New SDBot Remote Access Trojan Used in TA505 Malspam Campaigns


SwissMiss

Researchers discovered two new malware strains distributed via phishing campaigns carried out by the TA505 hacking group during the last two months, a new downloader dubbed Get2 and an undocumented remote access Trojan (RAT) named SDBbot.

Starting September 2019, Proofpoint researchers found that the notorious TA505 cybercriminal group launched a series of new malspam campaigns attempting to drop and infect their targets with the new Get2 malware loader.

Attackers used this new downloader to deliver other malware payloads including FlawedGrace, FlawedAmmyy, Snatch, and the new SDBbot RAT as second-stage payloads to compromised systems.

Proofpoint says that this malicious behavior follows a pattern first observed in 2018, when the researchers found that numerous bad actors began ramping up their distribution of "downloaders, backdoors, information stealers, remote access Trojans (RATs), and more" after slowly abandoning ransomware as a primary payload in attacks.

TA505 malspam campaigns

The TA505 threat actor was among the first ones to begin this new trend with the distribution of their new ServHelper backdoor in November 2018, as well as a new malware loader dubbed AndroMut as Proofpoint reported in July.

Last but not least, in September 2019, the researchers spotted new TA505 activity trying to drop the new C++ based Get2 loader as part of new malspam campaigns.

"Successive campaigns used different export names such as Amway, Hadno, Seven, and Wakeup," says Proofpoint. "The downloader collects basic system information and sends it via an HTTP POST request to a hardcoded command and control (C&C) server."

Malspam campaigns directed at new targets

In early September, Proofpoint observed tens of thousands of phishing emails part of a new TA505 campaign delivering Microsoft Excel attachments to English and Greek-speaking targets from financial institutions in "Greece (a new country target for TA505), Singapore, United Arab Emirates, Georgia, Sweden, Lithuania, and a few other countries."

This is also the time when Proofpoint's research team started observing the TA505 actors actively using their new Get2 malware as the initial downloader in their attacks.

Later that month, on September 20, they started seeing hundreds of thousands of emails with English and French baits distributing malicious Microsoft Excel and .ISO attachments to targets from several industry sectors from the U.S. and Canada.

Phishing email sample

The first major change came on October 7 when the attackers started using links generated using URL shorteners routing their targets to landing pages that requested them to download malicious Excel sheets with request.xls file names.

This campaign also used the Get2 loader as the first stage payload but it also started delivering the new SDBot RAT malware to "companies from various industries primarily in the United States."

New second-stage RAT payloads

TA505's SDBbot RAT is also developed using C++ and was named after the filename of "the debugging log file (sdb.log.txt) and DLL name (BotDLL[.]dll)".

SDBbot uses application shimming for persistence, a technique that "can be used to Bypass User Account Control (UAC) (RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress)."

This, in turn, makes it possible for attackers to elevate privileges for malicious processes, to install backdoors on infected systems, and to disable anti-malware solutions such as Windows Defender.

SDBbot is modular malware made up of an installer, a loader, and a RAT component: the installer stores the RAT component within a compromised device's registry and establishes persistence for the loader component, which in turn executes the RAT payload.
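
A defender-side check for the application-shim persistence described above, written as an added example (not code from the article or from Proofpoint). It parses constructed Sysmon-style process-creation and registry events and flags sdbinst.exe installing a shim database from outside the Windows directory, plus writes under the AppCompatFlags\Custom and AppCompatFlags\InstalledSDB keys, which are where Windows registers custom shim databases; the key=value event format, the sample paths and the {GUID-PLACEHOLDER} values are assumptions constructed for the example.

```python
import re

# Constructed sample telemetry in a simplified Sysmon-style "key=value" form
# (assumed format; not real logs). EventID 1 = process creation, 13 = registry value set.
SAMPLE_EVENTS = [
    'EventID=1 Image="C:\\Windows\\System32\\sdbinst.exe" '
    'CommandLine="sdbinst.exe -q C:\\Users\\Public\\upd.sdb"',
    'EventID=13 Image="C:\\Windows\\System32\\sdbinst.exe" '
    'TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags'
    '\\InstalledSDB\\{GUID-PLACEHOLDER}\\DatabasePath"',
    'EventID=13 Image="C:\\Windows\\System32\\sdbinst.exe" '
    'TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags'
    '\\Custom\\svchost.exe\\{GUID-PLACEHOLDER}.sdb"',
    'EventID=1 Image="C:\\Windows\\System32\\notepad.exe" CommandLine="notepad.exe"',
    'EventID=13 Image="C:\\Setup\\setup.exe" TargetObject="HKLM\\SOFTWARE\\ExampleApp\\Version"',
]

# Registry locations Windows uses to register custom shim databases (compared lowercase).
SHIM_KEYS = ("\\appcompatflags\\custom\\", "\\appcompatflags\\installedsdb\\")

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Split one key=value line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def detect_shim_persistence(lines):
    """Return (event_index, rule_name) pairs for events consistent with shim persistence."""
    findings = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        image = ev.get("Image", "").lower()
        if ev.get("EventID") == "1" and image.endswith("\\sdbinst.exe"):
            cmd = ev.get("CommandLine", "").lower()
            # sdbinst.exe installing a .sdb that does not live under the Windows directory
            if ".sdb" in cmd and "\\windows\\" not in cmd:
                findings.append((idx, "sdbinst_nonstandard_sdb"))
        elif ev.get("EventID") == "13":
            target = ev.get("TargetObject", "").lower()
            # any value written under the custom-shim registration keys
            if any(key in target for key in SHIM_KEYS):
                findings.append((idx, "shim_registry_write"))
    return findings


if __name__ == "__main__":
    for idx, rule in detect_shim_persistence(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

On a real host the same two conditions can be checked against Sysmon Event IDs 1 and 13, or by enumerating the two AppCompatFlags keys directly.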

This new RAT malware "has some typical RAT functionality such as command shell, video recording of the screen, remote desktop, port forwarding, and file system access," and it uses plain text for storing command and control (C2) server information, as well as for communicating over TCP port 443.

Excel spreadsheet used to drop the Get2 downloader payload

To recap, TA505's September and October campaigns first started downloading the group's common payloads including FlawedGrace and FlawedAmmyy but later switched to the new SDBbot RAT starting with October 7.

As Proofpoint found, TA505 keeps adopting new Tactics, Techniques and Procedures (TTPs) and new malicious payloads in its attacks:

• TA505 continues to focus on targeting financial institutions alternating with more widely-targeted campaigns going after other verticals.
• New geographical targeting includes Greece, Germany, and Georgia.
• New Microsoft Office macros are used specifically with the Get2 downloader.

"Over the last two years, Proofpoint researchers have observed TA505 and a number of other actors focus on downloaders, RATs, information stealers, and banking Trojans," says the report.

"With this recently observed October 2019 push by TA505 with attacks on a wide range of verticals and regions, the actor's usual 'follow the money' behavioral pattern remains consistent."

A full list of indicators of compromise (IOCs), including sample hashes, C2 domains and IP addresses, is available at the end of Proofpoint's report on the new Get2 downloader and SDBbot RAT malware.

Ransomware, Trojans, and RATs

The TA505 threat group is known to have been active since at least Q3 2014 [12] and for mainly focusing on attacking financial institutions and retail companies via large-sized malicious spam campaigns disseminated using the Necurs botnet.

Their malspam attacks have distributed remote access Trojans (RATs) and malware downloaders that dropped the Dridex and Trick banking Trojans, as well as Locky and Jaff ransomware on their targets' systems. [12]

In April this year, TA505 ran a spear-phishing campaign targeting a financial institution with the help of a signed version of the ServHelper backdoor, as well as several LOLBins designed to help the operation evade detection.

Indicators of compromise (IOCs) including malware sample hashes, domains, and URLs TA505 used in their 2019 malspam campaigns are provided by Proofpoint here and by Trend Micro here.

Microsoft also shared a series of IOCs including hashes of the digitally signed executables and of the FlawedAmmyy RAT payloads used in the TA505 campaign they detected in late June.

Source: New SDBot Remote Access Trojan Used in TA505 Malspam Campaigns