Delaware, USA – February 4, 2020 – Since mid-January, the financially motivated TA505 cybercrime group has been using HTML attachments to infect victims with the FlawedGrace trojan. According to Microsoft, this campaign is the first in which TA505 has used this tactic. The campaign is still ongoing: the adversaries send phishing emails with HTML redirectors attached. When the victim opens the attachment, the HTML file automatically starts downloading the malicious Excel document. The victim then only has to open the document and enable editing, and TA505 knows very well how to persuade users to do so. Once editing is enabled, the Excel file drops the final payload – the FlawedGrace trojan.
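As an added illustration (not part of the original post), here is a small Python heuristic that a mail gateway or an analyst could run over HTML attachments to flag the redirector pattern described above: something that fires without user interaction (a meta refresh, an onload handler, a scripted redirect or click) combined with a link to a spreadsheet document. The signal patterns, thresholds and sample attachments are constructed assumptions; the post does not state which redirect mechanism TA505 used.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Heuristic signals for an HTML attachment acting as a redirector to a document
# download. The specific mechanisms are assumptions, not details from the post.
SPREADSHEET_EXT = r"\.(?:xls[xm]?|xlsb)(?=[?#\"'\s<]|$)"
SIGNALS = {
    "meta_refresh": re.compile(r"<meta\b[^>]*http-equiv\s*=\s*['\"]?refresh", re.I),
    "onload_trigger": re.compile(r"<body\b[^>]*\sonload\s*=", re.I),
    "js_location": re.compile(r"location(?:\.href)?\s*=\s*['\"]", re.I),
    "js_click": re.compile(r"\.click\(\s*\)", re.I),
    "download_attr": re.compile(r"<a\b[^>]*\sdownload(?=[\s>=])", re.I),
    "spreadsheet_url": re.compile(r"https?://[^\s'\"<>]+" + SPREADSHEET_EXT, re.I),
}
AUTO_TRIGGERS = ("meta_refresh", "onload_trigger", "js_location", "js_click")

@dataclass
class Verdict:
    suspicious: bool
    score: int
    hits: List[str] = field(default_factory=list)

def score_html_attachment(html: str) -> Verdict:
    """Score one HTML attachment body; a score of 3 or more is treated as suspicious."""
    hits = [name for name, rx in SIGNALS.items() if rx.search(html)]
    # Campaign pattern: an automatic trigger AND a spreadsheet target; weight that combination.
    auto = any(h in hits for h in AUTO_TRIGGERS)
    score = len(hits) + (2 if auto and "spreadsheet_url" in hits else 0)
    return Verdict(suspicious=score >= 3, score=score, hits=hits)

def flag_attachments(attachments: List[Tuple[str, str]]) -> List[str]:
    """Return names of .htm/.html attachments whose body looks like a redirector."""
    return [name for name, body in attachments
            if name.lower().endswith((".htm", ".html"))
            and score_html_attachment(body).suspicious]

# Constructed samples (not real campaign artefacts); .invalid is a reserved TLD.
REDIRECTOR = ('<html><head><meta http-equiv="refresh" '
              'content="0;url=http://example.invalid/invoice.xls"></head>'
              '<body></body></html>')
BENIGN = ('<html><body><h1>Newsletter</h1>'
          '<a href="https://example.invalid/report.pdf">Report</a></body></html>')

if __name__ == "__main__":
    for name, body in (("invoice.html", REDIRECTOR), ("news.html", BENIGN)):
        v = score_html_attachment(body)
        print(f"{name}: suspicious={v.suspicious} score={v.score} hits={v.hits}")
    print("flagged:", flag_attachments([("invoice.html", REDIRECTOR), ("news.html", BENIGN)]))
```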
The group has been active since 2014 and is known for massive spam campaigns that used the Necurs botnet to distribute the Dridex banking trojan as well as several ransomware families: Locky, BitPaymer, and GlobeImposter. In the current campaign, the adversaries use localized HTML files in different languages to infect victims worldwide. In addition, they use an IP traceback service to record the IP addresses of systems that download the weaponized Excel documents. TA505 is one of the most dangerous Russia-based hacking groups; the U.S. Justice Department has offered significant rewards for their “heads”, but the group continues its campaigns and keeps learning new tricks. You can explore the techniques used by this group in Threat Detection Marketplace and find rules for detecting them: https://tdm.socprime.com/att-ck/