Expert Insight On Spike in TA505 Threat Activity

By ISBuzz Team, Writer, Information Security Buzz | Sep 04, 2020 12:51 am PST

This week the Nuspire Security Analytics Team observed a new spike in TA505 activity targeting industries including finance, automotive, healthcare, and government, among others. The group has refined and stabilized its social engineering technique: it was observed sending emails with an attached HTML page containing malicious JavaScript, which redirected victims, via a compromised machine controlled by the intrusion set, to a compromised website mimicking legitimate service pages such as OneDrive, Dropbox, or Naver.
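The HTML-attachment lure described above, as an added example (this is not code from Nuspire or from the article): a small Python triage script that pulls automatic redirect targets out of an attached HTML file, whether they sit in a meta refresh tag, in a JavaScript location assignment, or behind a base64-wrapped atob() string, and pairs them with any file-sharing brand the page names. The sample attachment is constructed for this example (its phishing URL is base64-encoded at import time so the decoded value stays consistent), every host uses the reserved .invalid TLD, and the brand list and the "likely-lure" verdict rule are this example's own heuristic, not Nuspire's detection logic.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed sample of an HTML attachment of the kind described above: a page
# whose only purpose is to bounce the recipient to a phishing site dressed up
# as a OneDrive share. Every host is a hypothetical ".invalid" name.
_LURE_URL = "https://docs-login.example.invalid/onedrive/"
SAMPLE_ATTACHMENT = f"""<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>OneDrive - Shared file</title>
<meta http-equiv="refresh" content="5; url=https://onedrive-share.example.invalid/view">
<script>
var p = atob("{base64.b64encode(_LURE_URL.encode()).decode()}");
setTimeout(function() {{ window.location.href = p; }}, 500);
</script></head>
<body>Your file is loading, please wait...</body></html>
"""

META_TAG = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
ATTR = re.compile(r"""(\w[\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
VAR_ASSIGN = re.compile(r"\b(?:var|let|const)\s+(\w+)\s*=\s*([^;]+);")
# window.location = ..., location.href = ..., location.replace(...), etc.
JS_REDIRECT = re.compile(
    r"\b(?:(?:window|document|top|self)\.)?location\b"
    r"(?:\.(?:href|replace|assign))?\s*(?:=(?!=)|\()\s*([^;)\n]+)",
    re.IGNORECASE,
)
STRING_LIT = re.compile(r"""(["'])(.*?)\1""", re.DOTALL)
ATOB = re.compile(r"""atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""")
BRANDS = ("OneDrive", "Dropbox", "Naver", "Citrix")  # brands TA505 lures imitate


def _is_url(s):
    p = urlparse(s)
    return p.scheme in ("http", "https") and bool(p.netloc)


def _resolve(expr, assignments, depth=0):
    """Follow trivial indirection: a string literal, atob(literal), or a variable name."""
    expr = expr.strip()
    if depth > 5:
        return None
    m = ATOB.fullmatch(expr)
    if m:
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError
            return None
    m = STRING_LIT.fullmatch(expr)
    if m:
        return m.group(2)
    if expr in assignments:
        return _resolve(assignments[expr], assignments, depth + 1)
    return None


def find_redirect_targets(html):
    """Return [{"via": ..., "url": ...}] for every automatic redirect found."""
    found = []
    for tag in META_TAG.findall(html):
        attrs = {}
        for name, dq, sq, bare in ATTR.findall(tag):
            attrs[name.lower()] = dq or sq or bare
        if attrs.get("http-equiv", "").lower() != "refresh":
            continue
        m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", attrs.get("content", ""), re.IGNORECASE)
        if m and _is_url(m.group(1)):
            found.append({"via": "meta-refresh", "url": m.group(1)})
    assignments = dict(VAR_ASSIGN.findall(html))
    for expr in JS_REDIRECT.findall(html):
        url = _resolve(expr, assignments)
        if url and _is_url(url):
            found.append({"via": "javascript", "url": url})
    return found


def brand_mentions(html):
    """Brands named anywhere in the page, in BRANDS order."""
    return [b for b in BRANDS if re.search(r"\b" + re.escape(b) + r"\b", html, re.IGNORECASE)]


def assess_attachment(html):
    """Heuristic of this example: an HTML attachment that auto-redirects and
    name-drops a file-sharing brand is treated as a probable lure."""
    targets = find_redirect_targets(html)
    brands = brand_mentions(html)
    if not targets:
        verdict = "no-redirect"
    elif brands:
        verdict = "likely-lure"
    else:
        verdict = "redirect-review"
    return {"targets": targets, "brands": brands, "verdict": verdict}


if __name__ == "__main__":
    print(assess_attachment(SAMPLE_ATTACHMENT))
```

Run against the embedded sample it reports both hops (the meta refresh and the atob-wrapped JavaScript redirect) and a "likely-lure" verdict; a page that redirects without naming a brand comes back as "redirect-review" so an analyst still looks at it. The resolver only follows one chain of literal assignments, so heavier obfuscation (string splitting, eval, packers) will leave the target unresolved, which is itself a useful signal for an attachment that should have no script at all.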

Nuspire continues to monitor threat actors and new and renewed exploits in order to share ways of mitigating the risks. The company also recently published its Q2 2020 Threat Report, which highlights increases in botnet activity of 29% and in exploit activity of 13% over the course of the quarter.

Shawn Pope, Security Analyst
September 4, 2020 8:57 am

The current activity of TA505 is highly reliant on malspam campaigns that disguise themselves as known products, such as Citrix and Dropbox, to lure users into their trap. As their initial method, they focus their attention on how to trick users into believing spam emails are legitimate. Organizations need to pay special attention to the variety of malware TA505 could use during this initial stage of their attacks, such as Quant Loader, Marap, Amadey, and AndroMut. Once that stage is successful, the group uses botnets to deploy malware that, once installed, would allow them to move laterally within the compromised network and elevate their privileges.

Since the first stage that TA505 relies on affects users directly, I recommend emphasizing user training and awareness to combat this type of threat. Provide phishing and social engineering awareness training to all employees, especially in the context of macro-based office documents.

TA505 is targeting industries like finance, healthcare, and government, among others. To mitigate potential risks, I recommend a layered security approach, which will help identify these threats at multiple levels of the cyber kill chain: deploy and monitor next-gen antivirus with heuristics and behavioral analysis to complement signatures. Threat hunting should also be a part of the security strategy: take the known attacker methods, in this case TA505 post-infection activity, and apply those to your environment. For example, if we know TA505 has been communicating with a set of domains/IPs for C2 communication, we can utilize that during our hunt to prevent it from taking place.

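The hunt Shawn Pope outlines, taking a set of known C2 domains and IPs and applying it to your own environment, as an added example (not code from Nuspire, the article, or the commenter): a Python script that matches outbound proxy log records against an indicator set. The indicators are placeholders (reserved .invalid names and TEST-NET addresses) standing in for the TA505 C2 infrastructure published reporting would supply, the log lines and their format are constructed for this example, and the helper names are this example's own. It shows the two matching rules that matter in practice: IPs are checked against both exact addresses and CIDR ranges, and hostnames must equal a listed domain or be a subdomain of it, so a look-alike such as notupdate-check.example.invalid does not trip a naive suffix match.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Placeholder indicators standing in for the C2 domains and IPs that published
# reporting attributes to TA505. Reserved/documentation values only, not real
# IOCs: swap in a vetted feed before hunting for real.
C2_DOMAINS = {"update-check.example.invalid", "cdn-static.example.invalid"}
C2_IPS = {ipaddress.ip_address("198.51.100.23")}          # TEST-NET-2
C2_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]    # TEST-NET-3

# Constructed proxy log: "<epoch> <client_ip> <method> <url> <status>" per line.
SAMPLE_LOG = """\
1599210005 10.1.4.17 GET https://www.example.com/en-us/ 200
1599210010 10.1.4.17 POST https://update-check.example.invalid/gate.php 200
1599210041 10.1.4.22 GET http://203.0.113.77/img/load.gif 404
1599210060 10.1.4.17 POST https://a.update-check.example.invalid/gate.php 200
1599210075 10.1.9.3 GET https://198.51.100.23:8443/ 200
1599210090 10.1.4.22 GET https://notupdate-check.example.invalid/ 200
1599210100 10.1.7.8 GET https://example.org/ 200
"""

LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def parse_line(line):
    """Split one log line into fields; None for lines that do not fit the format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    host = urlparse(url).hostname  # lowercased, with any :port stripped
    if not host:
        return None
    return {"ts": int(ts), "client": client, "method": method,
            "host": host, "url": url, "status": int(status)}


def match_indicator(host):
    """Return the indicator a destination host matches, or None.
    IPs: exact address or CIDR range. Names: equal to a listed domain or a
    subdomain of it (a bare endswith() check would also match look-alikes)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if ip in C2_IPS:
            return f"ip:{ip}"
        for net in C2_NETWORKS:
            if ip in net:
                return f"net:{net}"
        return None
    for d in C2_DOMAINS:
        if host == d or host.endswith("." + d):
            return f"domain:{d}"
    return None


def hunt(log_text):
    """Every log record whose destination matches an indicator, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ind = match_indicator(rec["host"])
        if ind:
            rec["indicator"] = ind
            hits.append(rec)
    return hits


def summarize(hits):
    """Per-client view: first contact time and the distinct indicators seen,
    which is the list of hosts to isolate and image first."""
    out = defaultdict(lambda: {"first_seen": None, "indicators": set()})
    for h in hits:
        entry = out[h["client"]]
        if entry["first_seen"] is None or h["ts"] < entry["first_seen"]:
            entry["first_seen"] = h["ts"]
        entry["indicators"].add(h["indicator"])
    return {c: {"first_seen": e["first_seen"], "indicators": sorted(e["indicators"])}
            for c, e in out.items()}


if __name__ == "__main__":
    for client, info in summarize(hunt(SAMPLE_LOG)).items():
        print(client, info["first_seen"], ", ".join(info["indicators"]))
```

Against the sample log this flags three internal clients and leaves the look-alike domain and the benign sites alone. The same matcher can be fed DNS query logs or firewall connection logs once parse_line is adapted to their format; the summary's first_seen value is what anchors the timeline when you pivot into the endpoint for the post-infection activity the comment describes.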
