BEC Campaign Targets HR Departments: Report
Cybercriminal Group TA505 Sending Trojanized CV Files, Prevailion Reports
TA505, a notorious cybercriminal group believed to be operating in Russia, is using business email compromise tactics to target a new group of victims - HR departments, according to researchers from Prevailion, a security monitoring firm.
In the campaign that Prevailion researchers examined, the cybercriminal gang began sending phishing emails impersonating job applicants that contained Trojanized versions of curriculum vitae files, according to a new report. The files contained commercially available malware that allowed the attackers to disguise their movements, steal data and credentials and gave them the ability to encrypt data, the report notes.
The attacks that Prevailion examined targeted human resources departments at several German companies, but the report notes that these techniques are easily transferable to victims in other parts of the world.
"Threat actors have continued to rely upon business email compromise to initially infect their victims," according to the report. "This technique is particularly hard to defend against when malicious emails mimic normal business interactions. In this particular case, the threat actor impersonated an applicant who sought a job and attached a Trojanized version of a curriculum vitae."
TA505 is a sophisticated advanced persistent threat group that has previously targeted financial companies and retailers in several countries, including the U.S. The cybercriminal gang, which is believed to be based in Russia, has been implicated in large-scale spam campaigns, and the distribution of Trojans such as Dridex and The Trick as well as Locky and Jaff ransomware, according to researchers (see: TA505 APT Group Returns With New Techniques: Report).
Earlier this month, Microsoft along with other security firms and law enforcement took legal and technical action to disrupt Necurs, one of the largest botnets ever discovered. Researchers believe TA505 used the botnet to spread the Dridex Trojan.
In December 2019, two members of the TA505 gang, which is also referred to as Evil Corp, were charged with computer and fraud offenses by U.S. and U.K. law enforcement officials. Both men are believed to be living in Russia (see: Two Russians Indicted Over $100M Dridex Malware Thefts).
Prevailion researchers divided this new TA505 campaign into two separate "clusters" that took place throughout 2019, according to the report.
In the first cluster, the attackers sent phishing emails with the Trojanized CV files to victims. These weaponized files contained commercially available tools that the attackers could then download onto an infected device to gain control, according to the report. This allowed the gang not only to encrypt files on the infected device, but also to move deeper into the network and encrypt other data as well, according to the report.
In the second cluster, the attacks became much more sophisticated, the report notes. When the TA505 attackers gained control of a device after sending the malicious CV files, they would download NetSupport, a commercially available remote administration tool, and then embed it within the user's Google Drive account, according to the report. This allowed the gang to remotely transfer files, enable screen captures and even steal voice recordings while hiding in plain sight.
The researchers also found the TA505 gang used PowerShell scripts to steal credentials and credit card information, and abused legitimate tools such as GPG to encrypt files, giving these attacks a ransomware component as well.
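The second-cluster tradecraft above (a document lure launching PowerShell, GPG driven non-interactively to encrypt files, and a remote tool staged in Google Drive) maps onto a few process-creation heuristics. The script below is an added example, not code from Prevailion's report; the sample events are constructed, and it assumes the CV lure is an Office document and that the Google Drive sync folder is where the staged tool is executed from.

```python
"""Heuristic triage of process-creation events for the TA505 CV-lure tradecraft.
Sample events are constructed for this example; paths and names are assumptions."""
import shlex
from typing import List, Set, Tuple

Event = Tuple[str, str, str]  # (parent image, image path, command line)

OFFICE_PARENTS = {"winword.exe", "excel.exe"}           # assumed lure format
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}
GPG_ENCRYPT_FLAGS = {"--encrypt", "-e", "--symmetric", "-c"}

# Constructed sample telemetry: one hit per rule plus two benign GPG uses.
EVENTS: List[Event] = [
    ("winword.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -NoProfile -w hidden -File C:\Users\hr\AppData\Local\Temp\cv.ps1"),
    ("powershell.exe", r"C:\Program Files (x86)\GnuPG\bin\gpg.exe",
     "gpg.exe --batch --yes --symmetric --passphrase-fd 0 Q3_payroll.xlsx"),
    ("explorer.exe", r"C:\Users\hr\Google Drive\support\remote.exe",
     r'"C:\Users\hr\Google Drive\support\remote.exe" /silent'),
    ("explorer.exe", r"C:\Program Files (x86)\GnuPG\bin\gpg.exe",
     "gpg.exe --decrypt contract.gpg"),
    ("explorer.exe", r"C:\Program Files (x86)\GnuPG\bin\gpg.exe",
     "gpg.exe --encrypt --recipient alice@example.com memo.txt"),
]

def flags_of(cmdline: str) -> Set[str]:
    """Option tokens of a command line, lower-cased; tolerates unbalanced quotes."""
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:
        tokens = cmdline.split()
    return {t.lower() for t in tokens if t.startswith("-")}

def triage(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every event matching a heuristic."""
    hits = []
    for i, (parent, image, cmdline) in enumerate(events):
        parent = parent.lower()
        image_name = image.lower().rsplit("\\", 1)[-1]
        flags = flags_of(cmdline)
        # 1. Office document spawning a script host: the CV lure opening stage.
        if parent in OFFICE_PARENTS and image_name in SCRIPT_HOSTS:
            hits.append((i, "office_spawns_script_host"))
        # 2. GPG encrypting in batch mode or under a script host: a legitimate
        #    tool used the way the report describes for the ransomware component.
        if image_name in ("gpg.exe", "gpg2.exe") and flags & GPG_ENCRYPT_FLAGS \
                and ("--batch" in flags or parent in SCRIPT_HOSTS):
            hits.append((i, "gpg_batch_encrypt"))
        # 3. Executable launched from the Google Drive sync folder (assumed
        #    location of the staged remote tool).
        if "google drive" in image.lower():
            hits.append((i, "exec_from_google_drive"))
    return hits

if __name__ == "__main__":
    for idx, rule in triage(EVENTS):
        print(f"event {idx}: {rule}")
```

Interactive GPG use from Explorer (the last two sample events) produces no hit, which is the point of requiring batch mode or a script-host parent rather than flagging every GPG run.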
Capitalizing on COVID-19
In addition to refining its more standard phishing techniques, TA505 has also taken advantage of the COVID-19 pandemic, according to security firm Proofpoint.
As with other cybercriminal activity associated with the spread of the COVID-19 virus, TA505 is using phishing emails that contain a lure related to the outbreak. These messages typically contain a link or an attached document that hides a downloader, according to Proofpoint.
If the victim clicks the link or opens the file, the downloader installs on the victim's device, enabling cybercriminals to install other malware or start a ransomware attack, according to the report.
Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, tells Information Security Media Group that a third to half of all threat activity right now is using COVID-19 as a hook.
"The change and evolution we are seeing is with the social engineering lure of COVID-19 being used at scale," she says.
"Further, with companies now telling people to work from home, and schools switching to distance learning, I expect to see socially engineered lures tailored to this audience. Threat actors are really good at taking the topics of the moment and turning them into a highly convincing lure, and when you apply that with the uncertainty the coronavirus has caused, people are more likely to fall victim to these scams."