Several recent spam campaigns have been linked to the hacking group TA505. The campaigns distribute a malware downloader – AndroMut or Gelup – and the FlowerPippi backdoor.
Security researchers at Trend Micro and Proofpoint have detected campaigns attacking targets in Argentina, Japan, India, the Philippines, and the Middle East.
The malware downloader is installed via a malicious attachment sent in spam emails. TA505 attaches a Word document (.doc) or Excel spreadsheet (.xls) to emails with a Visual Basic macro that installs the downloader, which in turn downloads the backdoor.
While attachments are primarily used, one campaign was detected that included a hyperlink to a malicious URL that downloaded the FlawedAmmyy RAT.
The attackers gain persistence by adding a new entry to the registry to run the malware on boot if the user has sufficient permissions. If not, a task will be scheduled that launches a .LNK file in the Recycle Bin, which in turn will launch the malware on startup.
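To show what the two persistence mechanisms described above look like from the detection side, here is an added example (not code from the Trend Micro or Proofpoint reports) that flags Run-key autorun entries and scheduled tasks whose action is a .LNK file under the Recycle Bin in constructed, simplified endpoint telemetry; the record format and field names are assumptions, not a real Sysmon or EDR schema.

```python
import re

# Constructed sample telemetry (assumed, simplified schema): one dict per event.
SAMPLE_EVENTS = [
    {"type": "registry_set", "user": "alice",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"C:\Users\alice\AppData\Roaming\upd.exe"},
    {"type": "task_created", "user": "bob", "task": "SysCheck",
     "action": r"C:\$Recycle.Bin\S-1-5-21-1000\check.lnk"},
    {"type": "task_created", "user": "svc", "task": "Backup",
     "action": r"C:\Program Files\Backup\backup.exe"},
    {"type": "registry_set", "user": "carol",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\App",
     "value": "DisplayName", "data": "App"},
]

# Autorun locations: ...\CurrentVersion\Run and RunOnce (HKCU or HKLM).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# A scheduled-task action that is a shortcut stored inside the Recycle Bin.
RECYCLE_LNK_RE = re.compile(r"\\\$Recycle\.Bin\\.*\.lnk$", re.IGNORECASE)
# Executables launched from user-writable directories raise the severity.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp)\\", re.IGNORECASE)


def find_persistence(events):
    """Return (severity, reason, event) tuples for events matching either
    persistence pattern; unrelated registry and task events are ignored."""
    findings = []
    for ev in events:
        if ev["type"] == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            sev = "high" if USER_WRITABLE_RE.search(ev["data"]) else "medium"
            findings.append((sev, "autorun entry added under a Run key", ev))
        elif ev["type"] == "task_created" and RECYCLE_LNK_RE.search(ev["action"]):
            findings.append(("high", "scheduled task launches a .lnk from the Recycle Bin", ev))
    return findings


if __name__ == "__main__":
    for sev, reason, ev in find_persistence(SAMPLE_EVENTS):
        print(f"[{sev}] {reason}: user={ev['user']} {ev.get('data') or ev.get('action')}")
```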
AndroMut or Gelup are the primary downloaders used in these attacks, but the backdoor can also download and execute malware binaries and DLL files. The primary purpose of the backdoor is to allow the attacker to gather information from the user’s computer, following which a decision can be taken on the next phase of the attack.
The malware samples distributed in these campaigns incorporate various measures to evade detection and make the infection process difficult to track. Measures have also been deployed to make it difficult for security researchers to analyze the malware.
TA505 conducts large-scale spam campaigns using the Necurs botnet and has been in operation for at least 5 years. The group has previously distributed a range of malware variants including remote access Trojans and ransomware, with most of the attacks on targets in retail and the financial sector.
By adopting cybersecurity best practices, organizations can block these attacks. Consider implementing firewalls, a spam filter, an intrusion detection system, and data loss protection technologies, and use network segmentation, strong passwords, the rule of least privilege, and prompt patching.