Pro Hacking Groups Are Pivoting To New Form Of Malware With 'AndroMut', Targeting Financial Information And Banks Using Social Engineering
A professional hacking group known for sophisticated phishing and other malware attacks appears to be changing direction. The TA505 group has pivoted to a new form of malicious code named AndroMut. Interestingly, the malware appears to be inspired by Andromeda. Originally built by a different hacking group, Andromeda was one of the largest malware botnets in the world as recently as 2017. Botnets built on the Andromeda code successfully delivered their payloads to many susceptible, vulnerable PCs running the Windows operating system. AndroMut appears to be largely based on that same Andromeda code, suggesting a possible collaboration between the hacker groups.
One of the world's most successful cybercriminal groups, who call themselves TA505, appears to have altered its tactics. As part of its latest campaign to attack and steal financial information, the group is distributing a new form of malware. Instead of targeting a large number of individuals, the pivoted TA505 group appears to be going after banks and other financial services. The point of entry remains the same, but the intended target and focus are now the organized financial sector. Financial companies in the US, the United Arab Emirates and Singapore are advised to be on high alert and to watch for any suspicious content. The most common entry point remains official-looking emails.
TA505 Group Uses Andromeda Base To Develop And Deploy AndroMut
The infamous TA505 group appears to have increased its intensity during the last month and has continued with the same ferocity. It no longer attempts to deploy random waves of attacks aimed at gaining control of victims' machines. In other words, mass phishing emails are no longer the preferred tactic. Instead, the TA505 group has significantly reduced the volume of attacks and has clearly switched to more targeted ones.
Based on analysis of several suspected emails and other forms of electronic communication and media, cyber-security researchers at Proofpoint have indicated that the group appears to be targeting employees of banks and other financial service providers. The researchers also uncovered a new form of sophisticated malware. They are calling it AndroMut and have found that it shares quite a few similarities with Andromeda. Designed and deployed by an entirely different group of hackers, Andromeda was one of the most successful, dangerous and largest malware botnets in the world. Up until 2017, Andromeda was spreading prolifically and successfully installing itself on vulnerable PCs running the Windows operating system.
How Is The TA505 Group Executing The Malware Attack?
Like most of the TA505 group's other attacks, the new AndroMut malware is also distributed through legitimate-looking emails. The phishing emails look and feel highly official and authentic. They usually claim to contain invoices and other documents purporting to relate to banking and finance, and are often painstakingly crafted. Although many phishing emails carry the popular PDF format, phishing emails from the TA505 group seem to rely on Word documents.
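Since the article's key defensive point is that the lure arrives as a Word attachment, a mail-gateway triage step that is worth having is a check for a VBA project inside any Office attachment. The following is an added example, not code from the article or from Proofpoint; it constructs a sample e-mail and a minimal OOXML-style zip container in memory (the `build_*` helpers, the sender and recipient addresses and the verdict labels are all assumptions made for illustration) and flags attachments that carry a `vbaProject.bin` part regardless of the extension they advertise.

```python
"""Added example (not from the article or from Proofpoint): triage an e-mail's
Office attachments for an embedded VBA project. All sample data is constructed."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that are zip-based OOXML containers; any of them can hide a VBA part.
OFFICE_ZIP_EXTS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}


def build_office_doc(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style zip (constructed test data, not a real
    document). Only the parts the check below looks at are included."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-vba-blob")
    return buf.getvalue()


def build_sample_eml(filename: str, payload: bytes,
                     subtype: str = "octet-stream") -> bytes:
    """Construct an invoice-themed message with one attachment (addresses are
    placeholders in the reserved .invalid TLD)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "treasury@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please find the attached invoice.")
    msg.add_attachment(payload, maintype="application", subtype=subtype,
                       filename=filename)
    return msg.as_bytes()


def office_has_vba(data: bytes) -> bool:
    """True if the bytes are a zip container holding a vbaProject.bin part.
    The zip signature is checked first so non-Office attachments are skipped."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_eml(raw: bytes) -> list[dict]:
    """Return one finding per attachment: 'block' if a VBA project is present,
    'review' for any other Office container, 'allow' otherwise."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        has_vba = office_has_vba(data)
        if has_vba:
            verdict = "block"
        elif ext in OFFICE_ZIP_EXTS:
            verdict = "review"
        else:
            verdict = "allow"
        findings.append({"filename": name, "ext": ext,
                         "has_vba": has_vba, "verdict": verdict})
    return findings


if __name__ == "__main__":
    sample = build_sample_eml("invoice.docm", build_office_doc(True),
                              "vnd.ms-word.document.macroEnabled.12")
    for finding in triage_eml(sample):
        print(finding)
```

The check deliberately keys on the zip contents rather than the file extension or MIME type, because a macro-bearing document renamed to `.docx` still opens in Word and still carries `word/vbaProject.bin`; extension-only filtering would pass it through.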
What Is AndroMut And How Does The Multi-Stage Malware Work?
TA505 is currently using AndroMut as the first stage of a two-stage attack. In other words, AndroMut is the first part of a successful infection and takeover of victims' computers. Once it has gained a foothold, AndroMut discreetly drops a second payload onto the compromised machine. That second payload is called FlawedAmmyy, a powerful and efficient Remote Access Trojan, or RAT.
The aggressive second-stage RAT FlawedAmmyy is a virulent malware that grants remote access to the victims' computers. Attackers can obtain remote administrative privileges, and once inside they have complete access to files, credentials and more.
The data itself is not the target, however. In other words, stealing data is not the primary intention. For TA505 the pivot is about access: the RAT foothold gives the group a way into the internal networks of banks and other financial institutions.
TA505 Group Is Following The Money, Say Experts
"TA505's move to primarily distributing RATs and downloaders in much more targeted campaigns than they previously employed with banking Trojans and ransomware suggests the fundamental shift in their tactics. Essentially the group is going after higher quality infections with the potential for longer-term monetization - quality over quantity."
Cybercriminals are essentially fine-tuning their attacks and selecting their targets instead of undertaking massive emailing campaigns and hoping to snag victims. They are after data, and more importantly sensitive information, in order to steal money. The latest pivot is essentially just an example of hackers following the market and the money. Hence the shift in strategy should not be considered permanent, observed Dawson: "What is not clear is the ultimate outcome or endgame of this shift. TA505 very much follows the money, adapting to global trends and exploring new geographies and payloads to maximize their returns."
Alap Desai