TA505 launches fresh attacks on financial organizations in Singapore, UAE and U.S.

Far from a one-trick pony, TA505’s recent documented activity hasn’t involved ransomware as the group has looked for other ways to make money.

A criminal hacking group linked with the distribution of the Locky ransomware appears to have new targets in its sights: financial institutions in Singapore, the United Arab Emirates and United States, as well as manufacturing and retail organizations in South Korea.

The TA505 group began the campaign last month through tens of thousands of malicious emails, according to researchers at cybersecurity company Proofpoint.

The new code is the latest innovation from the group, which is one of the more prolific and adept financially motivated cybercrime organizations. TA505 has reportedly distributed the Windows-based Locky ransomware through spam campaigns. Locky, which emerged in 2016, yielded more than $200 million in ransom payments at its height, according to one estimate.

This time, the group is deploying a new piece of malware to download an old remote access tool (RAT) that could have let it steal credentials from a target computer, Proofpoint said. The malware was downloaded in quarantined environments and not at customer sites, meaning there is no evidence that it compromised target networks, said Chris Dawson, threat intelligence lead at Proofpoint.

Trend Micro, another cybersecurity company, reported on TA505’s use of the remote access tool against South Korean targets last month.

TA505 has moved away from using ransomware as it has looked for other ways to infect targets and make money.

“Throughout 2018, Proofpoint researchers observed threat actors increasingly distributing downloaders, backdoors, information stealers, [RATs], and more as they abandoned ransomware as their primary payload,” Proofpoint’s Matthew Mesa and Dennis Schwarz wrote in a blog post Tuesday.

“Like many threat actors, [TA505] has moved to malware that can sit quietly on a victim’s computer for indeterminate amounts of time and then be used in a variety of strategic ways,” Dawson told CyberScoop.

In April, cybersecurity company Cybereason said it had blocked a TA505 attempt to breach a big financial institution. The attempted hack appeared carefully planned – the malware was signed mere hours before the attack.

While the hackers were thwarted that time, they have proven capable of adapting their methods to get around defenses.

“They tend to set trends across the malware landscape, so, at this point, it appears that they are adapting to changing conditions based on regional and vertical targeting, as well the types of malware they are distributing,” Dawson said.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.