#214027 - 2021-10-21 09:09 PM
Updated malware distribution channel using KiXtart
DaveLipman
Fresh Scripter
Registered: 2005-07-13
Posts: 33
Loc: NJ, USA
RE: Whatta TA: TA505 Ramps Up Activity, Delivers New FlawedGrace Variant
October 19, 2021, by Zydeca Cass, Axel F, Crista Giering, Matthew Mesa, Georgi Mladenov, and Brandon Murphy
Key Takeaways
The prominent TA505 has returned to distributing large volumes of malicious emails affecting most industries. New tools include a KiXtart Loader, the MirrorBlast loader, an updated FlawedGrace variant, and updated malicious Excel attachments. One of the region-specific campaigns targeted German-speaking countries, notably Germany and Austria. The campaigns share many similarities with TA505 campaigns from 2019 and 2020.
Overview
Since early September 2021, Proofpoint researchers have been tracking renewed malware campaigns by the financially driven TA505. The campaigns, which are distributed across a wide range of industries, started with low-volume email waves that ramped up in late September, resulting in tens to hundreds of thousands of emails.
Many of the campaigns, especially the large volume ones, strongly resemble the historic TA505 activity from 2019 and 2020. The commonalities include similar domain naming conventions, email lures, Excel file lures, and the delivery of the FlawedGrace remote access trojan (RAT). The campaigns also contain some noteworthy, new developments, such as retooled intermediate loader stages scripted in Rebol and KiXtart, which are used instead of the previously popular Get2 downloader. The new downloaders perform similar functionality of reconnaissance and pulling in the next stages. Lastly, there is an updated version of FlawedGrace.
Edited by DaveLipman (2021-10-27 11:39 PM)