Spear-Phishing Emails Appeared to Originate With HR Departments
The prolific TA505 cybercrime group targeted corporate networks across Europe using spear-phishing emails to spread the SDBbot remote access Trojan, according to IBM X-Force researchers.
The campaign, which was active for three weeks in November 2019, used spear-phishing emails that were designed to look like they originated from the targeted companies’ HR departments and used Onehub, a legitimate, cloud-based file-sharing application for businesses, the IBM researchers note in a new report.
These spear-phishing messages were used to spread SDBbot, a remote access Trojan, or RAT, that accepts instructions from a command-and-control server and has the ability to exfiltrate data from the infected devices and networks, according to the IBM report.
TA505 has used the SDBbot RAT since September 2019. In the latest campaign, spear-phishing emails sent to victims contained an attached Word document simply called “Resume.doc.” If opened, malicious macros would eventually install the SDBbot RAT on the infected device, the report notes.
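The lure described above combines several observable traits: an external sender posing as the company's own HR department, a macro-bearing Word attachment with a resume-style name, and links to a legitimate file-sharing service. As an added illustration (not code from the IBM report or from TA505 tooling), the following Python snippet scores simplified, constructed mail-gateway records against those traits and flags messages that show two or more of them. The record fields, the internal domain and the sample addresses are all assumptions made for the example.

```python
import re

# Constructed sample records in a hypothetical mail-gateway export format.
# None of these addresses, names or URLs come from the report; the first
# record mimics the lure the article describes, the rest are benign traffic.
SAMPLE_MESSAGES = [
    {
        "display_name": "HR Department",
        "envelope_from": "hr@exarnple-corp.test",  # constructed lookalike domain
        "attachment": "Resume.doc",
        "has_macros": True,
        "urls": ["https://ws.onehub.test/files/abc123"],
    },
    {
        "display_name": "Human Resources",
        "envelope_from": "hr@example-corp.test",  # genuine internal sender
        "attachment": "Benefits_Enrollment.pdf",
        "has_macros": False,
        "urls": [],
    },
    {
        "display_name": "Talent Acquisition",
        "envelope_from": "jobs@recruiter.test",
        "attachment": "candidate_profile.docx",
        "has_macros": False,
        "urls": [],
    },
    {
        "display_name": "Jane Doe",
        "envelope_from": "jane.doe@mail.test",
        "attachment": "Jane_Doe_Resume.docx",
        "has_macros": False,
        "urls": [],
    },
]

INTERNAL_DOMAIN = "example-corp.test"  # assumption: the protected organisation
# Lookarounds instead of \b so "Jane_Doe_Resume.docx" still matches (underscore is a \w char).
RESUME_TERMS = re.compile(r"(?<![a-z])(resume|cv|curriculum)(?![a-z])", re.I)
HR_TERMS = re.compile(r"\b(hr|human resources|people ops)\b", re.I)
MACRO_CAPABLE_EXT = (".doc", ".docm", ".dot", ".xls", ".xlsm")
FILE_SHARE_HOSTS = ("onehub",)  # service named in the article; extend as needed


def score_message(msg):
    """Return the list of lure indicators present in one gateway record."""
    reasons = []
    sender_domain = msg["envelope_from"].rsplit("@", 1)[-1].lower()
    if sender_domain != INTERNAL_DOMAIN and HR_TERMS.search(msg["display_name"]):
        reasons.append("external sender posing as internal HR")
    attachment = msg.get("attachment") or ""
    if msg.get("has_macros") and attachment.lower().endswith(MACRO_CAPABLE_EXT):
        reasons.append("macro-bearing Office attachment")
    if RESUME_TERMS.search(attachment):
        reasons.append("resume-themed attachment name")
    if any(h in u.lower() for u in msg.get("urls", []) for h in FILE_SHARE_HOSTS):
        reasons.append("link to external file-sharing service")
    return reasons


def triage(messages, threshold=2):
    """Return (index, reasons) for records carrying at least `threshold` indicators."""
    flagged = []
    for i, msg in enumerate(messages):
        reasons = score_message(msg)
        if len(reasons) >= threshold:
            flagged.append((i, reasons))
    return flagged


if __name__ == "__main__":
    for idx, why in triage(SAMPLE_MESSAGES):
        print(f"message {idx}: {'; '.join(why)}")
```

Requiring two indicators keeps a lone applicant sending a real resume, or a genuine internal HR notice, below the alert threshold; the constructed lure record trips all four.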
The report did not indicate how successful this particular campaign was or which European countries it affected.
“TA505 targets a wide range of industries including finance, retail, healthcare, manufacturing, restaurants, etc,” Melissa Frydrych, a researcher with IBM X-Force Incident Response and Intelligence Services, tells Information Security Media Group. “While we can’t say for certain how successful they are, this group is known to conduct large phishing campaigns, and they are constantly exploring new attack vectors and changing infrastructure and malware in an effort to avoid detection and carry out successful attacks.”
If a spear-phishing victim opened the attached malicious Word document, the macros would first install malware that would start stealing the user’s credentials and passwords, according to the report. In addition, the malware installed dynamic-link libraries, which also allowed the attackers to escalate their privileges within an infected device. The malware also gave attackers the ability to move laterally through the network.
The IBM researchers also found that the malicious resume document contained code that would enable the TA505 attackers to harvest Active Directory credentials, which allowed them to gain additional privileges and move through the network.
In addition to the credentials stealers, victims who opened the fake resume document would be directed to a malicious domain controlled by the attackers. After several more redirects, additional code was installed on the infected devices, which would then deliver the SDBbot RAT.
IBM X-Force notes that this campaign revived older tactics that TA505 used to spread other Trojans, such as Dridex and The Trick, as well as Locky and Jaff ransomware (see: Two Russians Indicted Over $100M Dridex Malware Thefts).
TA505, which is also referred to as Hive0065 by IBM X-Force, is a financially motivated cybercrime group that has been active since at least 2014 and is believed to be operating out of Russia.
In March, the security firm Proofpoint reported that TA505 was using COVID-19 as a lure to target the U.S. healthcare, manufacturing and pharmaceuticals industries, spreading malware and ransomware.
Also in March, Prevailion found that the TA505 group was using Trojanized resumes to target German enterprises in order to compromise networks and conduct business email compromise fraud (see: BEC Campaign Targets HR Departments: Report).