detection Marketplace: https://tdm.socprime.com/att-ck/