TA505 launches fresh attacks on financial organizations in Singapore, UAE and U.S.

The TrickBot update should cause alarm for the financial sector. (Getty Images)


Written by

A criminal hacking group linked with the distribution of the Locky ransomware appears to have new targets in its sights: financial institutions in Singapore, the United Arab Emirates and United States, as well as manufacturing and retail organizations in South Korea.

The TA505 group began the campaign last month through tens of thousands of malicious emails, according to researchers at cybersecurity company Proofpoint.

The new code is the latest innovation from the group, which is one of the more prolific and adept financially motivated cybercrime organizations. TA505 has reportedly distributed the Windows-based Locky ransomware through spam campaigns. Locky, which emerged in 2016, yielded more than $200 million in ransom payments at its height, according to one estimate.

This time, the group is deploying a new piece of malware to download an old remote access tool (RAT) that could have let it steal credentials from a target computer, Proofpoint said. The malware was downloaded in quarantined environments and not at customer sites, meaning there is no evidence that it compromised target networks, said Chris Dawson, threat intelligence lead at Proofpoint.

Trend Micro, another cybersecurity company, reported on TA505’s use of the remote access tool against South Korean targets last month.

TA505 has moved away from using ransomware as it has looked for other ways to infect targets and make money.

“Throughout 2018, Proofpoint researchers observed threat actors increasingly distributing downloaders, backdoors, information stealers, [RATs], and more as they abandoned ransomware as their primary payload,” Proofpoint’s Matthew Mesa and Dennis Schwarz wrote in a blog post Tuesday.

“Like many threat actors, [TA505] has moved to malware that can sit quietly on a victim’s computer for indeterminate amounts of time and then be used in a variety of strategic ways,” Dawson told CyberScoop.

In April, cybersecurity company Cybereason said it had blocked a TA505 attempt to breach a big financial institution. The attempted hack appeared carefully planned – the malware was signed mere hours before the attack.

While the hackers were thwarted that time, they have proven capable of adapting their methods to get around defenses.

“They tend to set trends across the malware landscape, so, at this point, it appears that they are adapting to changing conditions based on regional and vertical targeting, as well the types of malware they are distributing,” Dawson said.

-In this Story-

banking, cybercrime, financial, Locky, Proofpoint, security research, TA505