Evil Corp Resumes Operations Using New Phishing Tactic to Deliver RAT

A hacking group known as Evil Corp, aka TA505, has resumed its malicious activities and has adopted a new phishing tactic for delivering malware. The hacking group has been active since at least 2014 and primarily targets financial institutions and retailers. Large spam campaigns are conducted using the Necurs botnet.

Evil Corp was targeted by law enforcement in the United States in late 2019, with U.S. authorities offering up to $5 million for information leading to the arrest of the leader of the group, Maksim V. Yakubets, 32, of Russia. Evil Corp has previously conducted large-scale spamming campaigns spreading the Dridex banking Trojan, which harvests login credentials. Hundreds of different banks in more than 40 countries were targeted. The Dridex infections have resulted in losses of more than $1 million, according to the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC). Sanctions were issued against Evil Corp in December 2019 and Evil Corp went silent shortly thereafter, but activity has now resumed.

Previously the group sent emails containing malicious attachments or URLs to deliver their malware payloads, but a recent campaign has seen a major change. Microsoft Excel spreadsheets are still used to drop the malicious payload, but the email campaigns use HTML redirectors that trigger the download of a malicious Excel file. The Excel file contains a macro that drops the malware payload. This is the first time the threat group has used HTML redirectors to deliver malware.

HTML redirectors allow the threat actors to bypass spam filtering solutions that block the malicious sites where malware is downloaded, redirecting victims to an alternate site that is not blocked. This tactic will no doubt be more effective than delivering the malware through URLs or attachments, which are more likely to be detected by spam filtering solutions.

Users are told they must enable editing and then enable content in order to view the contents of the file. Doing so will result in the malware payload being delivered via the malicious macro. For the latest campaign, the malware being delivered is a remote access Trojan called Flawed Grace (Grace Wire).

The attackers use PowerSploit and Cobalt Strike to achieve privilege escalation and steal credentials. The attackers also move laterally via remote logon, according to Microsoft Security Intelligence.

The attackers are conducting campaigns using localized HTML files in multiple languages and are using a trackback service to identify the IP addresses that have downloaded the malicious Excel file.

While Microsoft has tracked the campaign, it is unclear how the HTML redirectors are used, whether they are in URLs in the body of emails or embedded into attachments.
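Because it is unclear whether the redirectors sit in the message body or in attachments, a mail-filter check can inspect every HTML part in both places. The following Python is an added example, not code from Microsoft or from this article; the regex heuristic, the function and class names, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Heuristic for script-driven navigation (an assumption of this example).
JS_REDIRECT = re.compile(r"\blocation(?:\.href)?\s*=(?!=)|\blocation\.(?:replace|assign)\s*\(", re.I)

class RedirectFinder(HTMLParser):
    """Records meta-refresh tags and scripts that reassign location."""
    def __init__(self):
        super().__init__()
        self.hits, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.hits.append("meta-refresh: " + a.get("content", ""))
        self._in_script = self._in_script or tag == "script"
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script and JS_REDIRECT.search(data):
            self.hits.append("script-redirect")

def scan_message(raw):
    """Return (where, filename, hits) for every HTML part that redirects."""
    findings = []
    for part in message_from_string(raw, policy=policy.default).walk():
        name = (part.get_filename() or "").lower()
        is_html = part.get_content_type() == "text/html" or name.endswith((".htm", ".html"))
        if part.is_multipart() or not is_html:
            continue
        data = part.get_payload(decode=True) or b""
        finder = RedirectFinder()
        finder.feed(data.decode(part.get_content_charset() or "utf-8", "replace"))
        if finder.hits:
            where = "attachment" if part.is_attachment() else "body"
            findings.append((where, part.get_filename(), finder.hits))
    return findings

# Constructed sample message; hosts use the reserved .invalid TLD.
SAMPLE = (
    'Subject: Invoice\nContent-Type: multipart/mixed; boundary="b1"\n\n'
    '--b1\nContent-Type: text/plain\n\nPlease see the attached document.\n'
    '--b1\nContent-Type: text/html\n'
    'Content-Disposition: attachment; filename="invoice.html"\n\n'
    '<meta http-equiv="refresh" content="0; url=https://files.example.invalid/report.xls">\n'
    '<script>window.location.href = "https://files.example.invalid/report.xls";</script>\n'
    '--b1--\n'
)
```

Calling `scan_message(SAMPLE)` reports the attachment `invoice.html` with both a meta-refresh hit and a script-redirect hit; legitimate mail also uses redirects, so hits are better treated as a scoring signal than as a block rule.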

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news