- The prominent and sophisticated TA505 has returned to distributing large volumes of malicious emails affecting most industries.
- New tools include a KiXtart Loader, the MirrorBlast loader, an updated FlawedGrace variant, and updated malicious Excel attachments.
Since early September 2021, Proofpoint researchers have been tracking renewed malware campaigns by the financially driven TA505. The campaigns, which are distributed across a wide range of industries, started with low volume email waves that ramped up in late September, resulting in tens to hundreds of thousands of emails.
Many of the campaigns, especially the large volume ones, strongly resemble the historic TA505 activity from 2019 and 2020. The commonalities include similar domain naming conventions, email lures, Excel file lures, and the delivery of the FlawedGrace remote access trojan (RAT). The campaigns also contain some noteworthy new developments, such as retooled intermediate loader stages scripted in Rebol and KiXtart, which are used instead of the previously popular Get2 downloader. The new downloaders serve the same purpose as Get2: performing reconnaissance on the host and pulling in the next stages. Lastly, there is an updated version of FlawedGrace.
The initial campaigns observed by Proofpoint in September 2021 were comparatively small in volume, several thousand emails per wave, and delivered malicious Excel attachments. In late September and in early October 2021 this changed, and TA505 began sending higher email volumes, tens to hundreds of thousands, to more industries. Additionally, the actor began leveraging both URL and attachment-based email campaigns.
September 2021 Campaigns
The early campaigns identified by Proofpoint in September 2021 were low volume compared to typical TA505 activity, with only several thousand messages per wave. TA505 used more specific lures that did not affect as many industries as the more recent October 2021 campaigns. Example lures included legal, media release, situation report, and health claim themes.
The emails contained an Excel attachment that, when opened with macros enabled, would lead to the download and execution of an MSI file. The MSI file in turn would execute an embedded Rebol loader, which Proofpoint has dubbed MirrorBlast.
October 2021 Campaigns
In late September and throughout October 2021, Proofpoint observed a shift to familiar TA505 tactics, techniques, and procedures (TTPs) that are reminiscent of the actor’s 2019 and 2020 campaigns. An additional intermediary loader scripted in KiXtart was introduced, and the attack chain evolved to the following:
- An email containing one of the below:
- Excel attachment
- HTML attachment that links to the download of an Excel file
- URL linking to a landing page that redirects to the download of an Excel file
- URL directly linking to an Excel file
- The Excel file macros download and run an MSI file
- The MSI file executes an embedded KiXtart loader
- The KiXtart loader receives a command from the C&C server to download another MSI file that executes MirrorBlast
- MirrorBlast then downloads additional Rebol script stagers
- The follow-on Rebol stagers drop ReflectiveGnome
- ReflectiveGnome in turn downloads further shellcode, which then drops and detonates FlawedGrace
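The Excel-to-MSI step of the chain above is the most visible one in endpoint telemetry. The following added example (not Proofpoint's code) walks a constructed set of process-creation events and flags any msiexec.exe that has an Office application anywhere in its ancestry, so an intermediate cmd.exe or script host between the macro and the installer does not hide the relationship; the event layout and the OFFICE_APPS list are assumptions.

```python
"""Hunt for the Excel -> MSI step in process-creation telemetry (added example)."""

# Constructed sample events, not real telemetry: pid, parent pid, image, command line.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "excel.exe",
     "cmdline": "EXCEL.EXE C:\\Users\\u\\Downloads\\SECURE_DOCUMENT.xls"},
    # Macro launches the installer directly on a file it already downloaded.
    {"pid": 300, "ppid": 200, "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Users\\u\\AppData\\Local\\Temp\\setup.msi /qn"},
    # Benign install started from the desktop: no Office ancestor, must not fire.
    {"pid": 400, "ppid": 100, "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Installers\\legit.msi"},
    # Macro goes through cmd.exe and points msiexec at a remote package.
    {"pid": 500, "ppid": 200, "image": "cmd.exe", "cmdline": "cmd.exe /c msiexec ..."},
    {"pid": 600, "ppid": 500, "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i http://example.invalid/doc.msi /qn"},
]

# Assumed set of Office images worth treating as a macro-capable parent.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}


def ancestry(pid, by_pid):
    """Return the events for pid and all its known ancestors, nearest first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen guards against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def find_office_msi_chains(events):
    """Flag every msiexec.exe whose lineage contains an Office application."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["image"].lower() != "msiexec.exe":
            continue
        lineage = ancestry(e["ppid"], by_pid)
        office = next((a for a in lineage if a["image"].lower() in OFFICE_APPS), None)
        if office is None:
            continue
        hits.append({
            "pid": e["pid"],
            "office_pid": office["pid"],
            # Package fetched by msiexec itself rather than pre-downloaded by the macro.
            "remote_msi": "http" in e["cmdline"].lower(),
            "chain": [a["image"] for a in reversed(lineage)] + [e["image"]],
        })
    return hits
```

Walking the full ancestry rather than the immediate parent is what keeps the second, cmd.exe-wrapped launch in scope.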
The email lures moved away from the detailed lures seen initially in this spate of campaigns. They became more generic, with subjects such as “SECUREFILE,” “SECURE DOCUMENT,” and “You’ve been sent a secure message.” Additionally, the themes and abused brands included COVID-19, DocuSign, insurance, invoices, and Microsoft.
Excel Macros Analysis
For TA505’s 2021 campaigns to be successful, potential victims must enable macros after opening the malicious Excel files. The code responsible for downloading the next stage MSI file was typically lightly obfuscated with filler characters, string reversal, or similar simple functions, and hidden in the document’s Comments or Title metadata, in a cell, or in other locations.
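Because the hiding places and transformations described above are so simple, a triage helper can surface the payload location without running the macro. The added example below (not Proofpoint's code) reads the Title and Comments fields from an OOXML workbook's docProps/core.xml, applies reversal and filler-character removal in every combination, and reports any URL that falls out; the filler character and the constructed sample workbook are assumptions.

```python
"""Pull Title/Comments from an OOXML workbook and undo light obfuscation (added example)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"dc": "http://purl.org/dc/elements/1.1/"}
URL_RE = re.compile(r"https?://\S+", re.I)


def core_properties(xlsx_bytes):
    """Return the Title and Comments fields (Comments is stored as dc:description)."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {"title": "", "comments": ""}
        root = ET.fromstring(z.read("docProps/core.xml"))
    return {"title": root.findtext("dc:title", default="", namespaces=NS),
            "comments": root.findtext("dc:description", default="", namespaces=NS)}


def candidate_decodings(text, filler="#"):
    """Plain, reversed, filler-stripped and filler-stripped-then-reversed variants."""
    stripped = text.replace(filler, "")
    return {"plain": text, "reversed": text[::-1],
            "stripped": stripped, "stripped_reversed": stripped[::-1]}


def find_hidden_urls(xlsx_bytes, filler="#"):
    """List (field, decoding, url) for every URL recovered from the metadata fields."""
    hits = []
    for field, value in core_properties(xlsx_bytes).items():
        for how, decoded in candidate_decodings(value, filler).items():
            for url in URL_RE.findall(decoded):
                hits.append((field, how, url))
    return hits


SAMPLE_URL = "http://example.invalid/secure/doc.msi"   # placeholder, not a real IoC


def build_sample():
    """Constructed workbook stub: the URL is reversed and padded with '#' in Comments."""
    obfuscated = "#".join(SAMPLE_URL[::-1])
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/'
            'metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/">'
            f"<dc:title>Invoice</dc:title><dc:description>{obfuscated}</dc:description>"
            "</cp:coreProperties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:   # only the part this helper inspects
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()
```

The helper covers only the metadata fields named above; cell contents and the macro code in vbaProject.bin need a separate pass, and legacy binary .xls files are out of scope.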
Proofpoint attributes the campaigns discussed in this blog to TA505 with high confidence. Proofpoint’s assessment that TA505 is responsible for this renewed activity is based on the aforementioned similarities between historic TA505 campaigns and this new activity, including, but not limited to, code similarities, domain naming patterns and the use of FlawedGrace, which has been almost exclusively linked to TA505 activity.
TA505 is an established, financially motivated threat actor known for conducting malicious email campaigns on a previously unprecedented scale. The group regularly changes its TTPs and is considered a trendsetter in the world of cybercrime. This threat actor does not limit its target set, and is, in fact, an equal opportunist with the geographies and verticals it chooses to attack. This, combined with TA505’s ability to be flexible, focusing on what is most lucrative and shifting its TTPs as necessary, makes the actor a continued threat.
Proofpoint researchers expect TA505 to continue to adjust its operations and methods always with an eye to financial gain. Using intermediate loaders in its attack chain is also likely to become a longer-term technique employed by the threat actor.