RE: Whatta TA: TA505 Ramps Up Activity, Delivers New FlawedGrace Variant


October 19, 2021 Zydeca Cass, Axel F, Crista Giering, Matthew Mesa, Georgi Mladenov, and Brandon Murphy

Quote:

Key Takeaways

The prominent TA505 has returned to distributing large volumes of malicious emails affecting most industries.
New tools include a KiXtart Loader, the MirrorBlast loader, an updated FlawedGrace variant, and updated malicious Excel attachments.
One of the region-specific campaigns targeted German-speaking countries, notably Germany and Austria.
The campaigns share many similarities with TA505 campaigns from 2019 and 2020.

Overview

Since early September 2021, Proofpoint researchers have been tracking renewed malware campaigns by the financially driven TA505. The campaigns, which are distributed across a wide range of industries, started with low-volume email waves that ramped up in late September, resulting in tens to hundreds of thousands of emails.

Many of the campaigns, especially the large-volume ones, strongly resemble the historic TA505 activity from 2019 and 2020. The commonalities include similar domain naming conventions, email lures, Excel file lures, and the delivery of the FlawedGrace remote access trojan (RAT). The campaigns also contain some noteworthy new developments, such as retooled intermediate loader stages scripted in Rebol and KiXtart, which are used instead of the previously popular Get2 downloader. The new downloaders perform similar functions: reconnaissance and pulling in the next stages. Lastly, there is an updated version of FlawedGrace.


Edited by DaveLipman (2021-10-27 11:39 PM)