
Background

Last month, QiAnXin Threat Intelligence Center captured multiple phishing emails sent by the TA505 group to financial institutions. The emails carry Excel attachments with an embedded Excel 4.0 macro that ultimately downloads a backdoor. This technique evades many antivirus detections; we have published a separate report explaining it in detail: https://ti.qianxin.com/blog/articles/excel-macro-technology-to-evade-detection.

After investigation, we attribute these new attacks to the TA505 group, which was named by Proofpoint[1] in September 2017 and whose activity can be traced back to 2014. Based on the attacker profile, we suspect TA505 operates from Eastern European countries where Russian is a main language. The group regularly distributes massive volumes of malicious spam to financial institutions and is notorious for spreading malware such as Dridex and Locky. Although numerous actions have been taken against them over the past few years, including the Dridex botnet takeover operation[2][3] and disruptions of the Necurs botnet, their activity was only suppressed for a period[4], not eliminated[5][6][7].

TA505 has used the Necurs botnet to distribute the FlawedAmmyy[8] remote access trojan (RAT) since March 2018. Earlier this month, Proofpoint published another report[9] disclosing a new malware, ServHelper, introduced by this group. The samples captured by QiAnXin Threat Intelligence Center are very similar; the difference is that they are spread through a malicious Excel 4.0 macro, which makes them harder to detect.

Figure: detections on VirusTotal

Timeline

Attack Process

The samples captured by QiAnXin Threat Intelligence Center target multiple financial institutions, including Standard Bank (South Africa), BancoEstado (Chile), Bank of Maharashtra (India), Banca Fideuram (Italy), Kotak Mahindra Bank (India) and RMB Private Bank (South Africa). After analyzing the emails, we found that they were sent either through mail servers deployed on VPS hosts or through legitimate servers that appear to have been compromised. According to public sources, some of the mail servers are located in Ukraine, Moldova and Russia.

Here we take Standard Bank as an example to describe the attack process. A phishing email with a malicious Excel document attached is sent to the target. The example email appears to come from a fiber-optic network provider (Hiawatha Broadband Communications) and urges the recipient to complete all pending payments. Because the mail looks related to the victim's daily work, the attachment may be opened without suspicion.

The Excel attachment lures the victim into enabling macros so that the embedded malicious Excel 4.0 macro can execute:

The attackers place the malicious Excel 4.0 macro in a hidden sheet so that victims do not notice it. The sheet name is in Russian:

The malicious macro downloads and executes a dropper from hxxp://office365advance.com/update. It then opens notepad.exe to disguise the malicious activity running in the background.
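The hidden-sheet arrangement described above can be checked without opening the file in Excel, because the sheet list of a legacy .xls workbook is a sequence of BOUNDSHEET records in the BIFF "Workbook" stream, and each record carries both the sheet type (worksheet, Excel 4.0 macro sheet, chart, VBA module) and its visibility state (visible, hidden, very hidden). The following Python is an added example written for this article; it is not code from the report or from QiAnXin. It walks the BIFF records, decodes every BOUNDSHEET entry and flags macro sheets that are not visible. The Workbook stream is constructed inline so the example runs offline; the Russian sheet name "Макрос1" is an assumption, since the report does not quote the real name. In practice the stream is read out of the OLE container, for example with olefile's openstream("Workbook").

```python
import struct

# BIFF record types used here (MS-XLS section 2.4)
BOF = 0x0809
EOF_REC = 0x000A
BOUNDSHEET = 0x0085

# BOUNDSHEET.dt values: the sheet kind
SHEET_TYPES = {0x00: "worksheet", 0x01: "xlm-macro", 0x02: "chart", 0x06: "vba-module"}
# BOUNDSHEET.hsState values: "very-hidden" cannot be unhidden from the Excel UI
VISIBILITY = {0: "visible", 1: "hidden", 2: "very-hidden"}


def iter_records(stream):
    """Yield (record_type, payload) for each BIFF record; stop on truncation."""
    offset = 0
    while offset + 4 <= len(stream):
        rtype, length = struct.unpack_from("<HH", stream, offset)
        payload = stream[offset + 4: offset + 4 + length]
        if len(payload) < length:
            break  # truncated record, do not trust the rest of the stream
        yield rtype, payload
        offset += 4 + length


def parse_boundsheet(payload):
    """Decode one BOUNDSHEET record: position, flags and the sheet name."""
    if len(payload) < 8:
        raise ValueError("BOUNDSHEET record too short")
    ply_pos, grbit, cch, flags = struct.unpack_from("<IHBB", payload, 0)
    hs_state = grbit & 0x03          # low two bits: visibility
    dt = (grbit >> 8) & 0xFF         # high byte: sheet type
    raw = payload[8:]
    if flags & 0x01:                 # fHighByte set: name is UTF-16LE
        name = raw[: 2 * cch].decode("utf-16-le")
    else:                            # otherwise one byte per character
        name = raw[:cch].decode("latin-1")
    return {
        "name": name,
        "offset": ply_pos,
        "visibility": VISIBILITY.get(hs_state, f"unknown({hs_state})"),
        "type": SHEET_TYPES.get(dt, f"unknown(0x{dt:02x})"),
    }


def list_sheets(stream):
    """All sheets declared in a Workbook stream, in workbook order."""
    return [parse_boundsheet(p) for t, p in iter_records(stream) if t == BOUNDSHEET]


def hidden_macro_sheets(stream):
    """Excel 4.0 macro sheets that are hidden or very hidden: the pattern in the report."""
    return [s for s in list_sheets(stream)
            if s["type"] == "xlm-macro" and s["visibility"] != "visible"]


def _record(rtype, payload):
    return struct.pack("<HH", rtype, len(payload)) + payload


def _boundsheet(name, hs_state, dt, ply_pos):
    # Always write the name as UTF-16LE (fHighByte = 1) so non-Latin names round-trip
    encoded = name.encode("utf-16-le")
    header = struct.pack("<IHBB", ply_pos, (dt << 8) | hs_state, len(name), 1)
    return _record(BOUNDSHEET, header + encoded)


# Constructed Workbook stream (not one of the report's samples): a visible
# worksheet followed by a very-hidden Excel 4.0 macro sheet with an assumed
# Russian name. The BOF payload is zero-filled; only its presence matters here.
SAMPLE_STREAM = (
    _record(BOF, bytes(16))
    + _boundsheet("Sheet1", 0, 0x00, ply_pos=0x100)
    + _boundsheet("Макрос1", 2, 0x01, ply_pos=0x200)
    + _record(EOF_REC, b"")
)

if __name__ == "__main__":
    for sheet in list_sheets(SAMPLE_STREAM):
        print(sheet)
    print("hidden macro sheets:", [s["name"] for s in hidden_macro_sheets(SAMPLE_STREAM)])
```

A "very hidden" sheet (hsState 2) does not appear in Excel's Unhide dialog at all, which is why inspecting the records directly, or with a tool such as oledump.py or olevba, is more reliable than looking at the workbook in Excel. The same check applies to any .xls, but a macro sheet on its own is not malicious; the formulas it holds (typically starting from an Auto_Open name) still need to be reviewed.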

Sample Analysis

Dropper (Update)

Update (MD5: 53F7BE945D5755BB628DEECB71CDCBF2) is an MSI package with a Nullsoft installer inside. The file is digitally signed, but the certificate has been revoked.

The Nullsoft installer contains two files: a backdoor (htpd.dat) and a VBS script (rds.vbs).

The Nullsoft script extracts htpd.dat and rds.vbs to the %temp% folder, then creates help.bat containing the line "rundll32.exe $TEMP\htpd.dat, bogus".

rds.vbs is then executed, and it finally loads the backdoor (htpd.dat) via help.bat:
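The loading chain above (installer drops files to %temp%, a batch file runs rundll32 on a .dat file, a script host launches the batch) leaves a recognisable process-creation trail. The Python below is an added example written for this article, not code from the report or from QiAnXin; it parses a rundll32 command line into module and export and scores an event on three signals: the module extension is not a DLL-type extension, the module lives under a Temp directory, and the parent is a script host. The events are constructed Sysmon-style process-creation records embedded inline, not telemetry from the report, with $TEMP expanded to a typical user path.

```python
import json
import re
from pathlib import PureWindowsPath

# Extensions rundll32 is normally asked to load; anything else deserves a look
LOADER_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}
# Parents that suggest a script-driven launch, as with rds.vbs -> help.bat
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}


def parse_rundll32(cmdline):
    """Split a rundll32 command line into (module_path, export_name).

    Handles the quoted form  rundll32.exe "path",Export  and the bare form
    rundll32.exe path, Export  with a space after the comma, which is exactly
    what the dropper writes into help.bat. Returns None when the command line
    is not a rundll32 invocation.
    """
    parts = cmdline.strip().split(None, 1)
    if len(parts) < 2:
        return None
    launcher = parts[0].strip('"').lower()
    if not launcher.endswith(("rundll32", "rundll32.exe")):
        return None
    rest = parts[1].lstrip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end == -1:
            return None
        module, rest = rest[1:end], rest[end + 1:]
    else:
        match = re.match(r"[^,\s]+", rest)
        if not match:
            return None
        module, rest = match.group(0), rest[match.end():]
    export = rest.lstrip(" ,").split()
    return module, (export[0] if export else "")


def suspicious_rundll32(event):
    """Return the reasons a process-creation event looks like a disguised DLL load."""
    reasons = []
    if PureWindowsPath(event.get("Image", "")).name.lower() != "rundll32.exe":
        return reasons
    parsed = parse_rundll32(event.get("CommandLine", ""))
    if parsed is None:
        return reasons
    module, _export = parsed
    suffix = PureWindowsPath(module).suffix.lower()
    if suffix not in LOADER_EXTENSIONS:
        reasons.append(f"module extension {suffix or '(none)'} is not a DLL-type extension")
    if "\\temp\\" in module.lower():
        reasons.append("module loaded from a Temp directory")
    if PureWindowsPath(event.get("ParentImage", "")).name.lower() in SCRIPT_HOSTS:
        reasons.append("parent process is a script host")
    return reasons


def scan_events(lines):
    """Run the check over JSON-lines events; return (CommandLine, reasons) for each hit."""
    hits = []
    for line in lines:
        event = json.loads(line)
        reasons = suspicious_rundll32(event)
        if reasons:
            hits.append((event["CommandLine"], reasons))
    return hits


# Constructed Sysmon-style (Event ID 1) events, not telemetry from the report.
# The first mirrors the help.bat line; the other two are benign or not rundll32.
SAMPLE_EVENTS = [
    json.dumps({
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Users\user\AppData\Local\Temp\htpd.dat, bogus",
    }),
    json.dumps({
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL',
    }),
    json.dumps({
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c C:\Users\user\AppData\Local\Temp\help.bat",
    }),
]

if __name__ == "__main__":
    for cmdline, reasons in scan_events(SAMPLE_EVENTS):
        print(cmdline, "->", "; ".join(reasons))
```

Each signal alone produces noise (installers legitimately run rundll32 from Temp, and Control Panel applets are launched with odd-looking exports), so the value is in the combination: a non-DLL extension plus a Temp path plus a script-host parent matches this chain and little else.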

Backdoor (htpd.dat)

htpd.dat (MD5: 272C036924BC9B8F44D6158220303A23) is a DLL that exports a function named "bogus":

When the exported function "bogus" is called, two threads are created: one communicates with the C&C server and the other processes the received commands. Communication uses HTTPS with three URL-encoded parameters: "key", "sysid" and "resp". The value of the "key" parameter is the hard-coded string "asdgdgYss455".

The supported commands are:

Command    Description
shell      Remote shell
nop        Keep-alive with the C&C server
slp        Set the sleep period
load       Download and execute an .exe file
loaddll    Download and execute a .dll file
selfkill   Remove itself from the compromised system

Attribution

After investigation, we conclude that these attacks were carried out by the TA505 group, for the reasons below.

Among the similar samples we have captured, one of the C&C servers is pointsoft[.]pw, the same server mentioned by Proofpoint[9]. This address is also tagged as TA505 in our big data platform:

The backdoor uses HTTPS to communicate with its C&C server and sends the hard-coded string "asdgdgYss455" as the value of a URL-encoded parameter. This unique string has also been used by TA505, and the parameter names and their order are the same:

Finally, the remote commands and their functionality match the ServHelper RAT used by TA505.
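The beacon characteristics used both in the sample analysis (three URL-encoded parameters "key", "sysid", "resp" with a hard-coded key) and in the attribution above (the same key string and the same parameter order as earlier TA505 samples) translate directly into a network signature. The Python below is an added example written for this article, not code from the report or from QiAnXin. It scores a form-encoded parameter string on two independent signals, the parameter order and the known key strings from the IOC section, so that a weak match (shape only) is distinguishable from a strong one. The report says the parameters are URL-encoded but does not state whether they travel in the query string or a POST body, so the core check takes a bare parameter string that can come from either; the URLs are constructed, with one of the report's C2 domains as host and an invented sysid value.

```python
from urllib.parse import parse_qsl, urlsplit

# Key strings listed in the IOC section of the report
KNOWN_KEYS = {"aSDGsdgo445", "asdgdgYss455"}
# Parameter names in the order the report describes
EXPECTED_ORDER = ["key", "sysid", "resp"]


def inspect_query(query):
    """Score a form-encoded parameter string (query string or POST body).

    Returns None when nothing matches; otherwise a dict with a confidence
    level, the reasons, and the sysid value (the bot's host identifier) for
    pivoting across hosts.
    """
    pairs = parse_qsl(query, keep_blank_values=True)
    names = [name for name, _ in pairs]
    values = dict(pairs)
    reasons = []
    if names == EXPECTED_ORDER:
        reasons.append("parameter names and order match key,sysid,resp")
    key_match = values.get("key") in KNOWN_KEYS
    if key_match:
        reasons.append("hard-coded key string " + values["key"])
    if not reasons:
        return None
    return {
        "confidence": "high" if key_match else "low",
        "reasons": reasons,
        "sysid": values.get("sysid"),
    }


def inspect_url(url):
    """Apply inspect_query to the query string of a full URL and record the host."""
    parts = urlsplit(url)
    result = inspect_query(parts.query)
    if result is not None:
        result["host"] = parts.hostname
    return result


def scan_urls(urls):
    """Return (url, result) for every URL that matches either signal."""
    hits = []
    for url in urls:
        result = inspect_url(url)
        if result is not None:
            hits.append((url, result))
    return hits


# Constructed request URLs, not captured traffic. The first uses a C2 domain
# from the IOC list; the sysid values are invented.
SAMPLE_URLS = [
    "https://pointsoft.pw/?key=asdgdgYss455&sysid=WIN-7F3A1B&resp=",
    "https://example.org/search?q=macro&page=2",
    "https://example.net/api?key=abc123&sysid=42&resp=ok",
    "https://example.net/api?resp=&sysid=42&key=aSDGsdgo445",
]

if __name__ == "__main__":
    for url, result in scan_urls(SAMPLE_URLS):
        print(result["confidence"], url, result["reasons"])
```

Because the channel is HTTPS, this check only sees the parameters where traffic is decrypted: a TLS-intercepting proxy, a sandbox, or host-side instrumentation of the WinHTTP/WinINet calls. The parameter-order match on its own is deliberately rated low, since three short parameter names are not rare; the key string is what ties a request to this family.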

Attacker Profile

Since some of the mail servers used by the TA505 group are suspected to be located in Ukraine, Moldova and Russia, the name of the hidden sheet indicates that the documents were created with a Russian-language version of Microsoft Office, and their Dridex malware has been traced back to Eastern Europe, we suspect TA505 operates from Eastern European countries where Russian is a main language.

Conclusion

Almost five years have passed since the TA505 group was first identified. Numerous actions have been taken against the group, but it remains active today. Although the volume of related phishing emails has dropped dramatically, it still appears sufficient for their needs; they may even limit volume intentionally to avoid being prioritized for another takedown. The samples we collected suggest that TA505 has shifted focus from Europe to developing countries such as South Africa and India, and that it is also interested in private financial institutions.

Considering the complex evolution of Dridex[7], as well as the multiple other malware families in use, TA505 keeps investing in making its attacks effective. The backdoor captured this time looks more like a reconnaissance tool used to identify worthwhile victims before follow-up attacks. As the attacks become more targeted, it will be harder to capture samples from the later stages.

Compared with an Office 0-day, an Office macro (whether VBA or Excel 4.0) requires more user interaction to complete the attack. Although this reduces the success rate, many attack groups use macros because the cost is far lower. Users should avoid opening documents from untrusted sources, and Office macros should be disabled by default.

Products of 360 ESG, including QiAnXin Threat Intelligence Platform, SkyEye APT Detection and NGSOC, can protect users from this new malware.

IOC

Key String
aSDGsdgo445
asdgdgYss455
C2
vesecase.com
afsssdrfrm.pw
pointsoft.pw
Download URL
hxxp://office365advance.com/update
hxxp://office365homepod.com/genhost
hxxp://add3565office.com/rstr
Excel and eml samples
9c35e9aa9255aa2214d704668b039ef6
44dad70d844f6696fc148a7330df4b21
fee0b31cc956f083221cb6e80735fcc5
4c400910031ee3f12d9958d749fa54d5
2e0d13266b45024153396f002e882f15
26f09267d0ec0d339e70561a610fb1fd
09e4f724e73fccc1f659b8a46bfa7184
18c2adfc214c5b20baf483d09c1e1824
8cd3b60b167de2897aa6abf75b643d48
2cb8e5d871f5d6c1a8d88b1fb7372eb0
e9130a2551dd030e3c0d7bb48544aaea
9b0cc257a245f04bcd3766750335ad0c
9888d1109d6d52e971a3a3177773efaa
be021b903653aa4b2d4b99f3dbc986f0
2036a9e088d16e8ac35614946034b1a5
ef5741c4b96ef9498357dc4d33498163
e84f6742f566ccaa285c4f2b8d20a77c
Backdoor
53F7BE945D5755BB628DEECB71CDCBF2
5B7244C47104F169B0840440CDEDE788
E00499E21F9DCF77FC990400B8B3C2B5
272C036924BC9B8F44D6158220303A23
C6774C1417BE2E8B7D14BAD13911D04B
cc29adb5b78300b0f17e566ad461b2c7
Digital signature
Name: "VAL TRADEMARK TWO LIMITED"
Serial number: 6e 91 95 0d d1 1f df 27 96 83 df b2 b4 9b 2f 47
Thumbprint: 39 ca 0e 49 d4 01 77 4b 2b bf ea 16 27 60 7e 6e 6b dc 07 6f
Name: "MASTER LIM LTD"
Serial number: 00 8e 3e 9a 2f e7 3c 91 98 5b 4f 90 d5 95 77 cd 6c
Thumbprint: 26 0c 8d 47 00 3c a3 8a f0 54 53 f5 96 7a 8e 03 85 7f 04 88

References

[1]. https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter

[2]. https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation

[3]. https://www.justice.gov/opa/pr/bugat-botnet-administrator-arrested-and-malware-disabled

[4]. https://www.proofpoint.com/us/threat-insight/post/necurs-botnet-outage-crimps-dridex-and-locky-distribution

[5]. https://www.symantec.com/connect/blogs/dridex-financial-trojan-aggressively-spread-millions-spam-emails-each-day

[6]. https://www.symantec.com/connect/blogs/necurs-mass-mailing-botnet-returns-new-wave-spam-campaigns

[7]. https://securelist.com/dridex-a-history-of-evolution/78531/

[8]. https://www.proofpoint.com/us/threat-insight/post/leaked-ammyy-admin-source-code-turned-malware

[9]. https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505

[10]. https://ti.qianxin.com/
