TA505 is a financially motivated Russian threat group that has targeted the retail and financial sectors around the world since 2014. The group continuously updates its tactics, techniques, and procedures (TTPs), varying its delivery between malicious spam campaigns, malware, and HTML attachments.

TA505’s TTPs

After using banking Trojans such as Shifu and Dridex, as well as the Locky ransomware, TA505’s operators have been observed switching to new backdoors in their attacks, including the modular tRat and ServHelper. TA505 has also employed the Remote Manipulator System (RMS) backdoor to target financial institutions in Europe, APAC, and LATAM.

The following is a quick rundown of the group’s varying methods:

  1. Using Amadey to distribute EmailStealer: used to steal email account or SMTP credentials from infected PCs.
  2. Using VBA macros: alongside Excel 4.0 macros, TA505 also uses VBA macros, but still hides the command and any malicious URLs in a “UserForm” rather than in the VBA code itself.
  3. Avoiding msiexec.exe: TA505 has been observed downloading the first-stage payload binary directly and executing it, to avoid detection by endpoint security solutions.
  4. Using HTML as the attack entry point: users are tricked into clicking an HTML link that hides a malicious URL hosting the malicious Excel file.
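The HTML entry point in item 4 can be triaged at the mail gateway by extracting every anchor from the attachment and flagging links whose target is an Office document or whose visible text names a different host than the real href. The script below is an added example for this write-up, not TA505 tooling or the vendor’s code; the HTML attachment and its domain names are constructed placeholders, and the two heuristics are assumptions to tune for your own environment.

```python
"""Triage an HTML e-mail attachment for links that lead to Office documents.

Added example for this write-up; the sample attachment and domains below are
constructed placeholders, not indicators from the original report.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the visible text looks like a trusted portal URL while the
# real href points at another host serving a macro-enabled Excel workbook.
SAMPLE_HTML = """<html><body>
<p>Your invoice is ready.</p>
<a href="https://cdn.example-placeholder.net/docs/invoice_2231.xlsm">https://portal.example-bank.invalid/invoice</a>
<a href="https://portal.example-bank.invalid/help">Help</a>
</body></html>"""

# Extensions that should never be one click away inside an e-mail attachment.
OFFICE_EXTENSIONS = (".xls", ".xlsm", ".xlsb", ".xlsx", ".doc", ".docm", ".docx")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def assess_link(href, text):
    """Return a list of reasons the link is suspicious (empty if none)."""
    reasons = []
    target = urlparse(href)
    if target.path.lower().endswith(OFFICE_EXTENSIONS):
        reasons.append("links directly to an Office document")
    # Display text that is itself a URL but names a different host than the href.
    if text.startswith(("http://", "https://")):
        shown_host = urlparse(text).hostname
        if shown_host and shown_host != target.hostname:
            reasons.append(
                f"display text names {shown_host} but href goes to {target.hostname}"
            )
    return reasons


def triage(html):
    """Map each suspicious href in the attachment to its list of reasons."""
    findings = {}
    for href, text in extract_links(html):
        reasons = assess_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in triage(SAMPLE_HTML).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample, only the invoice link is reported, with both reasons; the plain "Help" link passes. Feeding real attachments through `triage` before delivery gives a cheap first filter for this entry point.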

How they operate:

Spear-phishing combined with social engineering is the main way TA505 gets its software into an organization. The emails attempt to trick users into opening a malicious Word document containing a Visual Basic for Applications (VBA) macro that downloads a payload from the command and control (C&C) server. In the final stage, the RMS RAT is installed on the victim’s machine; once installed, it is virtually undetectable by traditional threat protection systems because it is legitimate software.
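Because the final payload is legitimate remote-administration software, the most reliable place to catch this chain is the step before it: an Office application launching something it should not, whether the first-stage binary is fetched directly (the msiexec-avoidance noted above) or still goes through an installer. The detector below is an added example for this write-up, not the vendor’s detection content; the process-creation events are constructed, the pipe-separated line format is an assumption, and the allowlist of legitimate Office children is a starting point to tune per estate.

```python
"""Flag process-creation events where an Office application launches an
unexpected child process. Added example; log lines and format are constructed.

Expected record layout (assumed): time|parent_image|image|command_line
"""
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children Office apps launch legitimately (assumed allowlist; extend as needed).
ALLOWED_CHILDREN = {"splwow64.exe"}
# Path fragments that indicate a user-writable location.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
# Script hosts and installers that are notable when spawned by Office.
SCRIPT_HOSTS = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe",
}

# Constructed events: a direct first-stage drop from Word, a benign print helper,
# Excel being opened normally, and an msiexec-based install from Excel.
SAMPLE_EVENTS = r"""
2023-03-01T09:14:02|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Users\alice\AppData\Local\Temp\upd8.exe|upd8.exe
2023-03-01T09:14:05|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\splwow64.exe|splwow64.exe 12288
2023-03-01T09:16:40|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|EXCEL.EXE statement.xlsm
2023-03-01T09:17:01|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|C:\Windows\System32\msiexec.exe|msiexec /i C:\Users\alice\AppData\Local\Temp\pkg.msi /qn
"""


def parse_event(line):
    """Split one pipe-separated record into a dict; returns None if malformed."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    keys = ("time", "parent_image", "image", "command_line")
    return dict(zip(keys, parts))


def classify(event):
    """Return a reason string if the event is suspicious, otherwise None."""
    parent = ntpath.basename(event["parent_image"]).lower()
    child = ntpath.basename(event["image"]).lower()
    if parent not in OFFICE_APPS:
        return None
    if child in ALLOWED_CHILDREN or child in OFFICE_APPS:
        return None
    child_path = event["image"].lower()
    if any(fragment in child_path for fragment in USER_WRITABLE):
        return "Office app launched an executable from a user-writable location"
    if child in SCRIPT_HOSTS:
        return "Office app launched a script host or installer"
    return "Office app launched an unexpected child process"


def detect(log_text):
    """Run classify over every record; returns (time, child image, reason) tuples."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if event is None:
            continue
        reason = classify(event)
        if reason:
            findings.append((event["time"], event["image"], reason))
    return findings


if __name__ == "__main__":
    for time, image, reason in detect(SAMPLE_EVENTS):
        print(f"{time}  {image}\n    {reason}")
```

On the sample, the Temp-directory executable and the msiexec launch are both reported, while the print helper and the normal Excel start are not. The rule is deliberately keyed on the parent/child relationship rather than on the name of the dropped file, which is what lets it survive a payload that is itself a signed, legitimate tool.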
