
TA505 cybercrime gang launched new campaigns with Gelup-FlowerPippi malware


The TA505 cybercrime gang has launched new campaigns in different countries with the Gelup and FlowerPippi malware, Trend Micro cyber security experts have discovered. The targets are many countries in the Middle East, Asia and worldwide. The first malicious code, Gelup, uses a user account control (UAC) bypass and works as a loader for other threats. The tool also uses the packer of FlawedAmmyy, a remote access trojan, from previous campaigns. The second, FlowerPippi (Backdoor.Win32.FLOWERPIPPI.A), is a new backdoor that was used in campaigns against targets in Japan, India, and Argentina. TA505 targeted Middle Eastern countries in a June 11 campaign that delivered more than 90% of the total spam emails to the UAE, Saudi Arabia, and Morocco. The emails contained either an .html or .xls file attachment.

The cyber security experts: Gelup could be the AndroMut malware discovered by Proofpoint

In the campaign that targeted Japan, the Philippines, and Argentina on June 20, the cyber security experts found what seems to be a new, undisclosed malware, which they named Gelup. The researchers found that Proofpoint had also reported it, as AndroMut. Some variants of the malicious code were packed with a custom packer, the same one that TA505 had been using. The unpacked payload is written in C++ and basically works as a downloader for other malware. What makes Gelup different, however, is its obfuscation technique and its UAC-bypassing function, which works by mocking trusted directories (spoofing the file's execution path in a trusted directory), abusing auto-elevated executables, and using the dynamic-link library (DLL) side-loading technique. Gelup supports techniques that can deter static and dynamic analyses, and has multilayered steps for installing itself into the system.
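For defenders, one way to surface the mocked trusted directories described above in image-load telemetry. This is an added example, not code from Trend Micro or from the original article. It assumes the commonly documented form of the technique, in which a path component is padded with whitespace (such as `C:\Windows \System32`); the trusted-directory list, the (process image, loaded module) record format and the file names are assumptions made for illustration.

```python
import ntpath

# Assumption: directories treated as trusted here; the article does not list any.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def _under_trusted(path):
    return any(path.startswith(d + "\\") for d in TRUSTED_DIRS)


def is_mock_trusted(path):
    """True if the path only looks trusted once whitespace padding is removed."""
    raw = ntpath.normpath(path).lower()
    cleaned = "\\".join(part.strip() for part in raw.split("\\"))
    return _under_trusted(cleaned) and not _under_trusted(raw)


def scan(events):
    """Return (index, reason) for each image-load record touching a mock directory."""
    findings = []
    for i, (image, loaded) in enumerate(events):
        if is_mock_trusted(image):
            # Heuristic: a module loaded from the same mock directory as the
            # process image is treated as a likely DLL side-load.
            same_dir = ntpath.dirname(image).lower() == ntpath.dirname(loaded).lower()
            reason = "side-load from mock trusted dir" if same_dir else "image in mock trusted dir"
            findings.append((i, reason))
        elif is_mock_trusted(loaded):
            findings.append((i, "module in mock trusted dir"))
    return findings


# Constructed sample records: (process image, loaded module). File names are placeholders.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\example.exe", r"C:\Windows\System32\example.dll"),
    (r"C:\Windows \System32\example.exe", r"C:\Windows \System32\example.dll"),
    (r"C:\Windows \System32\example.exe", r"C:\Windows\System32\kernel32.dll"),
    (r"C:\Users\user\app.exe", r"C:\Windows\System32 \example.dll"),
]

if __name__ == "__main__":
    for index, reason in scan(SAMPLE_EVENTS):
        print(index, reason, SAMPLE_EVENTS[index])
```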
