skip to Main Content

Cybercrime, TA505 group is expanding its operations with legit RAT

TA505 cybercrime group is expanding its operations. Yoroi-Cybaze noticed a suspicious cyber attack against an italian organization with spear phishing email and a RMS client used as a RAT

TA505 cybercrime group is expanding its operations. It has been discovered by Yoroi-Zlab cyber security experts, which noticed a suspicious cyber attack against an italian organization. The vector was a spear phishing email, embedding a spreadsheet. The document is weaponized with malicious macro code triggered when the user opens the document to see the content under the obfuscated view. The source code is composed by more than 1600 lines and it is highly obfuscated. Only a small portion of it is actually used to start the infection, the rest is just junk. The malware, finally, is a RMS (Remote Manipulator System) client by TektonIT, encrypted using the MPress PE compressor utility, a legitimate tool, to avoid antivirus detection. It acts as a Remote Administration Tool (RAT), allowing the attacker to gain complete access to the victim machine.

The cyber security experts: The cybercrime group traditionally targets Banking and Retail industries, but in the last attack the target was not linked to these sectors

The cyber security experts, after the reconstruction of the full infection chain, noticed strong similarities with a recent spear-phishing attack campaign against an unspecified US retail company. The aggression, as stated by CyberInt, leveraged a command and control server located in Germany related to TA505, a very active cybercrime group involved in operations all around the world, threatening a wide range of high profile companies, active since 2014. Until now, it has traditionally targeted Banking and Retail industries – as Yoroi recently documented in the analysis of the “Stealthy Email Stealer” part of their arsenal -. But, the attack against the italian organization, not strictly linked to both sectors, suggests the threat group could be potentially widening their current operations.

Back To Top