Investigators from CyberInt Research have identified further activities by the suspected Russian-speaking cyber-gang TA505, targeting financial institutions in Chile. The cyber-gang is continuing its "unauthorized and nefarious use of the same TTPs of legit software, this time leveraging MSI Installer to deploy the AMADAY malware family," according to the company.
The AMADAY implant allows cyber-criminals to steal email correspondence and sensitive information belonging to the clients of financial institutions and retailers. It also lets them harvest contact lists, which they then use to target additional organizations with malicious emails that appear to come from trusted sources.
TA505 has been active since 2014, running high-volume malicious email campaigns that distributed the Dridex and Shifu banking Trojans, the Neutrino botnet/exploit kit and Locky ransomware. The group has also been identified as the source of recent attacks against the global financial and retail industry from December 2018 to the present, with victims worldwide, including in India, Italy, Malawi, Pakistan, South Korea and the United States.
“TA505 is highly motivated, very clever, and persistent,” says Adi Peretz, head of research at CyberInt. “It’s critical to monitor their activities to anticipate further attacks. Once the pattern of attacks in Chile was identified, other financial institutions can beef up their security, so they don’t end up being breached.”
“Social engineering works because it recruits the weakest link in any cybersecurity operation – we humans,” continues Peretz. “The more prepared companies are, the better they can train their people to maintain security.”
In April 2019, Infosecurity Magazine reported that TA505 was using the TektonIT remote administration tool to target financial and retail institutions. CyberInt found that the tool was "virtually undetectable" by threat protection systems because it is "legitimate software."
"Tried and tested attack patterns appear to be consistent across these recently observed campaigns and commence with the delivery of phishing emails that have lure document attachments," according to a CyberInt report. "Utilising legitimate logos, language and terminology consistent with common business interactions or the target organization, the email encourages the potential victim to open the lure document attachment which in turn instructs them to disable security controls within Microsoft Office to allow a nefarious macro to be executed."