返回 TI 主页

Background

Last month, 360 Threat Intelligence Center captured multiple phishing emails sent by TA505 Group to target financial institutions. These phishing emails contain Excel attachments with Excel 4.0 Macro embedded and download Backdoor at last. This approach could bypass antivirus detections and we have published another report to explain it in detail: https://ti.360.net/blog/articles/excel-macro-technology-to-evade-detection.

After investigation, we attribute these new attacks to TA505 Group which was named by Proofpoint[1] in September 2017 and related actions could be traced back to 2014. Based on the attacker profile, we guess TA505 group may come from Eastern European countries where Russian works as a main language. This group regularly distributes massive malicious spams to financial institutions and is notorious for spreading malwares such as Dridex and Locky. Although numerous actions have been taken in the past few years to work against them, including Dridex Botnet Takeover Operation[2][3] and disruptions to Necurs Botnet, their activities just got suppressed for some period[4] but not eliminated[5][6][7].

TA505 utilized Necurs Botnet to distribute FlawedAmmyy[8] Remote Access Trojan (RAT) since March, 2018. Earlier this month, Proofpoint delivered another report[9] and disclosed a new malware, aka ServHelper, introduced by this attack group. Samples captured by 360 Threat Intelligence Center are quite similar while the difference is that they get spread through malicious Excel 4.0 Macro which makes them hard to be detected.

detections on VirusTotal

Timeline

Attack Process

Samples captured by 360 Threat Intelligence Center are targeting multiple financial institutions, including Standard Bank (South Africa), BancoEstad (Chile), Bank of Maharashtra (India), Banca Fideuram (Italy), Kotak Mahindra Bank (India) and RMB Private Bank (South Africa). After analyzing those emails, we found that they were sent either through mail servers deployed on VPS or legitimate ones that seemed to be compromised. According to public resources, it seems that some of the mail servers are located in Ukraine, Moldova and Russia.

Here we take Standard Bank as an example to describe the attack process. Phishing email is sent to target with malicious Excel document as attachment. The example email looks to be sent from a fiber-optic network provider (Hiawatha Broadband Communications) and urges the target to complete all of the pending payments. As the mail looks somewhat related to the victim’s daily work, the attachment may get opened unintentionally.

The Excel attachment lures the victim to enable Macro so that the embedded malicious Excel 4.0 Macro could get executed:

Attackers hide the malicious Excel 4.0 Macro in a hidden sheet to prevent it being noticed by victims. The sheet name is in Russian:

The malicious Macro would download and execute a dropper from hxxp://office365advance.com/update. After that, it attempts to open notepad.exe to disguise its malicious behavior in the background.

Sample Analysis

Dropper(Update)

Update (MD5: 53F7BE945D5755BB628DEECB71CDCBF2) is an MSI package with a Nullsoft Installer inside. The file is digitally signed while the certificate has been withdrawn.

The Nullsoft Installer contains two files, one is a Backdoor (htpd.dat) and the other is a VBS script.

The Nullsoft script would extract htpd.dat and rds.vbs to the %temp% folder, then create help.bat file and write “rundll32.exe $TEMP\htpd.dat, bogus”.

After that, rds.vbs gets executed which finally loads the Backdoor (htpd.dat) through help.bat:

Backdoor(htpd.dat)

htpd.dat (MD5: 272C036924BC9B8F44D6158220303A23) is a DLL file with “bogus” as an export:

When the exported function “bogus” gets called, two threads are created. One to communicate with C&C server and the other to process received commands. HTTPS is used for communication with three URL-encoded parameters: “key”, “sysid”, and “resp”. The value of “key” parameter is a hard coded string “asdgdgYss455” in the malware.

Below is a breakdown of supported commands:

Command Description
shell Remote shell
nop Keep alive with C&C
slp Setup sleep period
load Download and execute .exe file
loaddll Download and execute .dll file
selfkill Remove itself from the compromised system

Attribution

After investigation, we found these attacks are carried out by TA505 Group for reasons stated below.

Among those similar samples we have captured, one of the C&C server is pointsoft[.]pw which is the same as the one mentioned by Proofpoint[9]. This server address is also marked as TA505 in our Big Data Platform:

The Backdoor uses HTTPS to communicate with C&C server with hard coded string “asdgdgYss455” as a value of URL-encoded parameter. This unique string was also used by TA505. Meanwhile, parameter names and sequences are also the same:

At last, remote commands and related functionalities also fall in line with ServHelper RAT used by TA505.

