TA505 has ramped up activity to deliver a new variant of the Remote Access Trojan (RAT) FlawedGrace, an updated malicious Excel attachment, and other new tools. The new email campaign, which shows similarities to TA505’s campaigns in 2019 and 2020, is now being distributed across a wide range of industries including finance, legal, education and others.
The campaign has largely focused on Europe and North America. The volumes of the current campaign, which started in late September, are relatively low compared with campaigns from previous years. Proofpoint researchers believe the first waves of malicious emails detected may be only a testing phase, which suggests that more is likely to come.
Sherrod DeGrippo, Sr. Director of Threat Research and Detection at Proofpoint, said:
“Tracking TA505 is one of life’s guilty little pleasures. They are a trailblazer in the world of cybercrime, regularly changing up their tactics, techniques, and procedures. While this recent bout of campaigns is reminiscent of their activity from 2019 and 2020, it doesn’t lack for some intriguing, new elements. In addition to updating FlawedGrace, they also overhauled their intermediate loader stages, replacing trusty Get2 with several new downloaders that are coded in unusual scripting languages.
“It’s also important to note that TA505 is known for conducting malicious email campaigns at previously unprecedented levels—hundreds of thousands of emails in a single campaign. The low volume campaigns in September 2021 still numbered in the thousands and were likely TA505 just getting spun up. Think of it as a testing phase that Proofpoint analysts observed, in which TA505 was experimenting with their attack chain.”