Remote access tools are the lifeblood of a distributed enterprise. Unfortunately, the very tools that make businesses in the cloud age tick can be hijacked by threat actors to gain access to valuable data.
Cyberint researchers have been diving deep into the dark web to track the nefarious activities following the spear phishing campaign targeting large US-based retailers in 2018. Recently, we have observed a surge in TTPs utilizing legitimate remote access tools that bring a new level of sophistication to phishing campaigns targeting large retailers and financial companies. Below are the highlights from our latest report, covering the tactics, techniques, and procedures deployed by threat actors to hijack legit remote access tools.
Meet the “TA505”
TA505 is a financially motivated Russian threat actor group, targeting global retailers and financial institutions with high volume email attacks since at least 2014. The group is known for the distribution of banking Trojans such as Shifu and Dridex, as well as the massive Locky ransomware campaigns.
TA505 have helped shape the threat landscape for years, mainly because of the massive volumes associated with their campaigns. On the heels of plummeting cryptocurrency prices and reduced effectiveness of ransomware attacks, TA505 and other threat actors have returned to the tried and tested methods, such as spear phishing campaigns.
TA505 has put a new spin on the classic spear phishing campaign with the increased use of legitimate RATs to gain access to IT environments. And their most recent attacks has already been emulated by less sophisticated actors who are now conducting similar operations against a variety of victims.
The Anatomy of a Spear Phishing Attack
The latest series of attacks by TA505 targeted large US-based retailers and distributed several Trojans including Remote Manipulator System (RMS). The attack was marked by a significant change of tactics, spearheading the latest trend to utilize remote access trojans, malicious downloaders and weaponized Microsoft Office files.
The attack starts with a spear phishing email masquerading as a legitimate communication sent from a Ricoh printer. The email includes an attachment in Microsoft Word format that contains a malicious macro. Once activated, the macro prompts a payload from the attacker’s command and control server. At the final stage, the RMS RAT is installed on the victim’s machine.
This attack is unique in that each intended target receives a highly personalized attachment, a technique that until now was quite unusual and difficult to implement at scale. The attached document even contained a target company’s logo to thwart any suspicion of nefarious activity.
TA505 Goes After the Financial Industry
In another attack, TA505 employed the Remote Manipulator System (RMS) backdoor to target financial institutions across the world – Chile, India, Italy, Malawi, Pakistan, and South Korea, as well as retailers in the United States.
In a similar manner, the attack starts with a highly targeted payment related email that contains a Microsoft Excel spreadsheet. The attachment spawns a Microsoft Windows Installer, prompting a download of an additional payload from a threat actor’s command and control server.
Other Actors and Copycats
Threat actors follow the path of least resistance, and with dropping cryptocurrency values, the high return on investment in spear phishing campaigns makes this tactic extremely attractive. Companies from the retail, hospitality and food and beverage industries are favorite targets since they handle a lot of payment and sensitive customer data.
Phishing attacks that utilize legitimate RATs are notoriously hard to detect and defend against. As these attacks grow in both scale and sophistication, enterprises must become more proactive and resourceful when it comes to cyber defense.
Recently, we have observed both TA505 and a number of other actors focus on downloaders, RATs, and banking Trojans, often accompanied by targeted and highly personalized spear phishing campaigns.