Attacker Profile

Since some of the mail servers used by TA505 Group are suspected to be located in Ukraine, Moldova and Russia, the name of the hidden sheet indicates related documents are created by Microsoft Office in Russian language, as well as their Dridex malware is traced back to Eastern Europe, we suspect TA505 may come from Eastern European countries where Russian works as a main language.

Conclusion

Almost five years have passed since the discovery of TA505 Group. Numerous actions have been taken to work against this group, but they are still active nowadays. Although the amount of related phishing emails dropped dramatically, the number could still fit their needs. They may even do so intentionally to avoid being identified as a high-priority target to be destroyed again. According to the samples we have collected, it seems that TA505 shift focus from Europe to developing countries such as South Africa and India, and they are interested in private financial institutions as well.

Considering the complex evolution of Dridex[7], as well as multiple other malwares being used, TA505 are keep investing to make their attacks effective. The Backdoor being captured this time looks more like a reconnaissance tool to identify expected victims and carry out follow up attack. As the attack scope becomes targeted, it would be harder to capture samples in the follow-up steps.

Comparing with Office 0day, using Office VBA Macro needs more user interactions to complete the attack. Although this could reduce the success rate, it is used by lots of attack groups considering the cost is much lower. It is recommended that users avoid to open documents from untrusted sources. And Office macro should be disabled by default.

Products of 360 ESG can protect users from this new malware, including 360 Threat Intelligence Platform, SkyEye APT Detection, 360 NGSOC.

IOC

Key String
aSDGsdgo445
asdgdgYss455
C2
vesecase.com
afsssdrfrm.pw
pointsoft.pw
Download URL
hxxp://office365advance.com/update
hxxp://office365homepod.com/genhost
hxxp://add3565office.com/rstr
Excel and eml samples
9c35e9aa9255aa2214d704668b039ef6
44dad70d844f6696fc148a7330df4b21
fee0b31cc956f083221cb6e80735fcc5
4c400910031ee3f12d9958d749fa54d5
2e0d13266b45024153396f002e882f15
26f09267d0ec0d339e70561a610fb1fd
09e4f724e73fccc1f659b8a46bfa7184
18c2adfc214c5b20baf483d09c1e1824
8cd3b60b167de2897aa6abf75b643d48
2cb8e5d871f5d6c1a8d88b1fb7372eb0
e9130a2551dd030e3c0d7bb48544aaea
9b0cc257a245f04bcd3766750335ad0c
9888d1109d6d52e971a3a3177773efaa
be021b903653aa4b2d4b99f3dbc986f0
2036a9e088d16e8ac35614946034b1a5
ef5741c4b96ef9498357dc4d33498163
e84f6742f566ccaa285c4f2b8d20a77c
Backdoor
53F7BE945D5755BB628DEECB71CDCBF2
5B7244C47104F169B0840440CDEDE788
E00499E21F9DCF77FC990400B8B3C2B5
272C036924BC9B8F44D6158220303A23
C6774C1417BE2E8B7D14BAD13911D04B
cc29adb5b78300b0f17e566ad461b2c7
Digital signature
Name: "VAL TRADEMARK TWO LIMITED"
Serial number:6e 91 95 0d d1 1f df 27 96 83 df b2 b4 9b 2f 47
Thumbprint:39 ca 0e 49 d4 01 77 4b 2b bf ea 16 27 60 7e 6e 6b dc 07 6f
Name: MASTER LIM LTD
Serial number:00 8e 3e 9a 2f e7 3c 91 98 5b 4f 90 d5 95 77 cd 6c
Thumbprint:26 0c 8d 47 00 3c a3 8a f0 54 53 f5 96 7a 8e 03 85 7f 04 88

References

[1]. https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter

[2]. https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation

[3]. https://www.justice.gov/opa/pr/bugat-botnet-administrator-arrested-and-malware-disabled

[4]. https://www.proofpoint.com/us/threat-insight/post/necurs-botnet-outage-crimps-dridex-and-locky-distribution

[5]. https://www.symantec.com/connect/blogs/dridex-financial-trojan-aggressively-spread-millions-spam-emails-each-day

[6]. https://www.symantec.com/connect/blogs/necurs-mass-mailing-botnet-returns-new-wave-spam-campaigns

[7]. https://securelist.com/dridex-a-history-of-evolution/78531/

[8]. https://www.proofpoint.com/us/threat-insight/post/leaked-ammyy-admin-source-code-turned-malware

[9]. https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505

[10]. https://ti.360.net/

TA505 SERVHELPER MACRO